holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Update FAQ regarding ACCEPT/DNAT

Browse Source
This commit is contained in:
Tom Eastep 2009-10-02 10:45:56 -07:00
parent a87cb7b95d
commit 3171d3bfc2
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
docs/FAQ.xml
View File

@ -534,7 +534,13 @@ REDIRECT net 22 tcp 9022</programlisting>
to go the opposite direction from SNAT/MASQUERADE. So if you masquerade to go the opposite direction from SNAT/MASQUERADE. So if you masquerade
or use SNAT from your local network to the Internet then you will need or use SNAT from your local network to the Internet then you will need
to use DNAT rules to allow connections from the Internet to your local to use DNAT rules to allow connections from the Internet to your local
network. You also want to use DNAT rules when you intentionally want to network.<note>
<para>If you use both 1:1 NAT and SNAT/MASQUERADE, those connections
that are subject to 1:1 NAT should use ACCEPT rather than DNAT.
Note, however, that DNAT can be used to override 1:1 NAT so as to
redirect a connection to a different internal system or port than
would be the case using 1:1 NAT.</para>
</note> You also want to use DNAT rules when you intentionally want to
rewrite the destination IP address or port number. In all other cases, rewrite the destination IP address or port number. In all other cases,
you use ACCEPT unless you need to hijack connections as they go through you use ACCEPT unless you need to hijack connections as they go through
your firewall and handle them on the firewall box itself; in that case, your firewall and handle them on the firewall box itself; in that case,