Firewalling revisited...

Björn Lindberg d95-bli at
Thu Oct 18 12:16:28 PDT 2001

First of all, I really appreciate your feedback. It is an interesting

Henning Rohde wrote:

> > I agree. The reason I do it this way is because I want to be able to ssh
> > into my internal box from the outside, eg from school. I also want to be
> > able to run X clients through that ssh-tunnel.
> Personally I prefer to do this in 2 steps: first log in to the router,
> second into the client.

I agree that's probably safer. I suspect that tunneling X wouldn't work
that way though, especially since the router doesn't even run X.

> OK, that depends on your concept:
> If you put a second machine into your net and start a webserver on it,
> everything is OK after you've altered your routing-scripts:
> iptables -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 80 -j DNAT --to
> iptables -t nat -A PREROUTING -i $EXTDEV -p tcp --dport !80 -j DNAT --to 192.168.1.1
> The case I've been thinking about is, that you were having two clients
> behind your router:
> Consider you're surfing at your desktop and your best friend is sitting
> in front of his notebook, both of you compete in finding the best-looking
> girl in the whole internet!     ;-)
> If you would do this without customizing your scripts
> would take precedence before the automatic 'back-route' you referred to,
> because it affects the packet _before_ routing.
> Because of this rule any data coming-in into the external interface of your
> router would be sent to your desktop, your mate might try to start a
> connection to any website from his laptop, but he would not see any image.

From Rusty's guide to NAT:

"At each of the points above, when a packet passes we look up what
connection it is associated with. If it's a new connection, we look up
the corresponding chain in the NAT table to see what to do with it. The
answer it gives will apply to all future packets on that connection."

So, although I haven't tried it, it seems to me that only the first
packet in a connection gets run through the NAT chains. Since the first
packet in those connections would emanate from their respective boxes
(internal), the whole connection would follow that route.

> BTW, in one of my previous postings I asked you to verify your concept, did
> it prove to work as you want it to?
> E.g., ssh from school to your internal client, X11-forward, X11-tunnel and
> so on...

I can ssh to school and back again. I can also start X clients on the
school computer from home, and I can ssh back home again and start an X
client. So I haven't actually tried it in front of a computer at school
yet, but it seems to work.

> Do me a favour, please, and send me the output of a 'traceroute -v' to your internal
> client, started on some box at school, I'm interested in the responses your
> router and your client send.

I did this, but it didn't show anything particular, only that my IP
received the packet. The router/internal box step wasn't visible. If you
really want this log I can mail it to you.
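The reading of Rusty's passage above, as a toy model added here (not code from this thread or from netfilter): conntrack is checked first, and the nat/PREROUTING rules run only for the first packet of a new connection, so the friend's laptop still gets its replies despite the catch-all DNAT to the desktop. Addresses, ports and the two rules are constructed to mirror the scenario discussed.

```python
# Added example (not code from this thread): a toy model of "only the first
# packet of a connection goes through the NAT chains".  Addresses, ports and
# the two PREROUTING rules are constructed for the desktop/laptop/web case.

EXT_IP = "203.0.113.10"                       # constructed router public IP
DESKTOP, LAPTOP, WEB = "192.168.1.1", "192.168.1.2", "192.168.1.3"

# nat/PREROUTING on the external interface: (dport, or None for "!80") -> target
PREROUTING_DNAT = [(80, WEB), (None, DESKTOP)]


class Router:
    def __init__(self):
        # conntrack: 4-tuple as seen on the wire -> 4-tuple after translation,
        # stored for both directions of every known connection
        self.conntrack = {}

    def _nat_prerouting(self, dport):
        for rule_port, target in PREROUTING_DNAT:
            if rule_port is None or rule_port == dport:
                return target
        return EXT_IP

    def outbound(self, src, sport, dst, dport):
        """New connection from the LAN, masqueraded in nat/POSTROUTING."""
        self.conntrack[(src, sport, dst, dport)] = (EXT_IP, sport, dst, dport)
        # replies arrive at EXT_IP:sport and are un-NATed back to src:sport
        self.conntrack[(dst, dport, EXT_IP, sport)] = (dst, dport, src, sport)
        return self.conntrack[(src, sport, dst, dport)]

    def inbound(self, src, sport, dst, dport):
        """Packet on the external interface: conntrack first, NAT table only if new."""
        key = (src, sport, dst, dport)
        if key in self.conntrack:             # established: the DNAT rules never run
            return self.conntrack[key]
        target = self._nat_prerouting(dport)  # first packet only: consult nat/PREROUTING
        self.conntrack[key] = (src, sport, target, dport)
        self.conntrack[(target, dport, src, sport)] = (EXT_IP, dport, src, sport)
        return self.conntrack[key]


def demo():
    """Returns where three inbound packets end up: (laptop reply, ssh, http)."""
    r = Router()
    r.outbound(LAPTOP, 5000, "198.51.100.5", 80)       # the friend's laptop browses
    # the site's reply matches the existing connection, so the catch-all
    # DNAT-to-desktop rule is not consulted and the image reaches the laptop
    laptop_reply = r.inbound("198.51.100.5", 80, EXT_IP, 5000)
    ssh_in = r.inbound("198.51.100.9", 40000, EXT_IP, 22)   # new: ssh from school
    web_in = r.inbound("198.51.100.9", 40001, EXT_IP, 80)   # new: web request
    return laptop_reply[2], ssh_in[2], web_in[2]
```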
