[Gllug] Routing and packetfiltering public IPs
Bruce Richardson
itsbruce at uklinux.net
Sat Nov 26 12:12:25 UTC 2005
On Sat, Nov 26, 2005 at 11:29:38AM +0000, Anthony wrote:
>
> If you NAT to private IPs, you still lose out. If you simply route
> (which confusingly comes under NAT in iptables), you can still filter
> packets just the same for single firewall justice.
I am not a fan of using iptables to control routing (not directly,
anyway). You can usually achieve a much cleaner solution using the
kernel's routing tables, IMO. The most I would do with iptables, as far
as routing is concerned, is add a firewall mark (because the routing
policies can work with that).
<tangent> Netfilter has such a stupid bloody architecture. 3 tables
with no way to share logic between them. No way to treat a chain as a
function. Experimental modules that might (partially) address this are
unmaintained and unstable. Bleargh. *BSD pf is hugely better in most
contexts.</tangent>
--
Bruce
A problem shared brings the consolation that someone else is now
feeling as miserable as you.
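Bruce's point that iptables should at most set a firewall mark and leave the routing decision to the kernel's policy routing, as an added example (not code from this thread or from Bruce): packets from one public subnet are tagged in the mangle table, and an `ip rule` sends marked traffic to a separate routing table with its own default gateway. The interface name, addresses, mark value and table number are constructed; run with `apply` as the first argument to execute, otherwise the commands are only printed.

```shell
#!/bin/sh
# Added example: iptables only tags packets (fwmark); the kernel's policy
# routing makes the actual forwarding decision. All values are constructed.
set -eu

MODE="${1:-preview}"        # "apply" executes; anything else prints
WAN_IF="eth0"               # assumed interface towards the second upstream
SRC_NET="203.0.113.0/24"    # documentation-range public subnet to steer
ALT_GW="198.51.100.1"       # assumed gateway on the alternate upstream
FWMARK="0x1"                # mark value; its only meaning is the ip rule
TABLE="100"                 # private routing table number (1-252 are free)

# Print the command in preview mode, otherwise execute it (needs root).
run() {
    if [ "$MODE" = "apply" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Step 1: mark in the mangle table. PREROUTING covers forwarded traffic;
# OUTPUT covers packets the firewall host itself originates.
mark_rules() {
    run iptables -t mangle -A PREROUTING -s "$SRC_NET" -j MARK --set-mark "$FWMARK"
    run iptables -t mangle -A OUTPUT     -s "$SRC_NET" -j MARK --set-mark "$FWMARK"
}

# Step 2: a separate table with its own default route, chosen by fwmark.
# Packet filtering stays in the filter table; routing policy lives here.
policy_routes() {
    run ip route replace default via "$ALT_GW" dev "$WAN_IF" table "$TABLE"
    run ip rule add fwmark "$FWMARK" lookup "$TABLE" priority 1000
}

setup_policy_routing() {
    mark_rules
    policy_routes
}

if [ "$MODE" = "apply" ] && [ "$(id -u)" -ne 0 ]; then
    echo "apply mode needs root; omit the argument to preview" >&2
    exit 1
fi
setup_policy_routing
```

Marked packets still pass through the filter table's FORWARD chain, so the mark changes only which routing table picks the next hop, not which packets are permitted.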