This is a discussion on IPTABLES within the Linux Security forums, part of the System Security and Security Related category.
Once again I am working on my firewall using iptables.
I have studied Robert Spotswood's firewall script. It logs packets with (at the end of the script):

    /sbin/iptables -t nat -A PREROUTING \
        -j LOG --log-level info \
        --log-prefix "PreNat logging:"
    /sbin/iptables -t nat -A POSTROUTING \
        -j LOG --log-level info \
        --log-prefix "PostNat logging:"
    /sbin/iptables -t nat -A OUTPUT \
        -j LOG --log-level info \
        --log-prefix "Out NAT logging:"

That makes SSH log an entry into the log file as (\ line break inserted by me here):

    May 1 08:59:23 server kernel: PreNat logging:IN=eth1 \
        OUT= MAC=00:a0:c9:59:b4:02:00:07:95:40:e3:85:08:00 \
        SRC=192.168.0.231 DST=192.168.0.1 LEN=60 TOS=0x00 \
        PREC=0x00 TTL=64 ID=43347 DF PROTO=TCP SPT=43344 \
        DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

I placed the following (to get rid of the log entry):

    /sbin/iptables -t nat -A PREROUTING -i eth1 -p udp \
        -s 192.168.0.0/24 --sport 32768:61001 \
        --dport 22 \
        -j ACCEPT

My questions are:

Is that proper?

If the packet is accepted in the nat table does it still travel to the INPUT, OUTPUT and FORWARD filters or are they bypassed?

Should you use nat PREROUTING to filter packets?

--
Tayo'y Mga Pinoy
1. Your log entry states PROTO=TCP (which is what takes place for ssh connections) but you use -p udp. This won't work.

2. According to the log entry, you don't perform any kind of forwarding, thus you don't need NAT at all. I guess

    iptables -A INPUT -i eth1 -s 192.168.0.0/24 \
        -p tcp --sport 32768:61001 --dport 22 -m state \
        --state NEW,ESTABLISHED -j ACCEPT

will do the work. Notice though that this rule won't work either for windoops clients or Linux boxes with less than 128Mb RAM.

Mikhail
Baho Utot <baho-utot@columbus.rr.com> wrote in news:pan.2005.05.01.13.23.28.697704@columbus.rr.com:

> Once again I am working on my firewall using iptables
> I have studied Robert Spotswood firewall script.
>
> It logs packets with (at the end of the script):
>     /sbin/iptables -t nat -A PREROUTING \
>         -j LOG --log-level info \
>         --log-prefix "PreNat logging:"
>     /sbin/iptables -t nat -A POSTROUTING \
>         -j LOG --log-level info \
>         --log-prefix "PostNat logging:"
>     /sbin/iptables -t nat -A OUTPUT \
>         -j LOG --log-level info \
>         --log-prefix "Out NAT logging:"
>
> That makes SSH log an entry into the log file as
> (\ line break inserted by me here):
>     May 1 08:59:23 server kernel: PreNat logging:IN=eth1 \
>         OUT= MAC=00:a0:c9:59:b4:02:00:07:95:40:e3:85:08:00 \
>         SRC=192.168.0.231 DST=192.168.0.1 LEN=60 TOS=0x00 \
>         PREC=0x00 TTL=64 ID=43347 DF PROTO=TCP SPT=43344 \
>         DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>
> I placed the following (to get rid of the log entry):
>     /sbin/iptables -t nat -A PREROUTING -i eth1 -p udp \
>         -s 192.168.0.0/24 --sport 32768:61001 \
>         --dport 22 \
>         -j ACCEPT
>
> My questions are:
>
> Is that proper?
>
> If the packet is accepted in the nat table does it still travel to the
> INPUT, OUTPUT and FORWARD filters or are they bypassed?

See this flowchart:

http://www.kalamazoolinux.org/presen...7/iptflow.html

If I am interpreting this correctly, prerouting is only applicable to packets that go to one of INPUT table or the FORWARD table. There appears to be no way to bypass this if iptables is active. The OUTPUT table is only used for packets that originate on the firewall itself and the flow chart shows that the OUTPUT table is used before POSTROUTING.

Klazmon.

> Should you use nat PREROUTING to filter packets?
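The following is an added Python model written for this thread, not code from any of the posters or from the Spotswood script. It illustrates both points raised above: Mikhail's observation that the OP's "-p udp" rule cannot match the TCP SYN in the logged entry while a tcp/state rule in filter INPUT does, and Klazmon's reading of the flowchart that an ACCEPT in nat PREROUTING does not bypass the filter chains. Assumptions: the sample log line is the OP's entry joined onto one line, 192.168.0.1 is taken to be the firewall's own address on eth1, conntrack is simplified to a bare-SYN check, and only the nat and filter tables are modelled (the chain order follows the standard netfilter hook order).

```python
"""Model of (1) rule matching against an iptables LOG entry and (2) the
nat -> filter chain order: a terminating target ends the current chain
only, so the packet still reaches filter INPUT/FORWARD afterwards."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed sample: the log entry quoted in the thread, on one line.
LOG_LINE = ("May  1 08:59:23 server kernel: PreNat logging:IN=eth1 OUT= "
            "MAC=00:a0:c9:59:b4:02:00:07:95:40:e3:85:08:00 "
            "SRC=192.168.0.231 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 "
            "TTL=64 ID=43347 DF PROTO=TCP SPT=43344 DPT=22 WINDOW=5840 "
            "RES=0x00 SYN URGP=0")

# Assumption: the firewall itself owns 192.168.0.1 on eth1.
LOCAL_ADDRS = {"192.168.0.1"}


def parse_kernel_log(line):
    """Parse the KEY=VALUE fields the LOG target writes after its prefix.
    Bare tokens such as DF and SYN are collected in pkt['FLAGS']."""
    pkt = {"FLAGS": set()}
    for tok in line[line.index("IN="):].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            pkt[key] = value
        else:
            pkt["FLAGS"].add(tok)
    return pkt


def conn_state(pkt):
    """Simplified conntrack: a bare SYN is NEW, anything else ESTABLISHED."""
    flags = pkt["FLAGS"]
    return "NEW" if "SYN" in flags and "ACK" not in flags else "ESTABLISHED"


@dataclass
class Rule:
    table: str
    chain: str
    target: str                                # ACCEPT, DROP, REJECT or LOG
    in_iface: Optional[str] = None             # -i
    proto: Optional[str] = None                # -p
    src: Optional[str] = None                  # -s (CIDR)
    sport: Optional[Tuple[int, int]] = None    # --sport lo:hi
    dport: Optional[Tuple[int, int]] = None    # --dport lo:hi
    states: Optional[FrozenSet[str]] = None    # -m state --state

    def matches(self, pkt, state):
        if self.in_iface and pkt.get("IN") != self.in_iface:
            return False
        if self.proto and pkt.get("PROTO", "").lower() != self.proto.lower():
            return False
        if self.src and (ipaddress.ip_address(pkt["SRC"])
                         not in ipaddress.ip_network(self.src)):
            return False
        for rng, key in ((self.sport, "SPT"), (self.dport, "DPT")):
            if rng and not rng[0] <= int(pkt.get(key, -1)) <= rng[1]:
                return False
        return not self.states or state in self.states


def chains_for(pkt):
    """nat/filter chains in hook order for this packet (after routing)."""
    if not pkt.get("IN"):                      # generated on the firewall
        return [("nat", "OUTPUT"), ("filter", "OUTPUT"), ("nat", "POSTROUTING")]
    if pkt["DST"] in LOCAL_ADDRS:              # addressed to the firewall
        return [("nat", "PREROUTING"), ("filter", "INPUT")]
    return [("nat", "PREROUTING"), ("filter", "FORWARD"), ("nat", "POSTROUTING")]


TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def traverse(rules, pkt, policies=None):
    """Walk the chains in order. A terminating target ends the current
    chain only; the packet then enters the next chain. Returns
    (verdict, trace) with trace = [(table, chain, outcome), ...]."""
    policies = policies or {}
    state = conn_state(pkt)
    trace = []
    for table, chain in chains_for(pkt):
        verdict = policies.get((table, chain), "ACCEPT")
        for rule in rules:
            if (rule.table, rule.chain) == (table, chain) and rule.matches(pkt, state):
                trace.append((table, chain, rule.target))
                if rule.target in TERMINAL:
                    verdict = rule.target
                    break
        else:                                  # no terminating rule matched
            trace.append((table, chain, "policy " + verdict))
        if verdict != "ACCEPT":
            return verdict, trace
    return "ACCEPT", trace


# The rules from the thread, as data. OP_RULE keeps its '-p udp'.
NAT_LOG = Rule("nat", "PREROUTING", "LOG")
OP_RULE = Rule("nat", "PREROUTING", "ACCEPT", in_iface="eth1", proto="udp",
               src="192.168.0.0/24", sport=(32768, 61001), dport=(22, 22))
MIKHAIL_RULE = Rule("filter", "INPUT", "ACCEPT", in_iface="eth1", proto="tcp",
                    src="192.168.0.0/24", sport=(32768, 61001), dport=(22, 22),
                    states=frozenset({"NEW", "ESTABLISHED"}))
```

Calling traverse([NAT_LOG, OP_RULE, MIKHAIL_RULE], pkt, {("filter", "INPUT"): "DROP"}) on the parsed entry shows the LOG firing in nat PREROUTING, the udp rule never matching, and the packet then being accepted in filter INPUT by Mikhail's rule. Swapping in a copy of the OP's rule with proto="tcp" and no filter rule gives an ACCEPT in nat PREROUTING followed by "policy DROP" in filter INPUT: the nat verdict ends that chain but not the packet's trip through the filter table, which is why the filter INPUT chain is the place to allow (and, if wanted, log) the SSH connection. Note also that iptables -A appends, so a rule added after the script's LOG rule in the same chain is evaluated after the log entry has already been written.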
On Tue, 03 May 2005 12:04:59 +1200, Llanzlan Klazmon wrote:

> See this flowchart:
>
> http://www.kalamazoolinux.org/presen...7/iptflow.html
>
> If I am interpreting this correctly, prerouting is only applicable to
> packets that go to one of INPUT table or the FORWARD table. There appears
> to be no way to bypass this if iptables is active. The OUTPUT table is only
> used for packets that originate on the firewall itself and the flow chart
> shows that the OUTPUT table is used before POSTROUTING.
>
> Klazmon.

Thanks, I'll have a look.

--
Tayo'y Mga Pinoy