* DNAT Question & ULOG Question
@ 2006-06-13 14:50 Brett Curtis
2006-06-16 10:09 ` Martijn Lievaart
0 siblings, 1 reply; 2+ messages in thread
From: Brett Curtis @ 2006-06-13 14:50 UTC (permalink / raw)
To: Netfilter Lists
A couple questions before I try to push out my new firewall.
Creating a PREROUTING rule on a DROP all policy like so.
$IPT -t nat -A PREROUTING -i $EXTIF -d $HOST_EXTIP -p tcp --dport 22 \
-j DNAT --to-destination $HOST_INTIP:22
This allows the packets to pass through my external nic so I would
only need a forward rule like so to complete the request?
$IPT -A FORWARD -o $INTIF -d $HOST_INTIP -p tcp --dport 22 -j ACCEPT
From what I read the routing decision happens after PREROUTING but I
am not sure if the request has traversed past my external interface
at this time.
Not sure if I need to specify both interfaces or in my case it would
be the same if I specified none.
My question related to ULOG.... Is ULOG the only way to get iptables
logging out of my dmesg ? Every time I type dmesg I find it
overloaded with iptables logging.
Thanks.
* Re: DNAT Question & ULOG Question
2006-06-13 14:50 DNAT Question & ULOG Question Brett Curtis
@ 2006-06-16 10:09 ` Martijn Lievaart
0 siblings, 0 replies; 2+ messages in thread
From: Martijn Lievaart @ 2006-06-16 10:09 UTC (permalink / raw)
To: Brett Curtis; +Cc: Netfilter Lists
Brett Curtis wrote:
> A couple questions before I try to push out my new firewall.
>
> Creating a PREROUTING rule on a DROP all policy like so.
I assume you mean DROP all policy on INPUT, FORWARD and OUTPUT.
>
> $IPT -t nat -A PREROUTING -i $EXTIF -d $HOST_EXTIP -p tcp --dport 22 \
> -j DNAT --to-destination $HOST_INTIP:22
Fine.
>
> This allows the packets to pass through my external nic so I would
> only need a forward rule like so to complete the request?
>
> $IPT -A FORWARD -o $INTIF -d $HOST_INTIP -p tcp --dport 22 -j ACCEPT
Yes.
>
> From what I read the routing decision happens after PREROUTING but I
> am not sure if the request has traversed past my external interface
> at this time.
> Not sure if I need to specify both interfaces or in my case it would
> be the same if I specified none.
I'm not sure what you mean, but it is quite simple. The rule is valid. In
the FORWARD chain, both -i and -o can be used. In this case, it is
redundant, but it doesn't hurt either.
> My question related to ULOG.... Is ULOG the only way to get iptables
> logging out of my dmesg ? Every time I type dmesg I find it
> overloaded with iptables logging.
>
Yes, although the logging infrastructure is being rewritten for
x_tables; that most probably does not apply to you (you know it
if it does).
HTH,
M4
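To make the traversal order discussed in the thread concrete (nat PREROUTING rewrites the destination first, the routing decision then runs on the rewritten address, and only then does the FORWARD chain see the packet), here is a small Python model added as an example. It is not from the thread; the interface names and addresses are constructed placeholders for the $EXTIF/$INTIF/$HOST_EXTIP/$HOST_INTIP variables.

```python
from dataclasses import dataclass, replace

# Constructed placeholder values for the thread's variables (TEST-NET / RFC 1918 ranges).
EXTIF, INTIF = "eth0", "eth1"
HOST_EXTIP, HOST_INTIP = "203.0.113.10", "192.168.1.10"
FIREWALL_IPS = {HOST_EXTIP, "192.168.1.1"}   # addresses the firewall itself owns


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    proto: str
    dport: int


def nat_prerouting(pkt: Packet) -> Packet:
    """$IPT -t nat -A PREROUTING -i $EXTIF -d $HOST_EXTIP -p tcp --dport 22 -j DNAT --to $HOST_INTIP:22"""
    if (pkt.in_if, pkt.dst, pkt.proto, pkt.dport) == (EXTIF, HOST_EXTIP, "tcp", 22):
        return replace(pkt, dst=HOST_INTIP)      # destination rewritten before routing
    return pkt


def routing_decision(pkt: Packet):
    """Runs after PREROUTING: local delivery (INPUT) or forwarding, based on the rewritten dst."""
    if pkt.dst in FIREWALL_IPS:
        return "INPUT", None
    return "FORWARD", INTIF if pkt.dst.startswith("192.168.1.") else EXTIF


def filter_forward(pkt: Packet, out_if: str) -> str:
    """$IPT -A FORWARD -o $INTIF -d $HOST_INTIP -p tcp --dport 22 -j ACCEPT, under a DROP policy."""
    if (out_if, pkt.dst, pkt.proto, pkt.dport) == (INTIF, HOST_INTIP, "tcp", 22):
        return "ACCEPT"
    return "DROP"


def traverse(pkt: Packet):
    """Return (chain consulted, destination seen by that chain, verdict)."""
    pkt = nat_prerouting(pkt)
    chain, out_if = routing_decision(pkt)
    if chain == "INPUT":
        return chain, pkt.dst, "DROP"            # DROP policy; the thread adds no INPUT rule
    return chain, pkt.dst, filter_forward(pkt, out_if)


if __name__ == "__main__":
    ssh = Packet(EXTIF, "198.51.100.7", HOST_EXTIP, "tcp", 22)
    print(traverse(ssh))                          # ('FORWARD', '192.168.1.10', 'ACCEPT')
    print(traverse(replace(ssh, dport=80)))       # ('INPUT', '203.0.113.10', 'DROP')
```

The FORWARD rule matches on $HOST_INTIP rather than $HOST_EXTIP because that is the destination the packet carries once it leaves PREROUTING; the same packet to a port the DNAT rule does not cover is delivered locally and hits the INPUT policy instead.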