Once again I am working on my firewall using iptables
I have studied Robert Spotswood firewall script.

It logs packets with (at the end of the script):
/sbin/iptables -t nat -A PREROUTING \
    -j LOG --log-level info \
    --log-prefix "PreNat logging:"
/sbin/iptables -t nat -A POSTROUTING \
    -j LOG --log-level info \
    --log-prefix "PostNat logging:"
/sbin/iptables -t nat -A OUTPUT \
    -j LOG --log-level info \
    --log-prefix "Out NAT logging:"

That makes SSH log an entry into the log file as
( / line break inserted by me here):
May  1 08:59:23 server kernel: PreNat logging:IN=eth1 \
OUT=MAC=00:a0:c9:59:b4:02:00:07:95:40:e3:85:08:00 \
SRC= LEN=60 TOS=0x00 \
PREC=0x00 TTL=64 ID=43347 DF PROTO=TCP SPT=43344 \
DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

I placed the following (to get rid of the log entry):
/sbin/iptables -t nat -A PREROUTING -i eth1 -p udp \
    -s --sport 32768:61001 \
     --dport 22 \
     -j ACCEPT

My questions are:

Is that proper?

If the packet is accepted in the nat table does it still travel to the
INPUT, OUTPUT and FORWARD filters or are they bypassed?

Should you use nat PREROUTING to filter packets?

1. Your log entry states PROTO=TCP (which is what takes
place for ssh connections) but you use -p udp.  This won't work.

2. According to the log entry, you don't perform any kind
of forwarding thus you don't need NAT at all.  I guess

iptables -A INPUT -i eth1 -s \
 -p tcp --sport 32768:61001 --dport 22 -m state \

will do the work. Notice though that this rule won't
work either for windoops clients or Linux boxes with
less than 128Mb RAM.
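As an added illustration, not from any poster in this thread, of why the reply above says the `-p udp` rule cannot match the logged SSH packet: a small Python parser for the kernel LOG format quoted earlier, plus a matcher that mimics the `-i` / `-p` / `--sport a:b` / `--dport` tests of the two rules. The SRC/DST addresses in the sample are constructed, since they were blanked in the quoted entry.

```python
import re

# Constructed sample, modelled on the PreNat log entry quoted in the thread
# (SRC/DST were blanked there; the addresses below are made up).
SAMPLE_LOG = (
    "May  1 08:59:23 server kernel: PreNat logging:IN=eth1 OUT= "
    "MAC=00:a0:c9:59:b4:02:00:07:95:40:e3:85:08:00 "
    "SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=43347 DF PROTO=TCP SPT=43344 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0"
)

def parse_log(line):
    """Turn one iptables LOG line into a dict.

    KEY=VALUE tokens become strings (OUT= gives ""), bare flag tokens such
    as DF and SYN become True, and the --log-prefix text ends up in 'prefix'.
    """
    _, _, body = line.partition("kernel: ")
    prefix, _, fields = body.partition("IN=")
    out = {"prefix": prefix.strip()}
    for tok in ("IN=" + fields).split():
        key, eq, val = tok.partition("=")
        out[key] = val if eq else True
    return out

def rule_matches(pkt, in_if, proto, sport_range, dport):
    """Mimic the -i / -p / --sport lo:hi / --dport checks of an iptables rule."""
    if pkt.get("IN") != in_if or pkt.get("PROTO", "").lower() != proto:
        return False
    lo, hi = sport_range
    return lo <= int(pkt["SPT"]) <= hi and int(pkt["DPT"]) == dport

def check_thread_rules(line=SAMPLE_LOG):
    """Apply both rules from the thread to the logged packet."""
    pkt = parse_log(line)
    return {
        # original poster's rule: -i eth1 -p udp --sport 32768:61001 --dport 22
        "udp_rule": rule_matches(pkt, "eth1", "udp", (32768, 61001), 22),
        # reply's rule: -i eth1 -p tcp --sport 32768:61001 --dport 22
        "tcp_rule": rule_matches(pkt, "eth1", "tcp", (32768, 61001), 22),
    }

if __name__ == "__main__":
    print(check_thread_rules())  # {'udp_rule': False, 'tcp_rule': True}
```

The logged packet is a bare SYN because the nat table is only consulted for the first packet of a connection; a LOG rule in the filter INPUT chain would see every packet of the session.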



See this flowchart:


If I am interpreting this correctly, prerouting is only applicable to
packets that go to one of INPUT table or the FORWARD table. There appears
to be no way to bypass this if iptables is active. The OUTPUT table is only
used for packets that originate on the firewall itself and the flow chart
shows that the OUTPUT table is used before POSTROUTING.


On Tue, 03 May 2005 12:04:59 +1200, Llanzlan Klazmon wrote:

Thanks, I'll have a look.

