Brett Curtis wrote:
> A couple of questions before I try to push out my new firewall.
> Creating a PREROUTING rule on a DROP all policy like so.

I assume you mean a DROP policy on INPUT, FORWARD and OUTPUT.

> $IPT -t nat -A PREROUTING -i $EXTIF -d $HOST_EXTIP -p tcp --dport 22 \
> -j DNAT --to-destination $HOST_INTIP:22

Fine.

> This allows the packets to pass through my external NIC so I would
> only need a forward rule like so to complete the request?

> $IPT -A FORWARD -o $INTIF -d $HOST_INTIP -p tcp --dport 22 -j ACCEPT

Yes.

> From what I read the routing decision happens after PREROUTING but I
> am not sure if the request has traversed past my external interface
> at this time.
> Not sure if I need to specify both interfaces or in my case it would
> be the same if I specified none.

I'm not sure what you mean, but it is quite simple. The rule is valid. In
the FORWARD chain, both -i and -o can be used. In this case, it is
redundant, but it doesn't hurt either.

> My question is related to ULOG... Is ULOG the only way to get iptables
> logging out of my dmesg? Every time I type dmesg I find it
> overloaded with iptables logging.

Yes. Although the logging infrastructure is being rewritten for
x_tables, that most probably does not apply to you (you know it
if it does).
HTH,
M4
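The ruleset the thread is circling around, carried through as one script. This is an added example, not code from the original mail or from either poster: interface names, addresses and the ulogd netlink group are assumptions. It puts the DNAT and FORWARD rules behind DROP policies on all three chains, adds the ESTABLISHED,RELATED return-path rule the thread takes for granted, and logs what is about to be dropped with ULOG so nothing lands in the kernel ring buffer. IPT defaults to "echo iptables" so it can be dry-run unprivileged; set IPT=iptables (as root) to apply it.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface names, addresses
# and the ULOG netlink group below are assumptions for illustration.
# IPT defaults to "echo iptables" so an unprivileged dry run just prints
# the commands; run with IPT=iptables (as root) to apply them for real.

EXTIF="${EXTIF:-eth0}"                       # assumed external interface
INTIF="${INTIF:-eth1}"                       # assumed internal interface
HOST_EXTIP="${HOST_EXTIP:-203.0.113.10}"     # assumed public address (documentation range)
HOST_INTIP="${HOST_INTIP:-192.168.1.10}"     # assumed internal SSH server
ULOG_GROUP="${ULOG_GROUP:-1}"                # assumed netlink group ulogd listens on
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

build_ruleset() {
    # The box must route between its interfaces or DNAT achieves nothing.
    $SYSCTL -w net.ipv4.ip_forward=1

    # Start clean, then DROP by default on all three built-in chains.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback and already-tracked connections. The FORWARD entry is what
    # lets the SSH server's replies back out through the DROP policy; the
    # DNAT mapping is reversed automatically by conntrack on the way back.
    $IPT -A INPUT   -i lo -j ACCEPT
    $IPT -A OUTPUT  -o lo -j ACCEPT
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DNAT runs in PREROUTING, before the routing decision, so by the time
    # the packet reaches FORWARD its destination is already HOST_INTIP.
    $IPT -t nat -A PREROUTING -i "$EXTIF" -d "$HOST_EXTIP" -p tcp --dport 22 \
        -j DNAT --to-destination "$HOST_INTIP":22

    # FORWARD matches on the rewritten destination. -i and -o are both given
    # for clarity; with -d pinned to the internal host they are redundant.
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$HOST_INTIP" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT

    # Anything that falls through is about to hit the DROP policy. Log it
    # with ULOG (netlink to ulogd, never the kernel ring buffer) instead of
    # LOG, and rate-limit it so a port scan cannot flood the collector.
    for chain in INPUT FORWARD; do
        $IPT -A "$chain" -m limit --limit 5/min --limit-burst 10 \
            -j ULOG --ulog-nlgroup "$ULOG_GROUP" --ulog-prefix "${chain}-DROP: "
    done
}

# Dry-run helper: how many generated command lines contain a given fixed string.
count_rules_for() {
    build_ruleset | grep -c -F -- "$1" || true
}

build_ruleset
```

Two caveats when applying this for real. A DROP policy on OUTPUT also blocks the firewall's own new outbound connections (DNS, package updates), so those need their own ACCEPT rules. And ULOG is the legacy target: it was removed from the kernel in 3.17 in favour of NFLOG, so on a current kernel substitute `-j NFLOG --nflog-group "$ULOG_GROUP"`; ulogd 2 reads both, and neither writes to dmesg, which only the LOG target does.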