Re: port forwarding issues
On 07/01/2003 09:32:48 Bas Zoetekouw wrote:
>> Hi Peter!
>>
>> You wrote:
>>
>> > I'm about to set up port forwarding on a firewall to be able to reach
>> > some hosts on the LAN from the outside. I wish to use iptables
>> > PREROUTING rules. My question is, is there a way to detect the port
>> > forwarding, and/or get info about the host I forward to (IP address
>> > mainly), supposing that the service I reach is free of bugs? As of my
>> > understanding of PREROUTING, this is not likely.
>>
>> Do you mean something like a log of forwarded connections? That can
>> simply be accomplished with the LOG target of iptables.
>>
>> PS: debian-security is not meant for discussing securing your firewall,
>> but rather for reporting security vulnerabilities in Debian packages.
>> The debian-user mailing list is more appropriate for this kind of
>> question.
I would recommend debian-firewall as there is intense discussion there of
iptables.
Also look at this:
http://lists.debian.org/debian-firewall/2003/debian-firewall-200301/msg00030.html
Specifically, as Jason McCarty says:
"If you did have them, they would go in INPUT. However, you already log
and drop them. However, a real concern is that someone could easily fill
up your logs with junk packets. You can prevent this by putting a limit
match (-m limit --limit 2/min for example) in your LOG lines. The
problem with that is that you might miss some important packets since the
few that are getting logged are unimportant. I don't really know a solution
to this conundrum. I just log at 3/min."
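To make the two pieces of advice in this thread concrete (the LOG target for recording forwarded connections, and the limit match to keep someone from filling the log), here is an added example script that is not part of the original thread or of Debian. It assumes hypothetical addresses: external interface eth0, firewall WAN address 203.0.113.10, external port 8080 forwarded to LAN host 192.168.1.20 port 80. One point the original question raises is worth spelling out: a LOG rule in nat/PREROUTING fires before the DNAT rewrite and sees the public address, whereas a LOG rule in FORWARD fires after it, so the DST= field of the log line shows which internal host actually received the connection. The script logs in FORWARD for that reason. Setting IPTABLES=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original thread): DNAT port forward with a
# rate-limited LOG rule. All addresses and interface names are hypothetical.
# Run as root to apply; prefix with IPTABLES=echo to preview the rule set.

IPTABLES=${IPTABLES:-iptables}

# Install the rules for one forwarded TCP service.
# Args: wan_ip ext_port lan_ip lan_port ext_if
add_port_forward() {
    wan_ip=$1; ext_port=$2; lan_ip=$3; lan_port=$4; ext_if=$5

    # 1. Rewrite the destination before routing (nat/PREROUTING).
    $IPTABLES -t nat -A PREROUTING -i "$ext_if" -p tcp -d "$wan_ip" --dport "$ext_port" \
        -j DNAT --to-destination "$lan_ip:$lan_port"

    # 2. Log each NEW connection as it crosses FORWARD. The packet already
    #    carries the LAN address here, so DST= in the log line is the
    #    internal host. The limit match caps log volume at 3 lines/min
    #    after an initial burst of 5, so a SYN flood cannot fill the disk.
    $IPTABLES -A FORWARD -i "$ext_if" -p tcp -d "$lan_ip" --dport "$lan_port" \
        -m state --state NEW \
        -m limit --limit 3/min --limit-burst 5 \
        -j LOG --log-prefix "FWD $ext_port: " --log-level info

    # 3. Permit the forwarded traffic and its replies; anything else that
    #    reaches FORWARD is left to the chain's default policy.
    $IPTABLES -A FORWARD -i "$ext_if" -p tcp -d "$lan_ip" --dport "$lan_port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -o "$ext_if" -s "$lan_ip" -p tcp --sport "$lan_port" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage: sh forward.sh 203.0.113.10 8080 192.168.1.20 80 eth0
if [ $# -eq 5 ]; then
    add_port_forward "$@"
fi
```

The trade-off Jason McCarty describes is real: a single global limit means that during a flood the few lines that survive are probably the flood's, not the interesting connection. One way to soften it is to rate-limit per source address instead, with `-m hashlimit --hashlimit-upto 3/min --hashlimit-mode srcip --hashlimit-name fwdlog` in place of the limit match, so one noisy host cannot crowd out log lines from everyone else.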