[Firewall] logging with NAT_TCP_FORWARD

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Thu Mar 18 18:08:36 CET 2010


This indeed does not work since the traffic is NAT-ed and never hits the 
INPUT chain. You could use a custom rule to implement it like this:

# LOG has to live in a table that has a PREROUTING chain (mangle or nat);
# the default filter table has none, so without -t this rule fails to load.
iptables -t mangle -A PREROUTING -m state --state NEW -p tcp --dport 5901 \
  -m limit --limit 1/m --limit-burst 1 \
  -j LOG --log-level $LOGLEVEL --log-prefix "PREROUTING_LOG: "

a.

Andy Brown wrote:
> Hi All,
> 
> Have had a dig through a couple of times and can't see the immediate 
> answer to this. I'd like each connection made to valid NAT_TCP_FORWARD 
> entries to be logged for auditing purposes.
> 
> I've setup the forwarding in NAT_TCP_FORWARD
> and then put into LOG_TCP_INPUT the ports I'm doing the NAT_TCP_FORWARD 
> but it didn't log. Is there a simple way to enable this please?
> NAT_TCP_FORWARD="5901>192.168.2.194"
> LOG_TCP_INPUT="5901"
> 
> Thanks in advance.
> 

-- 
Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
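A fuller version of the same idea, added here as an example; it is not Arno's code and not part of his firewall script. It assumes the port>host form of NAT_TCP_FORWARD used in the thread, an EXT_IF variable (assumed name) for the external interface, and a constructed syslog excerpt in the format the kernel LOG target writes. The rules are printed rather than executed so they can be reviewed before being run as root. One caveat for the auditing use case: --limit 1/m --limit-burst 1 logs at most one new connection per minute, which is fine for spotting a scan but loses entries if every forwarded connection must appear in the trail, so the example uses a looser limit.

```shell
#!/bin/sh
# Added example, not from the original thread or from Arno's firewall script.
# Assumptions: NAT_TCP_FORWARD entries are "port>host" as in the thread,
# EXT_IF is the external interface, and SAMPLE_LOG is constructed.
NAT_TCP_FORWARD="5901>192.168.2.194 5902>192.168.2.195"
LOGLEVEL=info
LOG_PREFIX="PREROUTING_LOG: "
EXT_IF=eth0

# Print (do not run) one LOG rule and one DNAT rule per NAT_TCP_FORWARD entry.
# LOG goes into mangle PREROUTING, which every incoming packet traverses before
# nat PREROUTING rewrites the destination, so --dport still sees the public port.
# The filter table has no PREROUTING chain, hence the explicit -t.
nat_log_rules() {
    for entry in $NAT_TCP_FORWARD; do
        port=${entry%%>*}
        host=${entry#*>}
        printf 'iptables -t mangle -A PREROUTING -i %s -p tcp --dport %s -m state --state NEW -m limit --limit 60/m --limit-burst 20 -j LOG --log-level %s --log-prefix "%s"\n' \
            "$EXT_IF" "$port" "$LOGLEVEL" "$LOG_PREFIX"
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
            "$EXT_IF" "$port" "$host"
    done
}

# Reduce kernel LOG lines carrying our prefix to "time src:sport -> dst:dport".
# Reads syslog text on stdin; lines without the prefix are dropped.
audit_connections() {
    sed -n "s/^\(.*\) [^ ]* kernel:.*${LOG_PREFIX}.*SRC=\([^ ]*\) DST=\([^ ]*\) .*SPT=\([^ ]*\) DPT=\([^ ]*\) .*/\1 \2:\4 -> \3:\5/p"
}

# Constructed sample syslog excerpt: one hit on the LOG rule, one unrelated line.
SAMPLE_LOG='Mar 18 18:08:36 gw kernel: PREROUTING_LOG: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=51234 DPT=5901 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 18 18:09:01 gw sshd[1234]: Accepted publickey for arno from 192.168.2.5'

nat_log_rules
printf '%s\n' "$SAMPLE_LOG" | audit_connections
```

Run it once to see the generated rules and the audit line; to install the rules, pipe the first function's output to sh as root, or paste them into the firewall's custom-rules file. To check that the LOG rule is actually being hit, look at the packet counters in iptables -t mangle -L PREROUTING -v -n.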

