Notes about IPTables

Random notes about iptables, ufw and such tools in Linux.

Mandatory lines for NAT instance Link to heading

Your /etc/sysconfig/iptables should have following lines:


Logging connections that use forwarding Link to heading

If you are forwarding TCP connections from NAT instance to some instance that doesn’t have public IP, you can easily add logging into iptables. Log entries will appear in /var/log/messages.

Config in /etc/sysconfig/iptables:

-A PREROUTING -m state --state NEW -d _IP_AT_NAT_/32 -p tcp -m tcp --dport 443 -j LOG --log-prefix " [>] New 443 Forward "
-A PREROUTING -d _IP_AT_NAT_/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination _IP_AT_DESTINATION_:443

Lines in /var/log/messages:

TIMESTAMP HOSTNAME kernel: […] [>] New 443 Forward IN=eth0 OUT= MAC=MAC_ADDRESS SRC=PUBLIC_IP DST=IP_AT_NAT LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=8304 DF PROTO=TCP SPT=38660 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0