> 1. If things coming in to the external interface are hitting
> the preroute chain, how do I filter on them? As I understand it, the
> preroute chain is before the INPUT chain? Can someone explain if I
> have a rule such as
> iptables -t nat -A PREROUTING -i eth1 -d 209.205.xxx.xxx -j DNAT --to-destination 192.168.0.1
>
You filter the FORWARD chain using the 192.168.0.1 IP address as
destination - INPUT/OUTPUT are only used if the 192.168.0.1 is actually
on the box running iptables
An FYI: if you need to host multiple registered IP addresses just use
Linux ip aliasing: ifconfig eth1:1 <IP address> and then DNAT them
individually...
> Where do I place the lines of code to filter these things.
> Am I filtering in the INPUT chain on the 209. addresses or what?
No
>
> 2. Can anyone give me some tips on some vulnerable ports
> that I would need to block on a windows xp machine but still
> allow for netmeeting, icq, irc, etc. to work? (specifically,
> like file sharing and all that needs to be blocked). Thanks.
>
Block 137-139 and you should be somewhat safe - that's all the NetBIOS
file sharing crapola...
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Antony Stone
> > Sent: Monday, March 18, 2002 12:08 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Yikes. . . shouldn't this be easy--NAT in and
> > out to private IP
> >
> >
> > On Monday 18 March 2002 5:22 pm, Brian Capouch wrote:
> >
> > > I want to NAT a private IP addr, 192.168.1.2 (as if that mattered) out
> > > to the world and then back in again, so that I can remotely bring up
> > > an X window for a demo I have to do "outside" later in the week.
> >
> > iptables -A PREROUTING -t nat -d 111.222.333.444 -j DNAT --to 192.168.1.2
> > iptables -A POSTROUTING -t nat -s 192.168.1.2 -j SNAT --to 111.222.333.444
> >
> > The first rule changes packets coming in from the Internet which were
> > addressed to 111.222.333.444 and sends them to 192.168.1.2
> >
> > The second rule changes packets which come from 192.168.1.2 and makes them
> > look like they came from 111.222.333.444
> >
> > Don't forget the appropriate FORWARD rules to let the packets
> > through as well:
> >
> > iptables -A FORWARD -s 192.168.1.2 -j ACCEPT
> > iptables -A FORWARD -d 192.168.1.2 -j ACCEPT
> >
> > Remember that your NATing box needs to have 111.222.333.444 added to its
> > external interface if this address is in the same network range as the NAT
> > machine's real external address.
> >
> > If it's in a different network range, then you just need to have packets for
> > 111.222.333.444 routed from the previous router, to use the NAT box as the
> > next hop.
> >
> > These rules will allow all packets, any protocol (TCP, UDP, ICMP, ESP...) to
> > get through the Firewall, to & from ANY external address - so be careful
> > about security on the "target" machine, otherwise you might find it's a
> > target for more than you expected :-)
> >
> > Hope this helps,
> >
> >
> > Antony.
> >
>
>
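To make the point of the reply above concrete (a DNAT'd packet is filtered in FORWARD on its translated destination, never in INPUT on the public address, and the quoted FORWARD rules let every protocol through), here is an added model of the netfilter hook order. It is example code written for this thread, not anything posted by Brian, Antony or the replier. The addresses (203.0.113.x, 198.51.100.7) are RFC 5737 documentation addresses standing in for the thread's placeholders, the FORWARD_TIGHT rule set is an assumed tighter alternative, and the model ignores conntrack, reply traffic, mangle and OUTPUT.

```python
"""Model of the path a DNAT'd packet takes through netfilter, written to
show which filter chain sees it.  Constructed example for this thread, not
code posted in it.  Hooks modelled: nat PREROUTING -> routing decision ->
filter INPUT or filter FORWARD -> nat POSTROUTING.  Conntrack, replies,
mangle and OUTPUT are left out.  Addresses are RFC 5737 documentation
addresses (assumption) standing in for the thread's placeholders."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    in_iface: str = "eth1"


@dataclass(frozen=True)
class Rule:
    """One iptables rule; a match field left as None is a wildcard."""
    target: str                      # ACCEPT, DROP, DNAT or SNAT
    src: Optional[str] = None        # -s
    dst: Optional[str] = None        # -d
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport
    in_iface: Optional[str] = None   # -i
    to: Optional[str] = None         # --to for DNAT/SNAT

    def matches(self, pkt: Packet) -> bool:
        return all(want is None or getattr(pkt, name) == want
                   for name, want in (("src", self.src), ("dst", self.dst),
                                      ("proto", self.proto),
                                      ("dport", self.dport),
                                      ("in_iface", self.in_iface)))


def run_chain(rules, pkt, policy):
    """First matching rule wins, as in iptables; else the chain policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return Rule(target=policy)


def traverse(pkt, nat_pre, nat_post, filt_input, filt_forward, local_addrs):
    """Walk the hooks; return (filter chain consulted, verdict, packet)."""
    hit = run_chain(nat_pre, pkt, "ACCEPT")
    if hit.target == "DNAT":
        pkt = replace(pkt, dst=hit.to)          # rewritten BEFORE routing
    # The routing decision runs after PREROUTING and sees the new dst:
    # a local dst goes to INPUT, anything else goes to FORWARD.
    if pkt.dst in local_addrs:
        chain, rules = "INPUT", filt_input
    else:
        chain, rules = "FORWARD", filt_forward
    verdict = run_chain(rules, pkt, "DROP").target   # filter policy DROP
    if verdict != "ACCEPT":
        return chain, verdict, pkt
    if chain == "FORWARD":
        hit = run_chain(nat_post, pkt, "ACCEPT")
        if hit.target == "SNAT":
            pkt = replace(pkt, src=hit.to)      # rewritten AFTER filtering
    return chain, verdict, pkt


# Constructed addresses: the NAT box's own external address, the extra
# registered address it aliases and DNATs, and the host behind it.
FW_EXTERNAL = "203.0.113.1"
PUBLIC = "203.0.113.10"
INTERNAL = "192.168.1.2"
LOCAL_ADDRS = {FW_EXTERNAL, PUBLIC, "192.168.1.1"}

NAT_PRE = [Rule("DNAT", dst=PUBLIC, in_iface="eth1", to=INTERNAL)]
NAT_POST = [Rule("SNAT", src=INTERNAL, to=PUBLIC)]

# Filtering INPUT on the public address, as the question proposes, never
# sees the forwarded traffic: dst is already 192.168.1.2 by then and the
# packet is routed to FORWARD, not INPUT.
INPUT_RULES = [Rule("ACCEPT", dst=PUBLIC)]

# The FORWARD rules from the reply: any protocol, from or to any address.
FORWARD_OPEN = [Rule("ACCEPT", src=INTERNAL), Rule("ACCEPT", dst=INTERNAL)]

# Tighter alternative (assumption): only TCP to the X server port 6000
# reaches the demo host; outbound traffic from it still passes.
FORWARD_TIGHT = [Rule("ACCEPT", dst=INTERNAL, proto="tcp", dport=6000),
                 Rule("ACCEPT", src=INTERNAL)]


def check(pkt, forward_rules):
    return traverse(pkt, NAT_PRE, NAT_POST, INPUT_RULES, forward_rules,
                    LOCAL_ADDRS)


if __name__ == "__main__":
    x11 = Packet(src="198.51.100.7", dst=PUBLIC, dport=6000)
    smb = Packet(src="198.51.100.7", dst=PUBLIC, dport=445)
    print(check(x11, FORWARD_OPEN))   # FORWARD, ACCEPT
    print(check(smb, FORWARD_OPEN))   # FORWARD, ACCEPT: open rules pass it
    print(check(smb, FORWARD_TIGHT))  # FORWARD, DROP
    print(check(Packet(src="198.51.100.7", dst=FW_EXTERNAL, dport=22),
                FORWARD_OPEN))        # INPUT, DROP: FORWARD rules not consulted
```

Run it as-is to see the four verdicts. The tight rule set is the kind of restriction the reply hints at: with the open rules, a connection to port 445 on the public address lands on the internal host exactly like the X11 connection does, because FORWARD matches only on the post-DNAT destination and nothing else.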