Re: iptables rule to drop from sources that are -nat postrouting from the outside to inside
On Fri, 30 May 2003, Kristof Goossens wrote:
> On Thu, May 29, 2003 at 11:19:24PM -0500, Hanasaki JiJi wrote:
> > I have a nat postrouting rule that passes traffic from the outside
> > world to an internal host to handle port 80 (webserver)
> >
> > there are also rules to drop certain source addresses yet these
> > addresses are still coming through
>
> This is because iptables sees the natted addresses...
>
> > how can they be dropped?
>
> not sure, but I think that it'll work when you specify the outside
> interface... For example: if you want to drop the http requests from
> w.x.y.z then your rule should look like:
>
> iptables -A FORWARD -i <your external interface> -s w.x.y.z -p tcp --dport 80 -j DROP
>
Hemmmm ... could it be that the "pass to web server" rule comes before the
"drop that address" one?
As far as I know rules are considered in order: the first that matches is
applied, no matter if there are some more rules that could match.
Ciao
Marco
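To illustrate the first-match point raised above, here is an added Python model of a FORWARD chain preceded by a DNAT step; it is not code from the thread and not iptables itself. The interface name eth0, the addresses 198.51.100.7 (blocked source), 203.0.113.1 (public address) and 10.0.0.80 (internal web server), and the two rules are constructed for the example.

```python
"""Model of first-match rule evaluation in an iptables chain (added
example, not from the thread). All addresses and names are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str


@dataclass(frozen=True)
class Rule:
    target: str                      # -j ACCEPT / DROP
    src: Optional[str] = None        # -s
    dst: Optional[str] = None        # -d
    dport: Optional[int] = None      # --dport
    in_iface: Optional[str] = None   # -i

    def matches(self, pkt: Packet) -> bool:
        # An unset match field (None) matches anything, like an omitted option.
        return all(want is None or want == have for want, have in (
            (self.src, pkt.src), (self.dst, pkt.dst),
            (self.dport, pkt.dport), (self.in_iface, pkt.in_iface)))


def walk_chain(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule decides; rules after it are never consulted."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


def dnat_to_webserver(pkt: Packet) -> Packet:
    """DNAT runs in PREROUTING, so FORWARD sees the internal destination
    address, while the source address is left unchanged."""
    if pkt.dport == 80 and pkt.in_iface == "eth0":
        return Packet(pkt.src, "10.0.0.80", pkt.dport, pkt.in_iface)
    return pkt


PASS_TO_WEB = Rule("ACCEPT", dst="10.0.0.80", dport=80)
DROP_BAD_SRC = Rule("DROP", src="198.51.100.7", in_iface="eth0")
WRONG_ORDER = [PASS_TO_WEB, DROP_BAD_SRC]   # accept first: drop never fires
FIXED_ORDER = [DROP_BAD_SRC, PASS_TO_WEB]   # drop first: blocked source dropped


def verdict(chain: List[Rule], src: str) -> str:
    """Verdict for a port-80 packet from src arriving on eth0."""
    return walk_chain(chain, dnat_to_webserver(Packet(src, "203.0.113.1", 80, "eth0")))
```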