Re: iptables filtering ports under nat

To: debian-firewall@lists.debian.org
Subject: Re: iptables filtering ports under nat
From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Date: Fri, 17 Oct 2008 10:58:14 +0200
Message-id: <[🔎] 48F853A6.907@plouf.fr.eu.org>
In-reply-to: <[🔎] 2347.172.16.2.132.1224185257.squirrel@172.16.2.13>
References: <[🔎] 2347.172.16.2.132.1224185257.squirrel@172.16.2.13>

Hello,

Luis Rondon Paz a écrit :


/sbin/iptables -t nat -A POSTROUTING -s 12.16.2.5 -o $EXT_IF -j MASQUERADE

how can i DROP ALL TRAFIC FROM IP 12.16.2.5 ??? exept port 80 to one
external ip ?

how can i do that ????

/sbin/iptables -t nat -A POSTROUTING -s 12.16.2.5 -d EXTERNALONEHOSTONLY
-o $EXT_IF -j  ACCEPT

This does not work because both ACCEPT and MASQUERADED are terminaltarget : when they match, subsequent rules are ignored. So if this ruleis before the MASQUERADE rule, then packets matching it won't bemasqueraded. And if this rule is after the MASQUERADE rule, it has justno effect.

/sbin/iptables -t nat -A POSTROUTING -s 12.16.2.5 -d 0.0.0.0/0 -o $EXT_IF
-j  DROP ???

This rule does not works either. If it is before the MASQUERADE rule, itdrops all traffic from the host. If it is after the MASQUERADE rule, ithas no effect as explained above.

OR SHOULD I NEED TO USE TO FORWARD ??

Yes, you should use the FORWARD chain in the 'filter' table. The 'nat'table should not be used for filtering, because its chains do not seeall packets.


For example :
iptables -A FORWARD -s 12.16.2.5 -d EXTERNALONEHOSTONLY \
  -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 12.16.2.5 -j DROP

Reply to:

References:
- iptables filtering ports under nat
  - From: "Luis Rondon Paz" <luis@azunet.minaz.cu>

Prev by Date: blocking brute force attempts using iptables
Next by Date: Re: blocking brute force attempts using iptables
Previous by thread: Re: iptables filtering ports under nat
Next by thread: blocking brute force attempts using iptables
Index(es):
- Date
- Thread