Re: iptables filtering ports under nat
Hello,
Luis Rondon Paz wrote:
> /sbin/iptables -t nat -A POSTROUTING -s 12.16.2.5 -o $EXT_IF -j MASQUERADE
> how can I DROP ALL TRAFFIC FROM IP 12.16.2.5 ??? except port 80 to one
> external IP ?
> how can I do that ????
> /sbin/iptables -t nat -A POSTROUTING -s 12.16.2.5 -d EXTERNALONEHOSTONLY
> -o $EXT_IF -j ACCEPT
This does not work because both ACCEPT and MASQUERADE are terminal
targets: when they match, subsequent rules are ignored. So if this rule
is before the MASQUERADE rule, then packets matching it won't be
masqueraded. And if this rule is after the MASQUERADE rule, it has just
no effect.
> /sbin/iptables -t nat -A POSTROUTING -s 12.16.2.5 -d 0.0.0.0/0 -o $EXT_IF
> -j DROP ???
This rule does not work either. If it is before the MASQUERADE rule, it
drops all traffic from the host. If it is after the MASQUERADE rule, it
has no effect as explained above.
> OR SHOULD I NEED TO USE TO FORWARD ??
Yes, you should use the FORWARD chain in the 'filter' table. The 'nat'
table should not be used for filtering, because its chains do not see
all packets.
For example:
iptables -A FORWARD -s 12.16.2.5 -d EXTERNALONEHOSTONLY \
-p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 12.16.2.5 -j DROP
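The layout the reply recommends, written out as a complete iptables-restore ruleset so the nat and filter tables can be loaded atomically and the rule order is visible in one place. This is an added example, not code from the thread: the interface name eth0 is an assumed default, EXTERNALONEHOSTONLY is kept as the thread's placeholder and must be replaced by a real address, and the helper names (build_ruleset, allow_precedes_drop) are my own.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates an iptables-restore
# ruleset that masquerades 12.16.2.5 in the nat table and does all filtering
# in the filter table's FORWARD chain. The nat chains only see the first
# packet of a connection, so they are the wrong place for policy.

LAN_HOST="12.16.2.5"                          # address from the thread
EXT_IF="${EXT_IF:-eth0}"                      # assumed external interface
EXT_HOST="${EXT_HOST:-EXTERNALONEHOSTONLY}"   # placeholder from the thread

# Print the ruleset in iptables-restore format. Rules are evaluated top to
# bottom; ACCEPT and DROP are terminal in FORWARD just as ACCEPT and
# MASQUERADE are in POSTROUTING, so the narrow allow must precede the
# catch-all DROP for the same source.
build_ruleset() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_HOST -o $EXT_IF -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s $LAN_HOST -d $EXT_HOST -o $EXT_IF -p tcp --dport 80 -j ACCEPT
-A FORWARD -s $LAN_HOST -j DROP
COMMIT
EOF
}

# Sanity check on the generated text: succeed (exit 0) only if an ACCEPT
# rule for the given source appears before the DROP rule for that source.
# Getting this order wrong silently turns the allow rule into dead code.
allow_precedes_drop() {
    build_ruleset | awk -v h="$1" '
        /-j ACCEPT/ && $0 ~ h { if (!seen_drop) ok = 1 }
        /-j DROP/   && $0 ~ h { seen_drop = 1 }
        END { exit ok ? 0 : 1 }'
}

# Load the rules only when explicitly asked and running as root;
# otherwise just print them (dry run).
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = 0 ]; then
    build_ruleset | iptables-restore
else
    build_ruleset
fi
```

Run it without arguments to review the ruleset, and with `--apply` as root to load it; set EXT_IF and EXT_HOST in the environment to override the placeholders. Keeping the allow and deny rules adjacent in FORWARD, with the allow first, is what makes the intent auditable at a glance.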