
Re: Fw: Can a daemon listen only on some interfaces?



On Mon, Dec 10, 2001 at 12:54:31PM +0000, Tim Haynes wrote:
> Guido Hennecke <g.hennecke@t-online.de> writes:
> 
> > > Sorry, I was transposing my thoughts into ipchains rules.  Actually my
> > > firewall is iptables based.  In iptables, packets that are being
> > > masqueraded traverse only the FORWARD chain and not the INPUT or OUTPUT
> > > chains.  Thus if the rule was:
> > > iptables -A INPUT -i eth0 ! -d 192.168.0.1 -j DROP
> > > this should be OK I guess.  Since packets on the INPUT are destined only
> > > to localhost.
> > 
> > Packets that come in on the external interface from an IP address on this
> > external network will be masqueraded? I think they will not!
> 
> I've got a problem with this, btw. Increasingly, I'm needing FORWARDING
> rules on various sites; what I want to know is, when I've got the following
> layout:
> 
>  | #Chain for incoming/forwarding filtering
>  | iptables -N block
>  | #chain to drop & log stuff
>  | iptables -N DLOG
>  | ...
>  | several `block' rules incl stateful allowing ESTABLISHED,RELATED
>  | ...
>  | ## Jump to that chain from INPUT and FORWARD chains.
>  | iptables -A INPUT -j block
>  | iptables -A FORWARD -j block
> 
> how come packets still seem to get dropped when being forwarded between
> interfaces?
>
I am not sure I have totally gotten what you are trying to do here.  But
the packets will be dropped instead of being forwarded between
interfaces because that is exactly what you have specified in your
rules.

What happens is this:
1. A packet comes in through one of your interfaces.
2. It hits the PREROUTING chain - where DNAT can occur or any tracked
connections are de-SNATted or de-MASQUERADED.
3. Routing decision is made.  Here is where the decision is made whether
the packet is destined for localhost or to go out another interface.
4a. If the packet is destined for localhost then it traverses the INPUT
chain.
4b. If the packet is for another host then it traverses the FORWARD
chain.

Thus what your rules will do is:
Any packet not destined for localhost will traverse the FORWARD chain
and will be -j (jumped) to your block (user-defined) chain.  This will
presumably LOG and then DROP the packets.  Thus all your FORWARDED
packets will be DROPPED.

This is, of course, only the case if you don't have other rules in your
FORWARD chain which explicitly ACCEPT the packets before they hit the
FORWARD chain rule you have written above.

HTH.
Cheers.
Mark.

Attachment: pgp6YzYkjrDm2.pgp
Description: PGP signature


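The chain walk Mark lays out (PREROUTING, routing decision, then INPUT or FORWARD), as an added illustration that is not code from this thread or from any of its posters: a small Python model of that path, loaded with Tim's block/DLOG layout, that reports which built-in chain a packet traverses and what verdict it gets. The addresses, the interface roles (eth0 outside, eth1 LAN), the port-forward DNAT entry, the LAN-side ACCEPT in block and the corrective `-I FORWARD` rule are all assumptions made for the example.

```python
"""Toy model of the netfilter path Mark describes: nat/PREROUTING (DNAT), routing
decision, then filter/INPUT (local) or filter/FORWARD (transit).  Added illustration,
not code from the thread; addresses, interface roles and the DNAT entry are assumed."""
from dataclasses import dataclass, replace
from typing import Optional

LOCAL_ADDRS = {"203.0.113.10", "192.168.0.1"}      # assumed: the firewall's own addresses
DNAT = {"203.0.113.10:80": "192.168.0.50"}         # assumed nat/PREROUTING port-forward
ESTABLISHED = frozenset({"ESTABLISHED", "RELATED"})


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int = 0
    state: str = "NEW"                    # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    target: str                           # ACCEPT, DROP, LOG, RETURN or a user chain
    in_iface: Optional[str] = None        # -i IFACE
    dst: Optional[str] = None             # -d ADDR  (dst_negate=True: ! -d ADDR)
    dst_negate: bool = False
    dport: Optional[int] = None           # --dport N
    states: Optional[frozenset] = None    # -m state --state A,B

    def matches(self, pkt):
        return ((self.in_iface is None or pkt.in_iface == self.in_iface)
                and (self.dst is None or (pkt.dst == self.dst) != self.dst_negate)
                and (self.dport is None or pkt.dport == self.dport)
                and (self.states is None or pkt.state in self.states))


class Firewall:
    def __init__(self):
        self.chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
        self.policy = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}
        self.logged = []                  # what the LOG target would have written

    def new_chain(self, name):            # iptables -N name
        self.chains[name] = []

    def append(self, chain, rule):        # iptables -A chain ...
        self.chains[chain].append(rule)

    def insert(self, chain, rule):        # iptables -I chain ...  (becomes rule 1)
        self.chains[chain].insert(0, rule)

    def _walk(self, chain, pkt):
        """Run one chain; return a terminating verdict, or None on RETURN / fall-through."""
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":      # non-terminating: record it and keep walking
                self.logged.append(f"{chain}: in={pkt.in_iface} {pkt.src}->{pkt.dst}")
            elif rule.target == "RETURN":
                return None
            elif rule.target in ("ACCEPT", "DROP"):
                return rule.target
            else:                          # -j user-chain; its verdict ends the walk
                verdict = self._walk(rule.target, pkt)
                if verdict is not None:
                    return verdict
        return None                        # exhausted: the built-in chain's policy applies

    def process(self, pkt):
        """Steps 2-4b of the mail for one packet arriving on an interface."""
        pkt = replace(pkt, dst=DNAT.get(f"{pkt.dst}:{pkt.dport}", pkt.dst))  # 2: DNAT
        chain = "INPUT" if pkt.dst in LOCAL_ADDRS else "FORWARD"               # 3: route
        verdict = self._walk(chain, pkt)                                       # 4a / 4b
        return f"{chain}:{verdict or self.policy[chain]}"


def build_ruleset():
    """Tim's layout: one 'block' chain shared by INPUT and FORWARD; DLOG logs then drops."""
    fw = Firewall()
    fw.new_chain("DLOG")
    fw.append("DLOG", Rule("LOG"))
    fw.append("DLOG", Rule("DROP"))
    fw.new_chain("block")
    fw.append("block", Rule("ACCEPT", states=ESTABLISHED))   # stateful allow
    fw.append("block", Rule("ACCEPT", in_iface="eth1"))      # assumed: LAN may originate
    fw.append("block", Rule("DLOG"))                         # everything else
    fw.append("INPUT", Rule("block"))
    fw.append("FORWARD", Rule("block"))
    return fw


def allow_port_forward(fw):
    """Mark's caveat: an explicit ACCEPT in FORWARD that runs before the jump to block
    (iptables -I FORWARD -i eth0 -d 192.168.0.50 -p tcp --dport 80 -j ACCEPT)."""
    fw.insert("FORWARD", Rule("ACCEPT", in_iface="eth0", dst="192.168.0.50", dport=80))


if __name__ == "__main__":
    fw, outside = build_ruleset(), "198.51.100.7"
    print("new to LAN host   ", fw.process(Packet("eth0", outside, "192.168.0.50", 445)))
    print("reply to LAN host ", fw.process(Packet("eth0", outside, "192.168.0.50", 443, "ESTABLISHED")))
    print("LAN host outbound ", fw.process(Packet("eth1", "192.168.0.50", outside, 443)))
    print("port-forwarded 80 ", fw.process(Packet("eth0", outside, "203.0.113.10", 80)))
    print("ssh to firewall   ", fw.process(Packet("eth0", outside, "203.0.113.10", 22)))
    allow_port_forward(fw)
    print("after -I FORWARD  ", fw.process(Packet("eth0", outside, "203.0.113.10", 80)))
    print("logged:", *fw.logged, sep="\n  ")
```

The port-forward case is the one worth staring at: DNAT rewrites the destination in PREROUTING, so the routing decision sends the packet through FORWARD rather than INPUT, where block has nothing that accepts a NEW connection from eth0 and DLOG drops it. Only an ACCEPT placed in FORWARD ahead of the `-j block` jump (or inside block, before the jump to DLOG) lets it through; a matching ACCEPT in INPUT would never see it.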