
Re: iptables rule to block when DNAT is used



Hanasaki JiJi <hanasaki@hanaden.com> writes:
>
> Firewall has rules to DNAT incoming traffic to a port on a DMZ box.
> 
> how can an iptables rule be written to block some IP addresses before
> they get to the rules
> 	iptables -t mangle -A FORWARD
> 		AND
> 	iptables -t nat -A PREROUTING
> ???

The "DROP" target is valid in any chain.  Therefore,

        iptables -t mangle -I FORWARD -s badbox.evil -j DROP
        iptables -t nat -I PREROUTING -s badbox.evil -j DROP

should work.

Also note that the mangle PREROUTING chain is run on all incoming
packets before any other chain, so:

        iptables -t mangle -I PREROUTING -s badbox.evil -j DROP

should drop all packets from "badbox.evil" before any other rule is
checked.  Do some testing before taking my word on it, though.

-- 
Kevin <buhr@telus.net>
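Added example, not part of the thread above: a small script that puts the mangle PREROUTING blocklist next to the DNAT rule it is meant to protect, installing the rules in the order an inbound packet actually traverses them (mangle PREROUTING, then nat PREROUTING, then routing, then FORWARD). The WAN interface, DMZ host, port and blocklist entries are assumed values, not anything from the original post. One caveat when choosing between the two suggestions: the nat table is consulted only for the first packet of a connection (the result is remembered by conntrack), so a DROP in nat PREROUTING stops new connections only, while mangle PREROUTING sees every packet.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed (hypothetical) values:
# WAN interface eth0, DMZ web host 10.0.1.10, public port 80, and a blocklist
# of TEST-NET addresses standing in for "badbox.evil".
WAN_IF="${WAN_IF:-eth0}"
DMZ_HOST="${DMZ_HOST:-10.0.1.10}"
PUB_PORT="${PUB_PORT:-80}"
BLOCK_SRCS="${BLOCK_SRCS:-203.0.113.7 198.51.100.0/24}"

# Run iptables, or with DRYRUN=1 just print the command (no root needed).
ipt() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo iptables "$@"
    else
        iptables "$@"
    fi
}

# Install the rules in hook order. mangle PREROUTING is the first table an
# inbound packet traverses, before nat PREROUTING (where DNAT happens) and
# before the routing decision that hands it to FORWARD.
apply_rules() {
    # Keep the blocklist in its own chain so it can be reloaded on its own.
    ipt -t mangle -N BLOCKLIST 2>/dev/null || true
    ipt -t mangle -F BLOCKLIST
    for src in $BLOCK_SRCS; do
        ipt -t mangle -A BLOCKLIST -s "$src" -j DROP
    done
    # "-I PREROUTING 1" puts the jump at the very top of mangle PREROUTING,
    # so a blocked source is dropped before any DNAT or filter rule sees it.
    ipt -t mangle -I PREROUTING 1 -i "$WAN_IF" -j BLOCKLIST

    # Port-forward to the DMZ host. Only the first packet of a connection
    # consults the nat table; later packets reuse the conntrack mapping.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PUB_PORT" \
        -j DNAT --to-destination "$DMZ_HOST:$PUB_PORT"

    # Let the forwarded traffic and its replies through filter FORWARD.
    ipt -A FORWARD -i "$WAN_IF" -d "$DMZ_HOST" -p tcp --dport "$PUB_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -s "$DMZ_HOST" -o "$WAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Verification: the jump must be rule 1 of mangle PREROUTING, and the packet
# counters on the BLOCKLIST chain show whether the drops are actually firing.
show_rules() {
    ipt -t mangle -L PREROUTING -n -v --line-numbers
    ipt -t mangle -L BLOCKLIST -n -v
    ipt -t nat -L PREROUTING -n -v
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  show_rules ;;
esac
```

Run `sh block.sh apply` as root to install the rules and `sh block.sh show` to confirm the BLOCKLIST jump sits at line 1 of mangle PREROUTING and to watch its counters climb when a blocked host connects; `DRYRUN=1 sh block.sh apply` prints the commands without touching the firewall.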


