Re: iptables rule to block when DNAT is used
Hanasaki JiJi <hanasaki@hanaden.com> writes:
>
> Firewall has rules to DNAT incoming traffic to a port on a DMZ box.
>
> How can an iptables rule be written to block some IP addresses before
> they get to the rules
> iptables -t mangle -A FORWARD
> AND
> iptables -t nat -A PREROUTING
> ???
The "DROP" target is valid in any chain. Therefore,
iptables -t mangle -I FORWARD -s badbox.evil -j DROP
iptables -t nat -I PREROUTING -s badbox.evil -j DROP
should work.
Also note that the mangle PREROUTING chain is run on all incoming
packets before any other chain, so:
iptables -t mangle -I PREROUTING -s badbox.evil -j DROP
should drop all packets from "badbox.evil" before any other rule is
checked. Do some testing before taking my word on it, though.
--
Kevin <buhr@telus.net>
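As an added illustration of the ordering Kevin recommends (this script is not from the thread or its posters): a small blocklist loader that inserts DROP rules at the top of the mangle PREROUTING chain with `-I`, so they are evaluated before anything in nat PREROUTING can DNAT the traffic. The `IPTABLES` and `DRY_RUN` variables, the `run`, `is_ipv4_or_cidr`, `block_source` and `block_list` functions, and the sample addresses (taken from documentation ranges) are all constructed for this example. It also adds two checks a practitioner would want: it refuses hostnames, because iptables resolves a name only once, at insert time, and it uses `-C` so re-running the loader does not stack duplicate rules.

```shell
#!/bin/sh
# Added example, not from the thread: load a source-address blocklist into
# mangle PREROUTING, which runs before nat PREROUTING (and so before DNAT).
# IPTABLES and DRY_RUN are this script's own knobs; set DRY_RUN=1 to print
# the commands instead of executing them (no root needed for a dry run).
IPTABLES="${IPTABLES:-iptables}"
TABLE="mangle"
CHAIN="PREROUTING"

# run CMD...: execute CMD, or echo it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# is_ipv4_or_cidr ADDR: accept a dotted-quad IPv4 address with an optional
# /prefix (shape check only; octet ranges are not validated). Hostnames are
# rejected on purpose: iptables resolves "-s badbox.evil" to an address once,
# when the rule is inserted, so the rule stops matching if the name later
# points elsewhere. Block by address and keep the name in your own records.
is_ipv4_or_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# block_source ADDR: insert "-s ADDR -j DROP" at position 1 of the chain.
# -I (insert) rather than -A (append) is what places the rule above every
# rule already present. -C checks for an identical rule first so the loader
# is idempotent; the check is skipped in dry-run mode, where nothing exists.
block_source() {
    addr="$1"
    if [ -z "${DRY_RUN:-}" ] &&
       "$IPTABLES" -t "$TABLE" -C "$CHAIN" -s "$addr" -j DROP 2>/dev/null; then
        return 0
    fi
    run "$IPTABLES" -t "$TABLE" -I "$CHAIN" -s "$addr" -j DROP
}

# block_list: read addresses from stdin, one per line (blank lines and '#'
# comments ignored), insert a DROP for each valid entry, and return 1 if any
# entry was rejected so a malformed list does not pass silently.
block_list() {
    rejected=0
    while IFS= read -r line; do
        entry="${line%%#*}"
        # trim surrounding whitespace
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -z "$entry" ] && continue
        if is_ipv4_or_cidr "$entry"; then
            block_source "$entry"
        else
            echo "skipping '$entry': not an IPv4 address or CIDR" >&2
            rejected=1
        fi
    done
    return "$rejected"
}
```

Typical use is `DRY_RUN=1 sh blocklist.sh < blocklist.txt` first to review the generated commands, then the same without `DRY_RUN` as root; afterwards `iptables -t mangle -L PREROUTING -n --line-numbers` should show the DROP rules at the top of the chain, ahead of any rule that was already there.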