
The PREROUTING or the INPUT (iptables)



Hi all,

I am asking 2 questions in this mail, and apologies if this is a bit too much for a single mail.

Q1)
I came to understand that the first rule to take the hit is the PREROUTING nat table (after the mangle). So in case I want to do a DNAT of input packets to one of the interfaces in another machine on the same network as the router, then I can apply a DNAT rule in the PREROUTING. But if I want to also select that the packet must be DNAT'ed only if the input is from a specific IP address, then applying the DROP rule for 'anything other-than' type of packets is not effective in the INPUT chain, since the packet traverses the routing decision, goes into the FORWARD chain and egresses...

So out of the many experts here, I just wanted to take advice on where to keep the DROP/REJECT firewall rules? Is it in the PREROUTING or the INPUT? If I keep it at INPUT then the packets which need to be DNAT'ed will traverse bypassing the INPUT rule.

also,

Q2)
I was guessing from the man pages of iptables that I can give multiple source IP addresses in a single stretch by separating them with a ','. I couldn't apparently do it, and below is the command line I used. Could someone point me to what mistake I am making, please?

iptables -A INPUT ! -s 1.1.1.1,1.1.1.2 -j ACCEPT

This command tries to resolve 1.1.1.1,1.1.1.2, ignoring the ',' in the IP addresses and taking this as a complete name.

-----------------------------------
root@mac1:/# iptables -A INPUT ! -s 1.1.1.1,1.1.1.2 -j ACCEPT
iptables v1.4.2: host/network `1.1.1.1,1.1.1.2' not found
Try `iptables -h' or 'iptables --help' for more information.
-----------------------------------
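The rule placement the post reasons about, as an added example that is not part of the original mail: the DNAT in nat/PREROUTING carries the source restriction itself, and the drop for everything else goes in FORWARD, which is the chain DNAT'ed packets actually traverse. It assumes eth0 is the outside interface and 192.0.2.10:22 (a constructed documentation address) is the internal service being published; 1.1.1.1 and 1.1.1.2 are the allowed sources from the post, and since this iptables build rejects the comma form shown above, the list is expanded into one rule per address.

```shell
# Added example (editor's, not the poster's). Assumed values: eth0 as the
# outside interface, 192.0.2.10:22 as the published internal host/port
# (constructed), 2222 as the public port. Commands are printed unless
# DRY_RUN=0, so the rule set can be inspected before touching a live router.
EXT_IF="eth0"
INTERNAL_HOST="192.0.2.10"
INTERNAL_PORT="22"
PUBLIC_PORT="2222"
ALLOWED_SRCS="1.1.1.1 1.1.1.2"

# Print the command, or execute it when DRY_RUN=0.
run() {
    if [ "${DRY_RUN:-1}" = "0" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

install_rules() {
    # One -s per rule: "1.1.1.1,1.1.1.2" is treated as a hostname by this
    # iptables version, so each allowed source gets its own DNAT rule.
    # Only packets from an allowed source are rewritten (nat/PREROUTING).
    for src in $ALLOWED_SRCS; do
        run iptables -t nat -A PREROUTING -i "$EXT_IF" -s "$src" -p tcp \
            --dport "$PUBLIC_PORT" -j DNAT \
            --to-destination "$INTERNAL_HOST:$INTERNAL_PORT"
    done
    # DNAT'ed packets pass the routing decision and hit FORWARD, never
    # INPUT, so the allow list is enforced here and the rest is dropped.
    for src in $ALLOWED_SRCS; do
        run iptables -A FORWARD -i "$EXT_IF" -s "$src" -d "$INTERNAL_HOST" \
            -p tcp --dport "$INTERNAL_PORT" -j ACCEPT
    done
    run iptables -A FORWARD -i "$EXT_IF" -d "$INTERNAL_HOST" -p tcp \
        --dport "$INTERNAL_PORT" -j DROP
}

install_rules
```

Run it as-is to review the five rules it would add; set DRY_RUN=0 on the router to apply them.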

