
Re: The PREROUTING or the INPUT (iptables)



Hi

On Sat, 2011-02-12 at 22:39 +0000, Bhasker C V wrote: 
> Hi all,
> 
>   I am asking 2 questions in this and apologies if this is a bit too much 
> in a single mail.
> 
> Q1)
>   I came to understand that the first rule to take the hit is the 
> PREROUTING nat table (after the mangle). So in case I want to do a DNAT of 
> input packets to one of the interfaces in another machine on the same 
> network as the router, then, I can apply a DNAT rule in the PREROUTING. 
> But if I want to also select that the packet must be DNAT'ed only if
> the input is from a specific ip address, then applying the DROP rule for 
> 'anything other-than' type of packets is not effective in the INPUT chain 
> since the packet traverses the routing decision and goes into the FORWARD 
> chain and goes outgress...
> 
> So out of many experts here, I just wanted to take advice on where to 
> keep the DROP/REJECT firewall rules? Is it in the PREROUTING or the 
> INPUT? If I keep it at INPUT then the packets which need to be DNAT'ed 
> will traverse bypassing the INPUT rule.

What I do is use the PREROUTING table to set up the general forwarding,
and use the FORWARDING and INPUT tables to actually allow or block
traffic. A rule for PREROUTING could be this:
iptables -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP -m multiport \
    --destination-ports 20,21,22,80 -j DNAT --to-destination $WEBSERVER

In this case forwarding ftp, ssh and http ports.
The forwarding and input tables should be used to block unwanted traffic
(or allow wanted traffic).

iptables -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
allows everything from outside to be forwarded to the internal lan in
this case.

One piece of advice is to limit the rules to the smallest possible match,
not allowing anything unintended to slip by.

> 
> also,
> 
> Q2)
>   I was guessing from the man pages of iptables that I can give multiple 
> source ip addresses in a single stretch by separating them with a ','. I 
> couldn't apparently do it, and below is the command line I used. Could 
> someone point out what mistake I am making, please?
> 
> iptables -A INPUT ! -s 1.1.1.1,1.1.1.2 -j ACCEPT
> 
> This command is trying to resolve 1.1.1.1,1.1.1.2, ignoring the ',' in the 
> IP addresses and taking this as a complete name.

Perhaps you are looking for the iprange module?
iptables -A INPUT -m iprange --src-range 192.168.1.1-192.168.1.254 -j ACCEPT
That allows you to specify a range of IPs.

Using the -s argument for source IPs, you can only give a single
address, however, it is possible to define a complete subnet like this:
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
In other cases you'd need 2 separate rules.

> 
> -----------------------------------
> root@mac1:/# iptables -A INPUT ! -s 1.1.1.1,1.1.1.2 -j ACCEPT
> iptables v1.4.2: host/network `1.1.1.1,1.1.1.2' not found
> Try `iptables -h' or 'iptables --help' for more information.
> -----------------------------------
> 
> 

Kind regards,
Steven
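The layout Steven describes for Q1 (DNAT in nat/PREROUTING, the allow/deny decision in FORWARD rather than INPUT), combined with his Q2 answer (iprange for a contiguous block, one -s rule per scattered address), as an added example script that is not part of the original thread. Interface names, the router and web server addresses, the port list and the allowed sources are all assumed placeholders; set IPT="echo iptables" (or run with no argument) to print the rule set instead of loading it.

```shell
#!/bin/sh
# Added example, not from the thread: DNAT only for an allowed set of sources,
# with the real allow/deny decision made in FORWARD rather than INPUT.
# All interface names and addresses below are assumed placeholders.
IPT=${IPT:-iptables}             # set IPT="echo iptables" to dry-run
EXTIF=eth0; INTIF=eth1
EXTIP=203.0.113.10               # router's public address
WEBSERVER=192.168.1.10           # internal host that receives the DNAT'ed traffic
PORTS=22,80
ALLOWED_SRCS="198.51.100.5 198.51.100.6"     # scattered addresses: one rule each
ALLOWED_RANGE=198.51.100.32-198.51.100.63    # contiguous block: iprange match

dnat_rules() {
  # nat/PREROUTING runs before the routing decision, so matching -s here means
  # only the allowed sources are rewritten; every other sender still has $EXTIP
  # as destination, is routed to INPUT, and is dropped by the INPUT policy.
  for src in $ALLOWED_SRCS; do
    $IPT -t nat -A PREROUTING -i "$EXTIF" -s "$src" -d "$EXTIP" -p tcp \
      -m multiport --dports "$PORTS" -j DNAT --to-destination "$WEBSERVER"
  done
  $IPT -t nat -A PREROUTING -i "$EXTIF" -m iprange --src-range "$ALLOWED_RANGE" \
    -d "$EXTIP" -p tcp -m multiport --dports "$PORTS" -j DNAT --to-destination "$WEBSERVER"
}

filter_rules() {
  # FORWARD sees the packet after DNAT (destination is now $WEBSERVER), which is
  # why the DROP for "anything other than" belongs here and not in INPUT.
  $IPT -P FORWARD DROP
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for src in $ALLOWED_SRCS; do
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -s "$src" -d "$WEBSERVER" -p tcp \
      -m multiport --dports "$PORTS" -j ACCEPT
  done
  $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -m iprange --src-range "$ALLOWED_RANGE" \
    -d "$WEBSERVER" -p tcp -m multiport --dports "$PORTS" -j ACCEPT
  # INPUT only ever sees packets addressed to the router itself.
  $IPT -P INPUT DROP
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Print the rule set instead of loading it; handy for review before 'apply'.
render_rules() { IPT="echo iptables"; dnat_rules; filter_rules; }

case "${1:-}" in
  apply)  dnat_rules; filter_rules ;;
  *)      render_rules ;;
esac
```

Run it as `sh rules.sh apply` as root to load the rules; without an argument it only prints them.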
