iptables DROP before PREROUTING

To: debian-user@lists.debian.org
Subject: iptables DROP before PREROUTING
From: Jim Popovitch <jim@k4vqc.com>
Date: Thu, 09 Jan 2020 14:46:25 -0500
Message-id: <[🔎] bd1fbb2e8acfe21972010df27d79c478ad0ee017.camel@k4vqc.com>

Hello!

Is there a way to have iptables DROP before PREROUTING.

Consider this bit of rules on a home firewall, where 24.126.xx.yy is my
home external IP address.

---------
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -s 23.132.208.0/24 -j DROP

# DNAT inbound SSH to home PC
iptables  -A FORWARD -i eth0 -d 192.168.1.10 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables  -t nat -A PREROUTING -p tcp -d 24.126.xx.yy --dport 12345 -j DNAT --to-destination 192.168.1.10
iptables  -t nat -A POSTROUTING -s 192.168.1.10 ! -d 192.168.1.0/24 -j SNAT --to 24.126.xx.yy

iptables -A INPUT -j DROP
--------

What I want to do is prevent 23.132.208.0/24 from accessing a service
(port 12345) on my home PC.  The problem is, the REROUTING rules preceed
the DROP rule, so the connections get through.  Thanks for any
suggestions/help.


-Jim P.

Reply to:

Follow-Ups:
- Re: iptables DROP before PREROUTING
  - From: Reco <recoverym4n@enotuniq.net>
- Re: iptables DROP before PREROUTING
  - From: "Alexander V. Makartsev" <avbetev@gmail.com>

Prev by Date: Re: web server for development
Next by Date: Re: iptables DROP before PREROUTING
Previous by thread: Re: Success of udev rule depends on if user has local or NIS account
Next by thread: Re: iptables DROP before PREROUTING
Index(es):
- Date
- Thread