
Re: iptables DROP before PREROUTING



On 10.01.2020 00:46, Jim Popovitch wrote:
Hello!

Is there a way to have iptables DROP before PREROUTING.

Consider this bit of rules on a home firewall, where 24.126.xx.yy is my
home external IP address.

---------
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -s 23.132.208.0/24 -j DROP

# DNAT inbound SSH to home PC
iptables  -A FORWARD -i eth0 -d 192.168.1.10 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables  -t nat -A PREROUTING -p tcp -d 24.126.xx.yy --dport 12345 -j DNAT --to-destination 192.168.1.10
iptables  -t nat -A POSTROUTING -s 192.168.1.10 ! -d 192.168.1.0/24 -j SNAT --to 24.126.xx.yy

iptables -A INPUT -j DROP
--------

What I want to do is prevent 23.132.208.0/24 from accessing a service
(port 12345) on my home PC.  The problem is, the PREROUTING rules precede
the DROP rule, so the connections get through.  Thanks for any
suggestions/help.


-Jim P.




I recommend you look at this article. [1] It provides pretty good explanations and a complete iptables flow chart.
It will help you understand how iptables works internally, so you will have a better understanding of where to place your rules and what those rules should be.

The answer to your question, I believe, should look like this:
"iptables -I FORWARD -s 23.132.208.0/24 -j DROP"
This rule will be placed at the first line of the FORWARD chain of the filter table and will drop all traffic that comes from the 23.132.208.0/24 subnet after it leaves the PREROUTING chain of the nat table.


[1] https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TRAVERSINGOFTABLES

-- 
With kindest regards, Alexander.

⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀⠀⠀⠀ 
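To see why the INPUT rule never fires for the DNATed connection and why the FORWARD rule does, here is an added example (not code from either poster) that models the traversal order from the linked flow chart: nat PREROUTING runs first, then the routing decision sends the packet to filter INPUT or filter FORWARD based on the rewritten destination. The external address 24.126.0.1, the LAN gateway address and the client addresses are constructed placeholders; connection state is ignored, which is fine for a new inbound SYN.

```python
import ipaddress

# Constructed model (not real netfilter): a TCP SYN enters nat PREROUTING
# first; the routing decision then sends it to filter INPUT if the (possibly
# rewritten) destination is a local address, else to filter FORWARD.
EXTERNAL_IP = "24.126.0.1"                # placeholder for 24.126.xx.yy
LOCAL_ADDRS = {EXTERNAL_IP, "192.168.1.1"}  # constructed: firewall's own addresses

def rule(chain, target, src=None, dst=None, dport=None, to=None):
    """One iptables rule: chain is 'table CHAIN', src is a CIDR, to is the DNAT target."""
    return dict(chain=chain, target=target, src=src, dst=dst, dport=dport, to=to)

def matches(r, pkt):
    src_ok = r["src"] is None or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(r["src"])
    dst_ok = r["dst"] is None or pkt["dst"] == r["dst"]
    port_ok = r["dport"] is None or pkt["dport"] == r["dport"]
    return src_ok and dst_ok and port_ok

def walk_chain(rules, pkt, chain, policy):
    """First matching rule wins; DNAT rewrites the destination in place."""
    for r in (r for r in rules if r["chain"] == chain):
        if matches(r, pkt):
            if r["target"] == "DNAT":
                pkt["dst"] = r["to"]
            return r["target"]
    return policy

def verdict(rules, pkt):
    pkt = dict(pkt)
    walk_chain(rules, pkt, "nat PREROUTING", "ACCEPT")
    if pkt["dst"] in LOCAL_ADDRS:
        return walk_chain(rules, pkt, "filter INPUT", "DROP")      # -P INPUT DROP
    return walk_chain(rules, pkt, "filter FORWARD", "ACCEPT")     # FORWARD policy left at ACCEPT

# Jim's rule set, reduced to the rules a new inbound SYN can hit.
ORIGINAL = [
    rule("filter INPUT", "DROP", src="23.132.208.0/24"),
    rule("filter FORWARD", "ACCEPT", dst="192.168.1.10"),
    rule("nat PREROUTING", "DNAT", dst=EXTERNAL_IP, dport=12345, to="192.168.1.10"),
    rule("filter INPUT", "DROP"),
]
# Alexander's fix: `iptables -I FORWARD -s 23.132.208.0/24 -j DROP` lands at the top of FORWARD.
FIXED = [rule("filter FORWARD", "DROP", src="23.132.208.0/24")] + ORIGINAL

BLOCKED_CLIENT = {"src": "23.132.208.5", "dst": EXTERNAL_IP, "dport": 12345}  # constructed
OTHER_CLIENT = {"src": "203.0.113.7", "dst": EXTERNAL_IP, "dport": 12345}     # constructed

if __name__ == "__main__":
    print("original:", verdict(ORIGINAL, BLOCKED_CLIENT))  # ACCEPT: DNAT sends it to FORWARD
    print("fixed:   ", verdict(FIXED, BLOCKED_CLIENT))     # DROP
```

The same client hitting a port with no DNAT rule (for example 22) still lands in INPUT and is dropped by Jim's existing rule, which is why that rule looked like it should have worked.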
