
-----Original Message-----
From: Anders Johansson [mailto:andjoh@rydsbo.net]
Sent: Wednesday, April 28, 2004 7:14 AM
On Wednesday 28 April 2004 06.52, Christian Lange wrote:
Hello Andreas,
Well, now I did and an IPTABLES -A OUTPUT -j REJECT -d www.x.de in fw_custom_before_antispoofing()
you will need rules like this:
iptables -A FORWARD -s IP_OF_NAT_BOX_1 -d IP_OF_DESTINATION -j DROP/REJECT
iptables -A FORWARD -s IP_OF_NAT_BOX_2 -d IP_OF_DESTINATION -j DROP/REJECT
Really? I didn't think NATed packets passed through the FORWARD table. I thought that was for unmodified packets only.
nope
iptables -t nat -I PREROUTING -d DEST_IP -j DROP
would have been my guess
You guessed wrong, nat in the PREROUTING chain is for DNAT (Destination NAT) only. SNAT takes place in the POSTROUTING chain. SNAT packets take their way through the FORWARD chain and can therefore be DROPed/REJECTed in the FORWARD chain. Take a look at the Kernel Packet Traveling Diagram on Stef Coene's site docum.org: http://www.docum.org/stef.coene/qos/kptd/

HTH
marc
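To make the chain-traversal argument from this reply concrete, here is a small Python model of the path a packet takes through the netfilter tables (added example, not from the mails or from iptables itself). It uses constructed addresses in place of IP_OF_NAT_BOX_1/2 and IP_OF_DESTINATION, models only the chains the thread discusses, and shows why the original OUTPUT rule never sees forwarded traffic while a FORWARD rule matches the private source address before SNAT rewrites it in POSTROUTING.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses for the scenario in the thread (not from the mails).
NAT_BOX_1 = "192.168.1.10"    # IP_OF_NAT_BOX_1
NAT_BOX_2 = "192.168.1.11"    # IP_OF_NAT_BOX_2
DEST = "203.0.113.5"          # IP_OF_DESTINATION (stands in for www.x.de)
PUBLIC_IP = "198.51.100.1"    # address the firewall SNATs outgoing traffic to

@dataclass
class Rule:
    table: str
    chain: str
    target: str                 # ACCEPT / DROP / REJECT / SNAT / DNAT
    src: Optional[str] = None   # -s ; None matches any source
    dst: Optional[str] = None   # -d ; None matches any destination
    to: Optional[str] = None    # --to-source / --to-destination

    def matches(self, pkt: Dict[str, str]) -> bool:
        return self.src in (None, pkt["src"]) and self.dst in (None, pkt["dst"])

# Chains visited, in order, per the kernel packet traveling diagram.
FORWARDED_PATH = [("nat", "PREROUTING"), ("filter", "FORWARD"), ("nat", "POSTROUTING")]
LOCAL_PATH = [("filter", "OUTPUT"), ("nat", "POSTROUTING")]

def traverse(pkt: Dict[str, str], rules: List[Rule], local: bool = False) -> Tuple[str, Dict[str, str]]:
    """Walk the packet through the chains; return (verdict, packet as it leaves the box)."""
    pkt = dict(pkt)
    for table, chain in (LOCAL_PATH if local else FORWARDED_PATH):
        for r in rules:
            if (r.table, r.chain) != (table, chain) or not r.matches(pkt):
                continue
            if table == "filter" and r.target in ("DROP", "REJECT"):
                return r.target, pkt           # terminating verdict
            if r.target == "SNAT":             # source rewritten only after FORWARD
                pkt["src"] = r.to
            elif r.target == "DNAT":
                pkt["dst"] = r.to
            break                              # first matching rule in a chain wins
    return "ACCEPT", pkt

def output_rules() -> List[Rule]:
    """The first attempt in the thread: REJECT -d DEST in OUTPUT, plus the SNAT rule."""
    return [Rule("filter", "OUTPUT", "REJECT", dst=DEST),
            Rule("nat", "POSTROUTING", "SNAT", to=PUBLIC_IP)]

def forward_rules() -> List[Rule]:
    """The suggested fix: one FORWARD rule per NAT box, matched before SNAT."""
    return [Rule("filter", "FORWARD", "REJECT", src=NAT_BOX_1, dst=DEST),
            Rule("filter", "FORWARD", "REJECT", src=NAT_BOX_2, dst=DEST),
            Rule("nat", "POSTROUTING", "SNAT", to=PUBLIC_IP)]
```

With output_rules() a forwarded packet from NAT_BOX_1 to DEST is accepted and leaves SNATed, because OUTPUT only sees traffic the firewall itself generates; with forward_rules() the same packet is rejected in FORWARD.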