On Wednesday 28 April 2004 09.03, Marc Samendinger wrote:
> > iptables -t nat -I PREROUTING -d DEST_IP -j DROP
> > would have been my guess
> You guessed wrong, nat in the PREROUTING chain is for DNAT (Destination NAT) only. SNAT takes place in the POSTROUTING chain. SNAT packets make their way through the FORWARD chain and can therefore be DROPed/REJECTed in the FORWARD chain. Take a look at the Kernel Packet Traveling Diagram on Stef Coene's site docum.org: http://www.docum.org/stef.coene/qos/kptd/
Thanks for that, I had no idea. That's what I get for always basing my firewalls on SuSEfirewall2, I guess; things like that are hidden unless you look carefully. But now I see that all packets run through the forward table as well. Still, I didn't actually "guess wrong": the above command does work, and will catch the packet a few steps earlier in the chain, saving a little work for the kernel.
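As an added illustration (not part of the thread), here is an iptables-save style ruleset showing where the rules discussed above sit relative to each other on the packet path. One caveat worth knowing: the nat table is consulted only for the first packet of a new connection, so a DROP placed in nat PREROUTING is evaluated only for connection-opening packets, while a rule in filter FORWARD is evaluated for every forwarded packet. The interfaces and addresses (eth0, eth1, 192.0.2.10, 203.0.113.1) are constructed placeholders.

```text
# nat table: consulted only for the first packet of each new connection
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT rules belong in PREROUTING (evaluated before the routing decision);
# the "iptables -t nat -I PREROUTING -d DEST_IP -j DROP" from the thread
# would land here too, but only sees the first packet of a connection
# SNAT belongs in POSTROUTING (after routing, so after FORWARD has run)
-A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.1
COMMIT

# filter table: every forwarded packet traverses FORWARD, which sits
# between nat PREROUTING and nat POSTROUTING on the path
*filter
:FORWARD DROP [0:0]
# blocking a destination here catches every packet, not just the first
-A FORWARD -d 192.0.2.10 -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
```

The fragment can be loaded with iptables-restore; iptables-restore ignores the `#` comment lines.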