Re: [suse-security] How to block some IPs with SuSEfirewall2 ?
-----Original Message-----
From: Anders Johansson [mailto:andjoh@rydsbo.net]
Sent: Wednesday, April 28, 2004 7:14 AM
On Wednesday 28 April 2004 06.52, Christian Lange wrote:
Hello Andreas,
Well, now I did add an IPTABLES -A OUTPUT -j REJECT -d www.x.de in fw_custom_before_antispoofing()
you will need rules like this:
iptables -A FORWARD -s IP_OF_NAT_BOX_1 -d IP_OF_DESTINATION -j DROP/REJECT
iptables -A FORWARD -s IP_OF_NAT_BOX_2 -d IP_OF_DESTINATION -j DROP/REJECT
Really? I didn't think NATed packets passed through the FORWARD table. I thought that was for unmodified packets only.
nope
iptables -t nat -I PREROUTING -d DEST_IP -j DROP
would have been my guess
You guessed wrong, nat in the PREROUTING chain is for DNAT (Destination nat) only. SNAT takes place in the POSTROUTING chain. SNAT packets take their way through the FORWARD chain and can therefore be DROPed/REJECTed in the FORWARD chain. Take a look at the Kernel Packet Traveling Diagram on Stef Coene's site docum.org:
http://www.docum.org/stef.coene/qos/kptd/
HTH
marc
On Wednesday 28 April 2004 09.03, Marc Samendinger wrote:
iptables -t nat -I PREROUTING -d DEST_IP -j DROP
would have been my guess
You guessed wrong, nat in the PREROUTING chain is for DNAT (Destination nat) only. SNAT takes place in the POSTROUTING chain. SNAT packets take their way through the FORWARD chain and can therefore be DROPed/REJECTed in the FORWARD chain. Take a look at the Kernel Packet Traveling Diagram on Stef Coene's site docum.org:
http://www.docum.org/stef.coene/qos/kptd/
Thanks for that, I had no idea. That's what I get for always basing my firewalls on SuSEfirewall2 I guess, things like that are hidden unless you look carefully. But now I see that all packets run through the forward table as well. Still, I didn't actually "guess wrong": the above command does work, and will catch the packet a few steps earlier in the chain, saving a little work for the kernel.
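The FORWARD-chain approach the thread settles on, written out as a SuSEfirewall2 custom hook. This is an added example, not code from either poster or from SuSEfirewall2 itself; the hook name comes from the thread, while the addresses are constructed and the IPTABLES variable (defaulting to a dry-run echo) is an assumption for running it without root.

```shell
#!/bin/sh
# Constructed example: keep two NAT-ed LAN hosts from reaching one outside
# destination by rejecting in the filter table's FORWARD chain, which is the
# chain SNAT-ed traffic traverses. IPTABLES defaults to "echo iptables" so the
# script can be dry-run; set IPTABLES=iptables to apply the rules for real.
IPTABLES=${IPTABLES:-"echo iptables"}

# Minimal IPv4 dotted-quad check so a typo does not turn into a rule that
# matches nothing (or far too much). Returns 0 for a plausible address.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit one FORWARD rule per NAT-ed source host, as in the thread. REJECT gives
# the client an immediate error instead of a hang; DROP would also work.
# Usage: block_forward DESTINATION SOURCE [SOURCE...]
block_forward() {
    dest=$1; shift
    is_ipv4 "$dest" || { echo "bad destination: $dest" >&2; return 1; }
    for src in "$@"; do
        is_ipv4 "$src" || { echo "bad source: $src" >&2; return 1; }
        $IPTABLES -A FORWARD -s "$src" -d "$dest" -j REJECT
    done
}

# SuSEfirewall2 calls this hook before adding its own rules, so appending
# here still puts our REJECTs ahead of its FORWARD ACCEPTs.
fw_custom_before_antispoofing() {
    # Constructed addresses: two LAN boxes behind this gateway, one destination.
    block_forward 198.51.100.10 192.168.1.20 192.168.1.21
    true
}
```

Running the file as-is prints the two rules it would install; the same lines end up in the custom hook file SuSEfirewall2 sources (its path is distribution-specific and not shown here).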