* nat table
From: Guillaume @ 2002-09-07 16:56 UTC (permalink / raw)
To: netfilter
I have a Windows PC behind a Linux gateway with iptables. With it, the default policy for everything is DROP, but the two "mangle" lines are ACCEPT.
Everything works well for going on the internet, sending/receiving email, etc.
But there is one thing which doesn't want to work, and I don't understand at all what is wrong. I have a small daemon which is listening on my network card eth0 on the LAN side at port 3000, and I can't connect to it from my Windows browser.
But when I set the policy for the nat table's POSTROUTING and OUTPUT chains to ACCEPT, it works! I am able to connect to my daemon.
I don't understand, because I have, among others, the following rules:
iptables -t nat -A PREROUTING -i eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j ACCEPT
iptables -t nat -A OUTPUT -o eth0 -j ACCEPT
Why, when I set the default policy of the nat table to DROP, can't I connect, even with these rules?
What do I have to do about it?
Thanks.
Guillaume.
* Re: nat table
From: Antony Stone @ 2002-09-07 19:06 UTC (permalink / raw)
To: netfilter
On Saturday 07 September 2002 5:56 pm, Guillaume wrote:
> I have a Windows PC behind a Linux gateway with iptables. With it, the
> default policy for everything is DROP, but the two "mangle" lines are ACCEPT.
> .....But when I set the policy for the nat table's POSTROUTING and OUTPUT chains
> to ACCEPT, it works!
It is *strongly* recommended that you do not change the default policy for
either the nat or mangle tables from the standard ACCEPT.
There are two reasons for this:
1. It will cause a lot of things not to work properly.
2. The nat and mangle tables are for natting and mangling, not for filtering,
therefore you should not apply a filtering policy to them.
> Why, when I set the default policy of the nat table to DROP, can't I connect,
> even with these rules? What do I have to do about it?
If you DROP packets in the nat table, they will not be able to go through
your Firewall, even if you allow them in the FORWARD chain of your filter
table.
All packets entering your firewall go through the PREROUTING chain (nat and
mangle tables) before entering either the INPUT or FORWARD chain (filter
table).
All packets going out of your firewall go through either the FORWARD or
OUTPUT chain (filter table) and then the POSTROUTING table (nat and mangle
tables).
If you block them at any one of these points they will not get to their
destination.
Antony.
--
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.
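The layout Antony describes, written out as a complete ruleset: nat and mangle keep their standard ACCEPT policies (nothing is filtered there), the DROP policies and the "LAN may reach the daemon on port 3000" decision live in the filter table, and since the daemon runs on the gateway itself the rule sits in INPUT, not FORWARD. This is an added example, not code posted by Guillaume or Antony. It assumes eth0 is the LAN side (the only interface the thread names), eth1 is the internet side, the LAN is 192.168.1.0/24 and the daemon listens on TCP 3000; change those to match. It is a dry run by default, echoing the iptables commands it would issue; run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example for the netfilter thread above: filter in the filter table,
# leave nat/mangle policies at ACCEPT. Assumed layout (not from the thread):
#   eth0 = LAN, eth1 = internet, LAN = 192.168.1.0/24, daemon on TCP 3000.
# Dry run by default: every command is echoed. Apply for real (as root) with
#   IPT=iptables sh gateway-rules.sh
IPT="${IPT:-echo iptables}"

LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.1.0/24
DAEMON_PORT=3000

apply_rules() {
    # Flush every table so the result does not depend on what was loaded before.
    # $IPT is deliberately unquoted so "echo iptables" splits into two words.
    for t in filter nat mangle; do
        $IPT -t $t -F
    done

    # The mistake in the thread was a DROP policy on the nat chains, e.g.
    #   iptables -t nat -P POSTROUTING DROP
    # The nat table only sees the first packet of each connection, so a DROP
    # there kills new connections regardless of what the filter table allows.
    # nat and mangle are for natting and mangling: keep their policies ACCEPT.
    for c in PREROUTING POSTROUTING OUTPUT; do
        $IPT -t nat -P $c ACCEPT
    done
    for c in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
        $IPT -t mangle -P $c ACCEPT
    done

    # The one job the nat table has here: masquerade the LAN behind the
    # internet interface.
    $IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE

    # All filtering decisions, including the default DROP, go in the filter table.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback and replies to connections the gateway itself opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The daemon on port 3000 runs on the gateway, so the packet from the
    # Windows PC ends in INPUT (not FORWARD). Allow it from the LAN only.
    $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $DAEMON_PORT -m state --state NEW -j ACCEPT

    # The gateway may open connections (DNS, updates) and answer existing ones.
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # LAN -> internet through the box, and only replies back in.
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
}

apply_rules
```

Once applied, `iptables -t nat -L -n` should show every nat chain with `(policy ACCEPT)` and only the MASQUERADE rule, and `iptables -L INPUT -n` should show `(policy DROP)` with the port 3000 rule restricted to eth0 and the LAN subnet. `-m state` is the 2002-era spelling; on current kernels it is an alias for `-m conntrack --ctstate` and both work.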