From: Jan Humme <jan.humme@xs4all.nl>
To: Antony Stone <Antony@Soft-Solutions.co.uk>, netfilter@lists.samba.org
Subject: Re: Re: unexpected problem with DNAT
Date: Wed, 10 Jul 2002 17:49:42 +0200
Message-ID: <02071017494208.04513@Lms>
In-Reply-To: <200207101443.g6AEhf812770@vulcan.rissington.net>

On Wednesday 10 July 2002 16:43, Antony Stone wrote:
> On Wednesday 10 July 2002 3:26 pm, Jan Humme wrote:
> > On Wednesday 10 July 2002 16:03, thingstocome@gmx.net wrote:
> > > > I believe it can only be fixed in the filter module somehow, as all
> > > > packets
> > > > travel through the filter module. You may insert a rule to the
> > > > FORWARD chain,
> > > > to block the FTP-traffic from this IP-address; this should take
> > > > immediate effect.
> > > >
> > > > Jan Humme.
> > >
> > > thx for your reply.
> > >
> > > hmm if i would attempt to block the packets of the ftp session inside
> > > the FORWARD chain,
> > > the destination address would already have changed to an address of
> > > LAN_1 ( because of prerouting).
> > >
> > > I think i can't block these packets in the FORWARD chain by checking
> > > their destination address because as you might remember, SNAT (
> > > masquerading) is also used by LAN_1_ADDR,
> > > so some packets of the masquerading sessions do also have destination
> > > address LAN_1_ADDR when they pass the forward chain ( because NAT is
> > > bidirectional), so they would be blocked as well.
>
> The mangle table might be your answer.
>
> Two suggestions:
>
> 1. Create a rule in the PREROUTING mangle table (which is processed before
> the nat table, so you can see the original source addresses) and MARK the
> packets which you want to block, and then put a rule in the FORWARD chain
> to DROP the MARKed packets.
>
> That's the 'proper' way to do it - mangle the packets in the mangle table
> and drop them in the filter table, however the quicker, dirtier but more
> efficient way to do it is:
>
> 2. Create a rule in the PREROUTING mangle table (which is processed before
> the nat table, so you can see the original source addresses) and DROP the
> packets you want to stop.

I don't get it: the original source addresses are only SNATted *after* the 
FORWARD chain has already been filtered; there is no need to (ab)use the 
mangle chain for this purpose? Or am I misunderstanding something?

So he can directly create one rule in FORWARD chain to drop the packets; but 
his problem seems to be that he doesn't know which IP-addresses he wants to 
block.

Jan Humme.
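The ordering the two replies argue about, as an added toy model that is not part of the thread: mangle PREROUTING runs before nat PREROUTING (DNAT), filter FORWARD sees the rewritten destination but the still-original source, and a MARK set before DNAT survives into FORWARD. All addresses are constructed sample values from the RFC 5737 documentation ranges; the rule names are hypothetical labels for the three approaches discussed above.

```python
from dataclasses import dataclass

# Constructed sample addresses (RFC 5737 documentation ranges), not from the thread.
PUBLIC_ADDR = "198.51.100.10"   # router's external address
LAN_1_ADDR = "192.168.1.10"     # internal host that DNAT forwards FTP to
BAD_CLIENT = "203.0.113.5"      # external source to keep away from FTP
FTP_MARK = 0x1


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    mark: int = 0
    verdict: str = "ACCEPT"


def mangle_prerouting(pkt: Packet) -> None:
    # Runs before nat PREROUTING, so the original destination is still visible.
    # MARK here rather than DROP (suggestion 1 in the quoted reply).
    if pkt.dst == PUBLIC_ADDR and pkt.dport == 21 and pkt.src == BAD_CLIENT:
        pkt.mark = FTP_MARK


def nat_prerouting(pkt: Packet) -> None:
    # DNAT: port-forward the public FTP port to LAN_1.
    if pkt.dst == PUBLIC_ADDR and pkt.dport == 21:
        pkt.dst = LAN_1_ADDR


def filter_forward(pkt: Packet, rule: str) -> None:
    # Three candidate FORWARD rules (hypothetical names for the thread's ideas).
    if rule == "by-original-dst" and pkt.dst == PUBLIC_ADDR and pkt.dport == 21:
        pkt.verdict = "DROP"    # never matches: DNAT already rewrote dst
    elif rule == "by-src" and pkt.src == BAD_CLIENT and pkt.dport == 21:
        pkt.verdict = "DROP"    # works: src is not SNATted until POSTROUTING
    elif rule == "by-mark" and pkt.mark == FTP_MARK:
        pkt.verdict = "DROP"    # works: the pre-NAT mark survives DNAT


def traverse(pkt: Packet, rule: str) -> Packet:
    # Hook order for a forwarded packet; POSTROUTING SNAT would follow for ACCEPT.
    mangle_prerouting(pkt)
    nat_prerouting(pkt)
    filter_forward(pkt, rule)
    return pkt


def verdict_for(rule: str, src: str = BAD_CLIENT) -> str:
    return traverse(Packet(src=src, dst=PUBLIC_ADDR, dport=21), rule).verdict
```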
 

