Re: Nat OUTPUT chain - Patrick Schaaf

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Patrick Schaaf <bof@bof.de>
To: Antony Stone <Antony@Soft-Solutions.co.uk>
Cc: netfilter@lists.samba.org
Subject: Re: Nat OUTPUT chain
Date: Sun, 16 Jun 2002 09:43:39 +0200	[thread overview]
Message-ID: <20020616094339.A32016@oknodo.bof.de> (raw)
In-Reply-To: <200206152359.g5FNxwA32623@Networker.rockstone.co.uk>; from Antony@Soft-Solutions.co.uk on Sun, Jun 16, 2002 at 12:59:56AM +0100

Hi all,

> Why do you DROP in the nat table instead of the filter table ?

Note that there are situations where this is advisable, and other
approaches result in more complex rulesets.

Imagine a situation where you want to REDIRECT certain incoming
connections, e.g.  everything to --dport 80, with the local service
running on port 3128. However, you DON'T want to have those redirected
clients access 3128 DIRECTLY. Using REDIRECT, both the direct and
redirected connections arrive in the filter table's INPUT chain,
and cannot be easily distinguished there, because the filter table
sees the rewritten destination IP and port.

My first solution involved the mangle table, tagging the different
incoming packets with an fwmark, and using that fwmark in both the
NAT and filter tables.

My current solution does the desired REDIRECTs in the NAT table,
and DROPs everything unwanted right there; the filter table just
permits the redirected port 3128 traffic. So that's where I found
good use for DROP in the NAT table.

An alternative, not doable with stock iptables (there's something
in p-o-m, I think), would be a filter table target which is capable
of matching the ORIGINAL_DESTINATION of the REDIRECTed connections.

best regards
  Patrick

next prev parent reply	other threads:[~2002-06-16  7:43 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2002-06-15 23:57 Nat OUTPUT chain hard__ware
2002-06-15 23:59 ` Antony Stone
2002-06-16  7:43   ` Patrick Schaaf [this message]
  -- strict thread matches above, loose matches on Subject: below --
2002-06-16  2:30 Hard__warE
2002-06-02 13:42 gvt_lnx
2002-06-02 14:05 ` Antony Stone

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20020616094339.A32016@oknodo.bof.de \
    --to=bof@bof.de \
    --cc=Antony@Soft-Solutions.co.uk \
    --cc=netfilter@lists.samba.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.