Antony Stone wrote:
On Monday 04 November 2002 8:46 pm, Carlos Façanha wrote:

I have a Linux box used as NAT server and firewall. All
requests on its port 80 are forwarded to a local webserver
inside my network. I want to block access to all services
including http from a specific external host.

I'm using the following rule to block the host

iptables -A INPUT -i $extint -s $hostip -j DROP

and this one to do the NAT

iptables -t nat -A PREROUTING -p tcp --dport 80 -d $extip -j
DNAT --to $webserverip:80

The problem is that the host is blocked from accessing all
services but http. I've already checked if there are any
rules before that ACCEPT the request. It seems that prerouted
packets are bypassing the INPUT chain.

Is it correct? If not, what am I doing wrong?

It is correct that routed packets bypass the INPUT chain. Only packets
destined for the firewall machine go through INPUT - packets which are going
somewhere else go through FORWARD.

Therefore put your blocking rule in the FORWARD chain instead and it should 
do what you want.

Antony.

Perhaps this helps to better understand the "flow":
http://offlineprovider.de/site/netfilter/netfilter.php

Regards,
Simon
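To make the flow Antony and Simon describe concrete, here is a small Python model of the netfilter traversal for this exact scenario. It is an added example, not code from the thread or from netfilter itself: the nat PREROUTING chain runs first and a DNAT rewrites the destination, then the routing decision sends the packet to INPUT only if the (now rewritten) destination is one of the firewall's own addresses, otherwise to FORWARD. The addresses and interface name ($extint=eth0, $extip=203.0.113.10, $webserverip=192.168.1.20, $hostip=198.51.100.7) are made up for the example. Two things it shows beyond the original reply: the blocking rule in INPUT is still needed for the firewall's own services (ssh here), so the FORWARD rule is added alongside it, not instead of it; and in FORWARD the destination already is the web server's address, so the rule should match on -s and -i, not on -d $extip.

```python
"""Toy model of netfilter chain traversal (constructed example, not part of
the original thread).  Assumed addresses: firewall public IP 203.0.113.10 on
eth0, internal web server 192.168.1.20, external host to block 198.51.100.7.
"""
from dataclasses import dataclass, replace as dc_replace
from typing import List, Optional, Tuple

EXTINT = "eth0"                         # assumed $extint
EXTIP = "203.0.113.10"                  # assumed $extip
WEBSERVER = "192.168.1.20"              # assumed $webserverip
BAD_HOST = "198.51.100.7"               # assumed $hostip
LOCAL_ADDRS = {EXTIP, "192.168.1.1"}    # addresses owned by the firewall itself


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                         # "ACCEPT", "DROP" or "DNAT"
    in_iface: Optional[str] = None      # -i
    src: Optional[str] = None           # -s
    dst: Optional[str] = None           # -d
    proto: Optional[str] = None         # -p
    dport: Optional[int] = None         # --dport
    to: Optional[str] = None            # --to ip:port for DNAT

    def matches(self, p: Packet) -> bool:
        # An unset match (None) matches anything, like an omitted iptables option.
        return all(want is None or want == have for want, have in (
            (self.in_iface, p.in_iface), (self.src, p.src), (self.dst, p.dst),
            (self.proto, p.proto), (self.dport, p.dport)))


def run_chain(rules: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """First matching terminating rule wins; otherwise the chain policy."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


def traverse(p: Packet, nat_prerouting: List[Rule], filter_input: List[Rule],
             filter_forward: List[Rule]) -> Tuple[str, str, Packet]:
    """Return (chain that decided, verdict, packet as it left the firewall)."""
    # 1. nat PREROUTING runs before routing; DNAT rewrites the destination.
    for r in nat_prerouting:
        if r.target == "DNAT" and r.matches(p):
            ip, port = r.to.split(":")
            p = dc_replace(p, dst=ip, dport=int(port))
            break
    # 2. Routing decision on the rewritten destination: local -> INPUT,
    #    anything else -> FORWARD.  INPUT is never consulted for forwarded traffic.
    if p.dst in LOCAL_ADDRS:
        return ("INPUT", run_chain(filter_input, p), p)
    return ("FORWARD", run_chain(filter_forward, p), p)


# The rules from the question: DNAT port 80 to the web server, block the host.
NAT_PREROUTING = [Rule("DNAT", proto="tcp", dport=80, dst=EXTIP, to=f"{WEBSERVER}:80")]
BLOCK_HOST = Rule("DROP", in_iface=EXTINT, src=BAD_HOST)

HTTP_FROM_BAD_HOST = Packet(EXTINT, BAD_HOST, EXTIP, "tcp", 80)
SSH_FROM_BAD_HOST = Packet(EXTINT, BAD_HOST, EXTIP, "tcp", 22)


def verdict_input_only(p: Packet) -> Tuple[str, str, Packet]:
    """Original setup: block rule in INPUT only, FORWARD left at policy ACCEPT."""
    return traverse(p, NAT_PREROUTING, [BLOCK_HOST], [])


def verdict_with_forward(p: Packet) -> Tuple[str, str, Packet]:
    """Fixed setup: same block rule also appended to FORWARD."""
    return traverse(p, NAT_PREROUTING, [BLOCK_HOST], [BLOCK_HOST])


if __name__ == "__main__":
    for name, fn in (("INPUT only", verdict_input_only), ("INPUT + FORWARD", verdict_with_forward)):
        for label, pkt in (("http", HTTP_FROM_BAD_HOST), ("ssh", SSH_FROM_BAD_HOST)):
            chain, verdict, out = fn(pkt)
            print(f"{name:16} {label}: decided in {chain}, {verdict}, dst now {out.dst}:{out.dport}")
```

In iptables terms the fix is to keep the existing INPUT rule and add the same match to FORWARD, i.e. iptables -A FORWARD -i $extint -s $hostip -j DROP. Because the DNAT has already happened by the time FORWARD runs, a rule there that matched on -d $extip would never fire; matching on the source address and incoming interface, as the original rule does, works in both chains.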