From: Claus Regelmann <claus.regelmann@inka.de>
To: Daniel Chemko <dchemko@smgtec.com>
Cc: netfilter@lists.netfilter.org, blueflux@koffein.net
Subject: Re: Filter in POSTROUTING
Date: Fri, 12 Sep 2003 00:35:10 +0200
Message-ID: <3F60F89E.7D439592@inka.de>
In-Reply-To: 7C9884991ADAE0479C14F10C858BCDF5122E2E@alderaan.smgtec.com
Hello Daniel,
for me this is not a question of style, but a question of functionality
-- will filtering work correctly in the PRE/POST-ROUTING chain?
Nevertheless thanks for your prompt answer.
Claus
-------------------------------------------------------------
Daniel Chemko wrote:
>
> It is against style to do anything like that in the NAT table. It is
> preferable to do it in the filter table, but if you must be lazy about
> it all, please use the mangle table instead, which does have a valid
> reason to filter certain traffic at times.
>
> The -I is to make sure no matching rules get called before we check that
> we want these packets at all. If you do the ordering yourself, then just
> make sure they are all ordered properly.
>
> iptables -t mangle -I POSTROUTING -o ppp0 -p tcp --dport 137:139 -j DROP
> iptables -t mangle -I POSTROUTING -o ppp0 -p udp --dport 137:139 -j DROP
> iptables -t mangle -I PREROUTING -i ppp0 -p tcp --dport 137:139 -j DROP
> iptables -t mangle -I PREROUTING -i ppp0 -p udp --dport 137:139 -j DROP
>
> -----Original Message-----
> From: Claus Regelmann [mailto:claus.regelmann@inka.de]
> Sent: Thursday, September 11, 2003 2:03 PM
> To: netfilter@lists.netfilter.org; blueflux@koffein.net
> Subject: Filter in POSTROUTING
>
> Hello,
>
> There is a figure in Oskar Andreasson's IPTABLES TUTORIAL (V1.1.19, chap.
> 3.1, pg. 19) where both the forwarded and the local output join the
> postrouting chain.
>
> Why shouldn't it be possible to filter all outgoing e.g. smb traffic from
> a local network at that place with a command like
> >iptables -t nat -A POSTROUTING -o ppp0 -p tcp --dport 137:139 -j DROP
> >iptables -t nat -A POSTROUTING -o ppp0 -p udp --dport 137:139 -j DROP
>
> The same question applies to the PREROUTING chain for input
> >iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 137:139 -j DROP
> >iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 137:139 -j DROP
>
> Thanks
> Claus
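Added example, not code from either message in this thread: the SMB block Claus asks about, written as filter-table rules on INPUT/OUTPUT/FORWARD, which is the table Daniel recommends (the nat table is consulted only for the first packet of a connection, so a DROP there does not filter reliably). WAN_IF, SMB_PORTS and DRY_RUN are assumed variable names; the default DRY_RUN=1 prints the iptables commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread): block NetBIOS/SMB (137:139) in the
# filter table instead of nat POSTROUTING/PREROUTING.
# Assumed names: WAN_IF is the external interface (ppp0 in the thread),
# SMB_PORTS the port range from the thread, DRY_RUN=1 prints instead of runs.

WAN_IF="${WAN_IF:-ppp0}"
SMB_PORTS="${SMB_PORTS:-137:139}"
DRY_RUN="${DRY_RUN:-1}"

# run_rule CMD...: print the command (dry run) or execute it.
run_rule() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# smb_filter_rules: emit the full ruleset.
#  - outbound: local output (OUTPUT) and routed LAN traffic (FORWARD) leaving WAN_IF
#  - inbound:  traffic for this host (INPUT) and routed traffic (FORWARD) arriving on WAN_IF
# -I inserts at the top of each chain, so no earlier ACCEPT rule matches first
# (Daniel's point about ordering).
smb_filter_rules() {
    for proto in tcp udp; do
        for chain in OUTPUT FORWARD; do
            run_rule iptables -t filter -I "$chain" -o "$WAN_IF" \
                -p "$proto" --dport "$SMB_PORTS" -j DROP
        done
        for chain in INPUT FORWARD; do
            run_rule iptables -t filter -I "$chain" -i "$WAN_IF" \
                -p "$proto" --dport "$SMB_PORTS" -j DROP
        done
    done
}

# rule_count: number of rules the ruleset produces (dry run, for checking).
rule_count() {
    ( DRY_RUN=1; smb_filter_rules ) | wc -l | tr -d ' '
}

smb_filter_rules
```

Run with DRY_RUN=0 as root to install the rules; with the default it only prints them so they can be reviewed first.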