* travelling the tables and chains...
@ 2005-04-04 2:25 Guido Lorenzutti
2005-04-04 3:30 ` Grant Taylor
2005-04-05 4:28 ` Jason Opperisano
From: Guido Lorenzutti @ 2005-04-04 2:25 UTC (permalink / raw)
To: netfilter
Hi people, I would like to clean up my firewall script by creating new
chains in the filter table. Like this:
iptables -N FORWARD_WAN_TO_LAN
Then, call the traffic in the FORWARD chain:
iptables -A FORWARD -i $WAN -o $LAN -j FORWARD_WAN_TO_LAN
Now how can I discriminate the DNATed packets from that rule? Is it OK if
I MARK them in the PREROUTING chain and create a rule BEFORE in the
FORWARD chain to check if the packet is MARKed, then -j DNATED_WAN_TO_LAN?
Any better ideas?
* Re: travelling the tables and chains...
From: Grant Taylor @ 2005-04-04 3:30 UTC (permalink / raw)
To: Guido Lorenzutti; +Cc: netfilter
If I understand you correctly, you are wanting traffic that is not DNATed to pass through your FORWARD_WAN_TO_LAN chain? If that is the case you should try something like this:
iptables -A FORWARD -i $WAN -o $LAN -m state --state INVALID,NEW,UNTRACKED -j FORWARD_WAN_TO_LAN
iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
This should cause all traffic (if I understand correctly) that is not recognized by DNAT... (as I type this I'm thinking SNAT, but DNAT *may* behave the same way too) ...to be sent to FORWARD_WAN_TO_LAN and any traffic that is recognized by DNAT to be plainly ACCEPTED.
Does anyone else have any comments on this?
Grant. . . .
Guido Lorenzutti wrote:
> Hi people, I would like to clean up my firewall script by creating new
> chains in the filter table. Like this:
>
> iptables -N FORWARD_WAN_TO_LAN
>
> Then, call the traffic in the FORWARD chain:
>
> iptables -A FORWARD -i $WAN -o $LAN -j FORWARD_WAN_TO_LAN
>
> Now how can I discriminate the DNATed packets from that rule? Is it OK if
> I MARK them in the PREROUTING chain and create a rule BEFORE in the
> FORWARD chain to check if the packet is MARKed, then -j DNATED_WAN_TO_LAN?
>
> Any better ideas?
>
* Re: travelling the tables and chains...
From: Jason Opperisano @ 2005-04-05 4:28 UTC (permalink / raw)
To: netfilter
On Sun, Apr 03, 2005 at 11:25:42PM -0300, Guido Lorenzutti wrote:
> Hi people, I would like to clean up my firewall script by creating new
> chains in the filter table. Like this:
>
> iptables -N FORWARD_WAN_TO_LAN
>
> Then, call the traffic in the FORWARD chain:
>
> iptables -A FORWARD -i $WAN -o $LAN -j FORWARD_WAN_TO_LAN
>
> Now how can I discriminate the DNATed packets from that rule? Is it OK if
> I MARK them in the PREROUTING chain and create a rule BEFORE in the
> FORWARD chain to check if the packet is MARKed, then -j DNATED_WAN_TO_LAN?
>
> Any better ideas?
MARK-ing is a pretty decent general-purpose way of keeping track of
where a packet has been. In your case, if you need to find all DNAT-ed
packets, you could use the more specialized:
"-m conntrack --ctstate DNAT"
to match a DNAT-ed packet.
--
"Baby needs to suck ash. Baby needs to suck ash. Not ass, you pervert.
Save it for the interns."
--Family Guy
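As an added example (not code posted by anyone in this thread), here is a firewall-script fragment that combines the original chain layout with Jason's conntrack match so DNAT-ed connections take their own chain. The interface names, LAN prefix and published port are assumptions, and IPT defaults to "echo iptables" so the rule set can be previewed without root.

```sh
#!/bin/sh
# Added example for this thread (not code from any of its participants):
# plain WAN->LAN forwarding stays in FORWARD_WAN_TO_LAN, while connections
# rewritten by DNAT are diverted into DNATED_WAN_TO_LAN using the virtual
# "DNAT" conntrack state instead of a MARK set in PREROUTING.
# Interface names, the LAN prefix and the published port are assumed values.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
# IPT defaults to "echo iptables" so the rules can be previewed without
# root; run with IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

setup_forward_chains() {
    $IPT -N FORWARD_WAN_TO_LAN
    $IPT -N DNATED_WAN_TO_LAN

    # Replies and related traffic never need the per-direction chains.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # A connection rewritten in nat/PREROUTING carries the virtual DNAT
    # conntrack state, so this check must come BEFORE the generic rule.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" \
        -m conntrack --ctstate DNAT -j DNATED_WAN_TO_LAN
    # Everything else from the WAN to the LAN.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -j FORWARD_WAN_TO_LAN

    # Policy for DNAT-ed connections: only the published service (assumed:
    # TCP/80 on the LAN) is accepted; anything else is logged and dropped.
    $IPT -A DNATED_WAN_TO_LAN -d "$LAN_NET" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A DNATED_WAN_TO_LAN -j LOG --log-prefix "DNAT-unpublished: "
    $IPT -A DNATED_WAN_TO_LAN -j DROP
    # Unsolicited, non-DNAT-ed traffic from the WAN gets no further.
    $IPT -A FORWARD_WAN_TO_LAN -j DROP
}

# Dry-run sanity check: how many generated rules contain the given text.
count_rules_matching() {
    setup_forward_chains | grep -c -- "$1"
}

setup_forward_chains
```

Running the script as-is prints the rules; `IPT=iptables sh script.sh` applies them.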