From: Mart Frauenlob
Subject: Re: iptables 1.4.x and xt_recent: my rules have fallen and they can't get up!
Date: Sat, 02 May 2009 11:13:58 +0200
Message-ID: <49FC0ED6.1050102@chello.at>
References: <49FBFDB7.4070204@gmail.com>
In-Reply-To: <49FBFDB7.4070204@gmail.com>
Reply-To: netfilter@vger.kernel.org
To: netfilter@vger.kernel.org

Weedy wrote:
> So apparently this has become illegal, and neither Google nor my own
> playing around has figured out how to update it. Input is most welcome.
>
> + iptables -t nat -A prerouting_rule -i br-lan -p tcp --dport 80 -j REDIRECT --to-port 3128
> + iptables -t nat -A prerouting_rule -p tcp --dport 2020 -m state --state NEW -m recent --name ATTACKER_SSH --rsource --update --seconds 120 --hitcount 5 -j DROP
> iptables v1.4.3.2:
> The "nat" table is not intended for filtering, the use of DROP is
> therefore inhibited.
>
> Try `iptables -h' or 'iptables --help' for more information.
>
> This is an OpenWrt router running the old firewall (not supported or I
> would have asked on their mailing list). I will attach it in case anyone
> wants to give it a quick peek and finds anything terribly
> wrong/outdated (but it does currently work fine).
>
> Thank you for your time.

Hello,

since iptables 1.4.3.2 DROP is prohibited in the nat table.
It actually was never intended to be used for 'filtering'.
Filtering should be done in the 'filter' table (hence the name).
The nat table only 'sees' state NEW connections, hence the --state NEW is obsolete.
Change your rules to DROP / ACCEPT in the filter table.

greets
Mart

P.S. didn't take a look at the attached ruleset...
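A small checker, added here as an example and not part of the thread, that flags the two points Mart raises (a DROP/REJECT target in the nat table, which iptables 1.4.3.2 refuses, and a redundant --state NEW there) and rewrites such a rule for the filter table. The chain name input_rule is an assumed placeholder for whatever filter-table chain the OpenWrt ruleset actually uses.

```python
import shlex

# Constructed sample: the two nat-table rules quoted in the thread above.
SAMPLE_RULES = [
    "iptables -t nat -A prerouting_rule -i br-lan -p tcp --dport 80 "
    "-j REDIRECT --to-port 3128",
    "iptables -t nat -A prerouting_rule -p tcp --dport 2020 -m state --state NEW "
    "-m recent --name ATTACKER_SSH --rsource --update --seconds 120 --hitcount 5 -j DROP",
]
# Terminal filtering targets that iptables 1.4.3.2 and later refuse in the nat table.
FILTER_TARGETS = {"DROP", "REJECT"}

def parse_rule(cmd):
    """Return (table, chain, target, argv) for one 'iptables ...' command line."""
    argv = shlex.split(cmd)
    table, chain, target = "filter", None, None  # iptables defaults to the filter table
    for i, tok in enumerate(argv[:-1]):
        if tok == "-t":
            table = argv[i + 1]
        elif tok in ("-A", "-I"):
            chain = argv[i + 1]
        elif tok == "-j":
            target = argv[i + 1]
    return table, chain, target, argv

def lint_rule(cmd):
    """Return the problems Mart points out; an empty list means nothing to report."""
    table, _, target, argv = parse_rule(cmd)
    findings = []
    if table == "nat" and target in FILTER_TARGETS:
        findings.append(f"{target} in the nat table: refused since iptables 1.4.3.2, "
                        "move the rule to the filter table")
    if table == "nat" and "--state" in argv[:-1] and argv[argv.index("--state") + 1] == "NEW":
        findings.append("nat only sees NEW connections: '-m state --state NEW' is redundant here")
    return findings

def to_filter_rule(cmd, chain):
    """Rewrite a nat-table rule for the filter table, attached to 'chain' (assumed name).
    '--state NEW' is kept: in the filter table it limits the recent hit-count to new connections."""
    out = parse_rule(cmd)[3]
    if "-t" in out:
        i = out.index("-t")
        del out[i:i + 2]                      # drop '-t nat'
    for flag in ("-A", "-I"):
        if flag in out:
            out[out.index(flag) + 1] = chain  # attach to the filter-table chain instead
    return " ".join(out)

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule, lint_rule(rule), to_filter_rule(rule, "input_rule"), sep="\n  ")
```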