From: Mart Frauenlob <mart.frauenlob@chello.at>
To: netfilter@vger.kernel.org
Subject: Re: iptables 1.4.x and xt_recent: my rules have fallen and they can't get up!
Date: Wed, 06 May 2009 19:07:41 +0200
Message-ID: <4A01C3DD.1000900@chello.at>
In-Reply-To: <49FC0ED6.1050102@chello.at>

Mart Frauenlob wrote:
> Weedy wrote:
>> So apparently this has become illegal, and neither Google nor my
>> playing around has figured out how to update it. Input is most welcome.
>>
>> + iptables -t nat -A prerouting_rule -i br-lan -p tcp --dport 80 -j 
>> REDIRECT --to-port 3128
>> + iptables -t nat -A prerouting_rule -p tcp --dport 2020 -m state 
>> --state NEW -m recent --name ATTACKER_SSH --rsource --update 
>> --seconds 120 --hitcount 5 -j DROP
>> iptables v1.4.3.2:
>> The "nat" table is not intended for filtering, the use of DROP is 
>> therefore inhibited.
>>
>> Try `iptables -h' or 'iptables --help' for more information.
>>
>> This is an OpenWrt router running the old firewall (not supported, or I
>> would have asked on their mailing list). I will attach it in case
>> anyone wants to give it a quick peek and finds anything terribly
>> wrong/outdated (but it does currently work fine).
>>
>> Thank you for your time.
> Hello,
>
> Since iptables 1.4.3.2, DROP is prohibited in the nat table.
> It actually was never intended to be used for 'filtering'. Filtering
> should be done in the 'filter' table (hence the name).
> The nat table only 'sees' state NEW connections, hence the --state NEW
> is obsolete.
> Change your rules to DROP / ACCEPT in the filter table.
>
> greets
>
> Mart
>
> P.S. didn't take a look at the attached ruleset...
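An added example (not from the thread or from OpenWrt): the quoted xt_recent rule moved into the filter table as Mart suggests, plus a check that flags the exact combination iptables 1.4.3.2 refuses (a filtering target in the nat table). Port 2020, the 120 s window, hitcount 5 and the ATTACKER_SSH list name come from the quoted rule; placing the rules in the INPUT chain assumes the port 2020 service runs on the router itself.

```shell
#!/bin/sh
# Added example, not part of the thread: the quoted xt_recent rate limit
# moved into the filter table. Port, window, hitcount and list name come
# from the quoted rule; INPUT is an assumption (service on 2020 is
# assumed to run on the router itself).
SSH_PORT=2020
WINDOW=120
HITS=5
LIST=ATTACKER_SSH

# Print the corrected rules instead of running them, so they can be reviewed.
ssh_ratelimit_rules() {
  port=${1:-$SSH_PORT} window=${2:-$WINDOW} hits=${3:-$HITS}
  # Unlike nat, the filter table sees every packet, so --state NEW is needed
  # here to count connection attempts rather than every packet of a session.
  echo "iptables -t filter -A INPUT -p tcp --dport $port -m state --state NEW -m recent --name $LIST --rsource --set"
  # From the hitcount-th new attempt by one source inside the window on, drop.
  echo "iptables -t filter -A INPUT -p tcp --dport $port -m state --state NEW -m recent --name $LIST --rsource --update --seconds $window --hitcount $hits -j DROP"
  echo "iptables -t filter -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
}

# Fail for a rule iptables 1.4.3.2+ refuses: a filtering target in the nat table.
reject_nat_filtering() {
  case " $1 " in
    *" -t nat "*|*" --table nat "*) ;;
    *) return 0 ;;
  esac
  case " $1 " in
    *" -j DROP "*|*" -j REJECT "*|*" --jump DROP "*|*" --jump REJECT "*) return 1 ;;
  esac
  return 0
}

# Run every generated rule through the check before anything is applied.
lint_rules() {
  rules=$(ssh_ratelimit_rules "$@")
  old_ifs=$IFS; IFS='
'
  for rule in $rules; do
    if ! reject_nat_filtering "$rule"; then
      IFS=$old_ifs; echo "refused: $rule" >&2; return 1
    fi
  done
  IFS=$old_ifs
}

lint_rules && ssh_ratelimit_rules
```

Running the script prints the three filter-table rules; piping that output to `sh` as root applies them, and the port-80 REDIRECT rule from the quoted ruleset can stay in nat since REDIRECT is a NAT target.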


Thread overview: 4+ messages
2009-05-02  8:00 iptables 1.4.x and xt_recent: my rules have fallen and they can't get up! Weedy
2009-05-02  9:13 ` Mart Frauenlob
2009-05-06 17:07   ` Mart Frauenlob [this message]
2009-05-05 19:00 ` Weedy