From: Askar Ali Khan <askarali@gmail.com>
To: netfilter <netfilter@lists.netfilter.org>
Subject: Re: droping in forward/postrouting
Date: Sat, 31 Jul 2004 17:27:13 +0500
Message-ID: <a0f69e504073105276e10d9d3@mail.gmail.com>
In-Reply-To: <200407310848.28840.Antony@Soft-Solutions.co.uk>

On Sat, 31 Jul 2004 08:48:28 +0100, Antony Stone
<antony@soft-solutions.co.uk> wrote:
> On Friday 30 July 2004 7:15 am, Askar Ali Khan wrote:
> 
> > Hi,
> > I dunno, but the filter table "FORWARD" is not blocking/dropping any of these
> > sites. Actually these are spywares, a gift from windowz, and the reason I want to
> > drop these dirty shits is that they consume a lot of my precious bandwidth
> > ("dialup") ;)
> >
> > iptables -I FORWARD -s 0/0 -d 66.35.229.0/24 -j DROP
> > iptables -I FORWARD -s 0/0 -d  212.4.208.105 -j DROP
> > iptables -I FORWARD -s 0/0 -d 66.35.229.185 -j DROP
> > iptables -I FORWARD -s 0/0 -d  64.152.73.0/24 -j DROP
> > iptables -I FORWARD -s 0/0 -d  66.35.229.236 -j DROP
> >
> > However PREROUTING do working and dropping it :)
> >
> > iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.0/24 -j DROP
> > iptables -t nat -I PREROUTING -s 0/0 -d  212.4.208.105 -j DROP
> > iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.185 -j DROP
> > iptables -t nat -I PREROUTING -s 0/0 -d  64.152.73.0/24 -j DROP
> > iptables -t nat -I PREROUTING -s 0/0 -d  66.35.229.236 -j DROP
> 
> Do you have both these sets of rules in your ruleset at the same time?
No, one at a time. I hash (#) the appropriate rules.
> 
> If so, then packets which are DROPped in the PREROUTING chain will never make
> it to the FORWARD chain (because they've been DROPped), therefore the FORWARD
> rules will never see anything to DROP.
> 
> Try changing both targets from DROP to LOG, and see if the packets go through
> both chains as expected.
> 
> Also, of the five rules you've listed, two are pointless, as the addresses
> 66.35.229.185 and 66.35.229.236 both fall within the first /24 range
> specified and will therefore be caught by the first rule.
> 
> If, on the other hand, you're saying that putting the rules above into
> PREROUTING does DROP the packets, but removing them from PREROUTING and
> putting them into FORWARD instead does not DROP the packets, then show us the
> rest of your PREROUTING ruleset, as you may be changing the destination
> address before the packets reach FORWARD?
Yeah, it drops the packets in PREROUTING, however it is not dropping the
same when I try with FORWARD.
Here are my PREROUTING rules (the 1st one is from POSTROUTING):

> 
> Regards,
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -d 0/0  -j MASQUERADE

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

######## USING filter table chain FORWARD ########### not working :D
#iptables -I FORWARD -s 0/0 -d 66.35.229.0/24 -j DROP
#iptables -I FORWARD -s 0/0 -d  212.4.208.105 -j DROP
#iptables -I FORWARD -s 0/0 -d 66.35.229.185 -j DROP
#iptables -I FORWARD -s 0/0 -d  64.152.73.0/24 -j DROP
#iptables -I FORWARD -s 0/0 -d  66.35.229.236 -j DROP
#iptables -I FORWARD -s 0/0 -d  64.157.165.181 -j DROP
#iptables -I FORWARD -s 0/0 -d  66.35.229.153 -j DROP
#iptables -I FORWARD -s 0/0 -d 64.157.165.249 -j DROP
#iptables -I FORWARD -s 0/0 -d  66.35.229.175 -j DROP
##########
######### Using PREROUTING ############## working
iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.0/24 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d  212.4.208.105 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.185 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d  64.152.73.0/24 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d  66.35.229.236 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 64.152.73.174 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d  64.157.165.181 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d  66.35.229.153 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d  64.152.73.207 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 64.157.165.249 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 64.152.73.185 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d  66.35.229.175 -j DROP
###############
See, I hashed the FORWARD rules because they were not dropping packets.

> 
> Antony.
Regards,
Askar
> 
> --
> I think, therefore I am.
> I'm pink, therefore I'm Spam.
> I drink, therefore I think I am.
> 
>                                                     Please reply to the list;
>                                                           please don't CC me.
> 
>
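Added example (not part of the thread, not Askar's or Antony's ruleset): a small POSIX sh rule generator for the diagnostic Antony proposes. It takes the destination list from the thread, drops the entries that are already covered by a wider prefix in the same list (Antony's point about 66.35.229.185 and 66.35.229.236 falling inside 66.35.229.0/24), and emits matching LOG rules for both nat PREROUTING and filter FORWARD so the kernel log shows which chain actually sees each packet. It only prints the iptables commands; nothing here needs root. The log prefixes `spy-pre:` and `spy-fwd:` are assumed names. The prefix-containment check is generalised to any IPv4 prefix length, not just the /24 on the page. What such logs would reveal in Askar's case is that the `REDIRECT --to-port 3128` rule in nat PREROUTING rewrites the destination of every tcp/80 packet to the local proxy before routing, so those packets are delivered locally via INPUT and never traverse FORWARD at all, which is exactly the "changing the destination address before the packets reach FORWARD" that Antony asks about.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates LOG-based
# diagnostic rules for nat PREROUTING and filter FORWARD, after removing
# destinations already covered by a wider prefix in the same list.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    echo "$1" | {
        IFS=. read -r o1 o2 o3 o4
        echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    }
}

# Prefix length of "a.b.c.d/n"; a bare address counts as /32.
prefix_len() {
    case $1 in
        */*) echo "${1#*/}" ;;
        *)   echo 32 ;;
    esac
}

# Return 0 if $2 (address or CIDR) lies entirely inside $1 (CIDR).
covers() {
    nbits=$(prefix_len "$1")
    tbits=$(prefix_len "$2")
    [ "$tbits" -ge "$nbits" ] || return 1
    [ "$nbits" -eq 0 ] && return 0
    mask=$(( (0xFFFFFFFF << (32 - nbits)) & 0xFFFFFFFF ))
    net=$(ip_to_int "${1%/*}")
    tgt=$(ip_to_int "${2%/*}")
    [ $(( net & mask )) -eq $(( tgt & mask )) ]
}

# Print, one per line, every destination not covered by another entry
# in the list. When two entries describe the same network, only the
# first one is kept.
dedupe_dests() {
    i=0
    for x in "$@"; do
        i=$((i + 1))
        keep=1
        j=0
        for y in "$@"; do
            j=$((j + 1))
            [ "$i" -eq "$j" ] && continue
            if covers "$y" "$x"; then
                # Mutual coverage means same network: keep the earlier one.
                if covers "$x" "$y" && [ "$j" -gt "$i" ]; then
                    continue
                fi
                keep=0
                break
            fi
        done
        [ "$keep" -eq 1 ] && echo "$x"
    done
    return 0
}

# Emit a LOG rule pair per surviving destination. Matching log lines
# prefixed spy-pre: but not spy-fwd: show packets that were diverted
# (for example by a REDIRECT in nat PREROUTING) before reaching FORWARD.
gen_log_rules() {
    dedupe_dests "$@" | while read -r d; do
        echo "iptables -t nat -I PREROUTING -d $d -j LOG --log-prefix 'spy-pre: '"
        echo "iptables -I FORWARD -d $d -j LOG --log-prefix 'spy-fwd: '"
    done
}

# Usage with the destinations from the thread (constructed invocation):
gen_log_rules 66.35.229.0/24 212.4.208.105 66.35.229.185 64.152.73.0/24 \
    66.35.229.236 64.152.73.174 64.157.165.181 66.35.229.153 \
    64.152.73.207 64.157.165.249 64.152.73.185 66.35.229.175
```

Run it with `sh` and pipe the output into a root shell once the generated rules look right; the LOG target does not alter packet flow, so both chains stay observable while the test runs, and the rules can then be switched back to DROP in whichever chain the logs prove is on the packet's path.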