* Re: dropping in forward/postrouting
@ 2004-07-29 15:54 richardo
[not found] ` <a0f69e504072913084fc39ee8@mail.gmail.com>
0 siblings, 1 reply; 8+ messages in thread
From: richardo @ 2004-07-29 15:54 UTC (permalink / raw)
To: Askar Ali Khan; +Cc: netfilter
Hi Askar,
This is a filtering rule, and so, in my opinion, this should be in the
filter table, i.e. FORWARD.
Regards,
Richard.
Richard Oatridge
Head of IT, Start-global Ltd
http://www.start-global.com
tel : +44 1564 779297
email : richardo@start-global.com
From: Askar Ali Khan <askarali@gmail.com> (sent by netfilter-admin@lists.netfilter.org), 29/07/2004 11:19
To: netfilter <netfilter@lists.netfilter.org>
cc:
Subject: dropping in forward/postrouting
Hi all,
I'm afraid I am here again with a very simple/stupid question :), even
though things are not clear to me yet.
I'm dropping/blocking certain sites, mainly Gator sites, on my
router/firewall for LAN users, using Slackware with kernel 2.4.26.
I'm doing this with the rule below:
$iptables -t nat -A POSTROUTING -s 0/0 -d 212.4.208.105 -j DROP
This is working fine; however, I'm kind of confused whether this is the
proper table/chain for accomplishing this, or whether I may do it with the
FORWARD chain like ...
$iptables -A FORWARD -s 0/0 -d 212.4.208.105 -p tcp -j DROP
Which approach is recommended?
1) nat/POSTROUTING
OR
2) FORWARD
Thanks in advance.
Regards,
Askar
* Re: dropping in forward/postrouting
[not found] ` <a0f69e504072913084fc39ee8@mail.gmail.com>
@ 2004-07-30 6:15 ` Askar Ali Khan
2004-07-31 7:48 ` Antony Stone
2004-07-31 12:11 ` Alejandro Flores
0 siblings, 2 replies; 8+ messages in thread
From: Askar Ali Khan @ 2004-07-30 6:15 UTC (permalink / raw)
To: richardo@start-global.com; +Cc: netfilter
Hi,
I don't know, but the filter table "FORWARD" is not blocking/dropping any of
these sites. Actually these are spyware, a gift from Windows, and the reason
I want to drop these dirty shits is that they consume a lot of my precious
"dialup" bandwidth ;)
iptables -I FORWARD -s 0/0 -d 66.35.229.0/24 -j DROP
iptables -I FORWARD -s 0/0 -d 212.4.208.105 -j DROP
iptables -I FORWARD -s 0/0 -d 66.35.229.185 -j DROP
iptables -I FORWARD -s 0/0 -d 64.152.73.0/24 -j DROP
iptables -I FORWARD -s 0/0 -d 66.35.229.236 -j DROP
However, PREROUTING does work and drops them :)
iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.0/24 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 212.4.208.105 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.185 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 64.152.73.0/24 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.236 -j DROP
Therefore my confusion still exists, as the rule is to filter in the filter
table and to do other things, NATting and mangling, in the nat and mangle
tables respectively.
Then why is FORWARD not blocking these sites while nat PREROUTING does?
I'm in the learning stages of this netfilter thing, and I will greatly
appreciate it if someone clears this up for me :)
Regards,
Askar
On Fri, 30 Jul 2004 02:08:46 +0600, Askar Ali Khan <askarali@gmail.com> wrote:
> Hi Richard,
>
> Thanks for the reply :) Yeah, now it's clear to me: filtering rules must
> go into the filter table, and other things such as NATting or mangling into
> the nat and mangle tables respectively.
>
> Regards,
> Askar
>
> On Thu, 29 Jul 2004 16:54:47 +0100, richardo@start-global.com
> <richardo@start-global.com> wrote:
> >
> > Hi Askar,
> >
> > This is a filtering rule, and so, in my opinion, this should be in the
> > filter table, i.e. FORWARD.
> >
> > Regards,
> > Richard.
> >
> > Richard Oatridge
> > Head of IT, Start-global Ltd
> > http://www.start-global.com
> > tel : +44 1564 779297
> > email : richardo@start-global.com
> >
> > From: Askar Ali Khan <askarali@gmail.com> (sent by netfilter-admin@lists.netfilter.org), 29/07/2004 11:19
> > To: netfilter <netfilter@lists.netfilter.org>
> > cc:
> > Subject: dropping in forward/postrouting
> >
> > Hi all,
> >
> > I'm afraid I am here again with a very simple/stupid question :), even
> > though things are not clear to me yet.
> >
> > I'm dropping/blocking certain sites, mainly Gator sites, on my
> > router/firewall for LAN users, using Slackware with kernel 2.4.26.
> >
> > I'm doing this with the rule below:
> > $iptables -t nat -A POSTROUTING -s 0/0 -d 212.4.208.105 -j DROP
> > This is working fine; however, I'm kind of confused whether this is the
> > proper table/chain for accomplishing this, or whether I may do it with the
> > FORWARD chain like ...
> >
> > $iptables -A FORWARD -s 0/0 -d 212.4.208.105 -p tcp -j DROP
> >
> > Which approach is recommended?
> > 1) nat/POSTROUTING
> > OR
> > 2) FORWARD
> >
> > Thanks in advance.
> >
> > Regards,
> > Askar
* Re: dropping in forward/postrouting
2004-07-30 6:15 ` Askar Ali Khan
@ 2004-07-31 7:48 ` Antony Stone
2004-07-31 12:27 ` Askar Ali Khan
2004-07-31 12:11 ` Alejandro Flores
1 sibling, 1 reply; 8+ messages in thread
From: Antony Stone @ 2004-07-31 7:48 UTC (permalink / raw)
To: netfilter
On Friday 30 July 2004 7:15 am, Askar Ali Khan wrote:
> Hi,
> I don't know, but the filter table "FORWARD" is not blocking/dropping any of
> these sites. Actually these are spyware, a gift from Windows, and the reason
> I want to drop these dirty shits is that they consume a lot of my precious
> "dialup" bandwidth ;)
>
> iptables -I FORWARD -s 0/0 -d 66.35.229.0/24 -j DROP
> iptables -I FORWARD -s 0/0 -d 212.4.208.105 -j DROP
> iptables -I FORWARD -s 0/0 -d 66.35.229.185 -j DROP
> iptables -I FORWARD -s 0/0 -d 64.152.73.0/24 -j DROP
> iptables -I FORWARD -s 0/0 -d 66.35.229.236 -j DROP
>
> However, PREROUTING does work and drops them :)
>
> iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.0/24 -j DROP
> iptables -t nat -I PREROUTING -s 0/0 -d 212.4.208.105 -j DROP
> iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.185 -j DROP
> iptables -t nat -I PREROUTING -s 0/0 -d 64.152.73.0/24 -j DROP
> iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.236 -j DROP
Do you have both these sets of rules in your ruleset at the same time?
If so, then packets which are DROPped in the PREROUTING chain will never make
it to the FORWARD chain (because they've been DROPped), therefore the FORWARD
rules will never see anything to DROP.
Try changing both targets from DROP to LOG, and see if the packets go through
both chains as expected.
Also, of the five rules you've listed, two are pointless, as the addresses
66.35.229.185 and 66.35.229.236 both fall within the first /24 range
specified and will therefore be caught by the first rule.
If, on the other hand, you're saying that putting the rules above into
PREROUTING does DROP the packets, but removing them from PREROUTING and
putting them into FORWARD instead does not DROP the packets, then show us the
rest of your PREROUTING ruleset, as you may be changing the destination
address before the packets reach FORWARD?
Regards,
Antony.
--
I think, therefore I am.
I'm pink, therefore I'm Spam.
I drink, therefore I think I am.
Please reply to the list;
please don't CC me.
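Antony's "two are pointless" observation generalises to a check worth running over any hand-written ruleset. The Python below is an added example, not code from this thread or from the netfilter project: it parses the subset of iptables options the thread uses, replays -A/-I to get the real chain order (a run of -I lines ends up in reverse order, so the /24 rule Askar typed first is actually last in the chain), and reports every rule whose destination, source, protocol and interfaces are already covered by another rule with the same terminating target. The five lines it ships with are Askar's nat/PREROUTING rules; the chain names and addresses are his, the helper names are mine.

```python
"""Flag iptables rules made pointless by another rule with the same target in
the same chain, the redundancy Antony points out for 66.35.229.185 and
66.35.229.236 inside 66.35.229.0/24. Added example, not code from the thread.
It understands only the options the thread uses (-t, -A, -I, -s, -d, -p, -i,
-o, -j), each taking one argument, and works on the command lines themselves,
so it runs offline without root or a kernel. ASKAR_RULES are the five
nat/PREROUTING lines from the thread."""
import ipaddress
import shlex
from typing import Dict, List, Tuple

ASKAR_RULES = """\
iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.0/24 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 212.4.208.105 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.185 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 64.152.73.0/24 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.236 -j DROP
"""

# Only a target that ends the chain walk can make a narrower rule pointless;
# LOG is non-terminating, so both a broad and a narrow LOG rule fire.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}
SIMPLE = {"-t": "table", "-p": "proto", "-i": "iif", "-o": "oif", "-j": "target"}

def to_network(spec: str) -> ipaddress.IPv4Network:
    """iptables accepts short dotted quads such as '0/0'; ipaddress does not,
    so pad the missing octets before parsing."""
    addr, _, mask = spec.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{mask or 32}", strict=False)

def parse_rule(line: str) -> dict:
    """Parse one 'iptables ...' command line into a rule dict."""
    argv = shlex.split(line)
    rule = {"line": line.strip(), "table": "filter", "chain": None, "insert": False,
            "src": to_network("0/0"), "dst": to_network("0/0"),
            "proto": None, "iif": None, "oif": None, "target": None}
    for opt, arg in zip(argv[1::2], argv[2::2]):  # argv[0] is 'iptables'
        if opt in SIMPLE:
            rule[SIMPLE[opt]] = arg
        elif opt in ("-A", "-I"):
            rule["chain"], rule["insert"] = arg, opt == "-I"
        elif opt in ("-s", "-d"):
            rule["src" if opt == "-s" else "dst"] = to_network(arg)
        else:
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
    if rule["chain"] is None or rule["target"] is None:
        raise ValueError(f"no chain or target in {line!r}")
    return rule

def covers(a: dict, b: dict) -> bool:
    """True if every packet matched by rule b is also matched by rule a."""
    for key in ("proto", "iif", "oif"):
        if a[key] is not None and a[key] != b[key]:
            return False
    return a["src"].supernet_of(b["src"]) and a["dst"].supernet_of(b["dst"])

def build_chains(text: str) -> Dict[Tuple[str, str], List[dict]]:
    """Apply the commands in order. -A appends but -I inserts at the top, so a
    run of -I lines ends up in the chain in the reverse of the typed order."""
    chains: Dict[Tuple[str, str], List[dict]] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):  # skip hashed-out rules
            continue
        rule = parse_rule(line)
        chain = chains.setdefault((rule["table"], rule["chain"]), [])
        if rule["insert"]:
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chains

def find_redundant(text: str) -> List[Tuple[str, str]]:
    """Return (redundant_line, covering_line) pairs. A rule is redundant when
    another rule with the same terminating target covers everything it matches:
    an earlier one shadows it, a later one would give the same verdict anyway."""
    found = []
    for chain in build_chains(text).values():
        for j, rule in enumerate(chain):
            if rule["target"] not in TERMINATING:
                continue
            for k, other in enumerate(chain):
                if k == j or other["target"] != rule["target"] or not covers(other, rule):
                    continue
                if k < j or not covers(rule, other):  # identical rules: report the later one
                    found.append((rule["line"], other["line"]))
                    break
    return found

def redundant_destinations(text: str) -> List[str]:
    """Destinations of the redundant rules, sorted, for a quick check."""
    return sorted(str(parse_rule(line)["dst"]) for line, _ in find_redundant(text))

if __name__ == "__main__":
    for line, by in find_redundant(ASKAR_RULES):
        print(f"redundant: {line}\n  covered by: {by}")
```

The check deliberately treats a broader rule that comes later as making the narrower one redundant too: for DROP, ACCEPT or REJECT the verdict is the same either way, so the narrow rule only adds rule-count. It does not say that about LOG or other non-terminating targets, and it raises on options it does not model rather than silently ignoring a match it cannot compare.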
* Re: dropping in forward/postrouting
2004-07-31 7:48 ` Antony Stone
@ 2004-07-31 12:27 ` Askar Ali Khan
0 siblings, 0 replies; 8+ messages in thread
From: Askar Ali Khan @ 2004-07-31 12:27 UTC (permalink / raw)
To: netfilter
On Sat, 31 Jul 2004 08:48:28 +0100, Antony Stone <antony@soft-solutions.co.uk> wrote:
> On Friday 30 July 2004 7:15 am, Askar Ali Khan wrote:
>
> > Hi,
> > I don't know, but the filter table "FORWARD" is not blocking/dropping any of
> > these sites. Actually these are spyware, a gift from Windows, and the reason
> > I want to drop these dirty shits is that they consume a lot of my precious
> > "dialup" bandwidth ;)
> >
> > iptables -I FORWARD -s 0/0 -d 66.35.229.0/24 -j DROP
> > iptables -I FORWARD -s 0/0 -d 212.4.208.105 -j DROP
> > iptables -I FORWARD -s 0/0 -d 66.35.229.185 -j DROP
> > iptables -I FORWARD -s 0/0 -d 64.152.73.0/24 -j DROP
> > iptables -I FORWARD -s 0/0 -d 66.35.229.236 -j DROP
> >
> > However, PREROUTING does work and drops them :)
> >
> > iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.0/24 -j DROP
> > iptables -t nat -I PREROUTING -s 0/0 -d 212.4.208.105 -j DROP
> > iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.185 -j DROP
> > iptables -t nat -I PREROUTING -s 0/0 -d 64.152.73.0/24 -j DROP
> > iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.236 -j DROP
>
> Do you have both these sets of rules in your ruleset at the same time?
No, one at a time; I hash (#) out the appropriate rules.
>
> If so, then packets which are DROPped in the PREROUTING chain will never make
> it to the FORWARD chain (because they've been DROPped), therefore the FORWARD
> rules will never see anything to DROP.
>
> Try changing both targets from DROP to LOG, and see if the packets go through
> both chains as expected.
>
> Also, of the five rules you've listed, two are pointless, as the addresses
> 66.35.229.185 and 66.35.229.236 both fall within the first /24 range
> specified and will therefore be caught by the first rule.
>
> If, on the other hand, you're saying that putting the rules above into
> PREROUTING does DROP the packets, but removing them from PREROUTING and
> putting them into FORWARD instead does not DROP the packets, then show us the
> rest of your PREROUTING ruleset, as you may be changing the destination
> address before the packets reach FORWARD?
Yeah, it drops the packets in PREROUTING, however it does not drop the same
when I try with FORWARD.
Here are my PREROUTING rules (the 1st one is POSTROUTING):
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -d 0/0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
######## USING filter table chain FORWARD ########### not working :D
#iptables -I FORWARD -s 0/0 -d 66.35.229.0/24 -j DROP
#iptables -I FORWARD -s 0/0 -d 212.4.208.105 -j DROP
#iptables -I FORWARD -s 0/0 -d 66.35.229.185 -j DROP
#iptables -I FORWARD -s 0/0 -d 64.152.73.0/24 -j DROP
#iptables -I FORWARD -s 0/0 -d 66.35.229.236 -j DROP
#iptables -I FORWARD -s 0/0 -d 64.157.165.181 -j DROP
#iptables -I FORWARD -s 0/0 -d 66.35.229.153 -j DROP
#iptables -I FORWARD -s 0/0 -d 64.157.165.249 -j DROP
#iptables -I FORWARD -s 0/0 -d 66.35.229.175 -j DROP
##########
######### Using PREROUTING ############## working
iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.0/24 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 212.4.208.105 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.185 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 64.152.73.0/24 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.236 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 64.152.73.174 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 64.157.165.181 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.153 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 64.152.73.207 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 64.157.165.249 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 64.152.73.185 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.175 -j DROP
###############
See, I hashed out the FORWARD rules because they were not dropping packets.
>
> Regards,
>
> Antony.
Regards,
Askar
>
> --
> I think, therefore I am.
> I'm pink, therefore I'm Spam.
> I drink, therefore I think I am.
>
> Please reply to the list;
> please don't CC me.
* Re: dropping in forward/postrouting
2004-07-30 6:15 ` Askar Ali Khan
2004-07-31 7:48 ` Antony Stone
@ 2004-07-31 12:11 ` Alejandro Flores
1 sibling, 0 replies; 8+ messages in thread
From: Alejandro Flores @ 2004-07-31 12:11 UTC (permalink / raw)
To: netfilter
Hi there,
> Hi,
> I don't know, but the filter table "FORWARD" is not blocking/dropping any of
> these sites. Actually these are spyware, a gift from Windows, and the reason
> I want to drop these dirty shits is that they consume a lot of my precious
> "dialup" bandwidth ;)
>
> iptables -I FORWARD -s 0/0 -d 66.35.229.0/24 -j DROP
> iptables -I FORWARD -s 0/0 -d 212.4.208.105 -j DROP
> iptables -I FORWARD -s 0/0 -d 66.35.229.185 -j DROP
> iptables -I FORWARD -s 0/0 -d 64.152.73.0/24 -j DROP
> iptables -I FORWARD -s 0/0 -d 66.35.229.236 -j DROP
>
> However, PREROUTING does work and drops them :)
>
> iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.0/24 -j DROP
> iptables -t nat -I PREROUTING -s 0/0 -d 212.4.208.105 -j DROP
> iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.185 -j DROP
> iptables -t nat -I PREROUTING -s 0/0 -d 64.152.73.0/24 -j DROP
> iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.236 -j DROP
>
> Therefore my confusion still exists, as the rule is to filter in the filter
> table and to do other things, NATting and mangling, in the nat and mangle
> tables respectively.
>
> Then why is FORWARD not blocking these sites while nat PREROUTING does?
If you're using both (drop in prerouting and forward), the packets are
dropped in nat prerouting. You know why? When the packet starts the
'netfilter journey' it goes to:
1. table mangle -> chain PREROUTING
2. table nat -> chain PREROUTING (you're dropping packets here)
(routing decision)
3b. table mangle -> chain FORWARD
4b. table filter -> chain FORWARD
5. table mangle -> chain POSTROUTING
6. table nat -> chain POSTROUTING
Remove the drop in PREROUTING, and change your FORWARD rules to something like:
iptables -A FORWARD -i LAN_IF -o EXT_IF -d spywarez_site/mask -j DROP
You don't have to specify the source if the source is any (-s 0/0).
Regards,
Alejandro Flores
* RE: dropping in forward/postrouting
@ 2004-07-31 23:58 Jason Opperisano
0 siblings, 0 replies; 8+ messages in thread
From: Jason Opperisano @ 2004-07-31 23:58 UTC (permalink / raw)
To: netfilter
> Yeah its Drops the packets in PREROUTING, however not Dropping the
> same while tries with FOWARD.
> here are my PREROUTING rules (1st one is of POSTROUTING)
I think someone already asked this, but I can't remember if I ever saw an answer.
How are you testing that netfilter is not dropping the packets with the FORWARD rules enabled? From the netfilter machine itself? From a machine behind the netfilter machine?
Remember--packets generated locally by the netfilter machine *never* traverse the FORWARD chain.
I notice that you are transparently redirecting to a squid proxy on the same machine as netfilter.
If your tests of the FORWARD rules are from a machine behind netfilter, but you are trying to hit those blocked IP's with a web browser--the request for those web sites are locally generated by the squid proxy on the netfilter machine (see above).
The answer: If you're trying to block port 80 access to those IP's, and are using a transparent redirect to a squid proxy on the same machine as netfilter--your DROP rules need to be in the OUTPUT chain; not the FORWARD chain. Alternatively, you could just use squid to block access to the domain/URL/content-type...but that's a different mailing list...
-j
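Alejandro's numbered hook order and Jason's point about locally generated packets are two halves of the same explanation, and a small model of the 2.4 traversal makes both visible at once. The Python below is an added example, not code from this thread or from netfilter itself: it walks a packet through the mangle/nat/filter hooks in the order Alejandro lists (there is no raw table on 2.4), applies REDIRECT and MASQUERADE the way the nat table does, and records which chains the packet actually entered. The box it models is assumed: LAN 192.168.0.0/24 on eth0 with the firewall at 192.168.0.1, a made-up dial-up address 10.0.0.2 on ppp0, squid on port 3128 as in Askar's REDIRECT rule, and 212.4.208.105 from the thread as the blocked site. The traffic samples are constructed; the function and field names are mine.

```python
"""Model of the 2.4 netfilter hook order (mangle, nat, filter; no raw table), just
enough to show which chains see a given packet. Added example, not code from the
thread. The box is assumed: LAN 192.168.0.0/24 on eth0 with firewall address
192.168.0.1, a made-up dial-up address 10.0.0.2 on ppp0, squid on port 3128 and
212.4.208.105 (from the thread) as the blocked site. Only a connection's first
packet is modelled, which is the one the nat table sees."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

FW_ADDRS = {"eth0": "192.168.0.1", "ppp0": "10.0.0.2"}  # assumed
LAN = ipaddress.ip_network("192.168.0.0/24")            # assumed
BLOCKED = "212.4.208.105"

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    iif: Optional[str] = None  # None: generated by a local process such as squid
    oif: Optional[str] = None  # set by the routing decision

@dataclass
class Rule:
    target: str
    dst: Optional[str] = None
    dport: Optional[int] = None
    iif: Optional[str] = None
    oif: Optional[str] = None
    to_port: Optional[int] = None  # REDIRECT --to-port

    def matches(self, p: Packet) -> bool:
        return ((self.dst is None or ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))
                and self.dport in (None, p.dport) and self.iif in (None, p.iif)
                and self.oif in (None, p.oif))

Ruleset = Dict[Tuple[str, str], List[Rule]]  # (table, chain) -> rules; chain policies ACCEPT

def route(dst: str) -> Optional[str]:
    """Routing decision: output interface, or None if dst is one of our own addresses."""
    if dst in FW_ADDRS.values():
        return None
    return "eth0" if ipaddress.ip_address(dst) in LAN else "ppp0"

def traverse(p: Packet, rules: Ruleset) -> Tuple[str, List[str]]:
    """Return the verdict and the table/chain hooks the packet actually entered."""
    visited: List[str] = []

    def run(hooks, pkt):
        for table, chain in hooks:
            visited.append(f"{table}/{chain}")
            for r in rules.get((table, chain), []):
                if not r.matches(pkt) or r.target == "LOG":  # LOG is non-terminating
                    continue
                if r.target == "DROP":
                    return "DROP", pkt
                if r.target == "REDIRECT":  # DNAT to the incoming interface's address
                    pkt = replace(pkt, dst=FW_ADDRS[pkt.iif], dport=r.to_port)
                elif r.target == "MASQUERADE":  # SNAT to the outgoing interface's address
                    pkt = replace(pkt, src=FW_ADDRS[pkt.oif])
                break  # ACCEPT, REDIRECT and MASQUERADE end this chain
        return "ACCEPT", pkt

    if p.iif is not None:  # arrived on an interface
        v, p = run([("mangle", "PREROUTING"), ("nat", "PREROUTING")], p)
        if v == "DROP":
            return v, visited
        oif = route(p.dst)  # the routing decision sees the DNATed destination
        if oif is None:
            v, p = run([("mangle", "INPUT"), ("filter", "INPUT")], p)
            return ("DROP" if v == "DROP" else "LOCAL"), visited
        v, p = run([("mangle", "FORWARD"), ("filter", "FORWARD")], replace(p, oif=oif))
    else:  # generated by a local process
        v, p = run([("mangle", "OUTPUT"), ("nat", "OUTPUT"), ("filter", "OUTPUT")],
                   replace(p, oif=route(p.dst)))
    if v == "DROP":
        return v, visited
    v, p = run([("mangle", "POSTROUTING"), ("nat", "POSTROUTING")], p)
    return ("DROP" if v == "DROP" else "SENT"), visited

def askar_ruleset(block_in: str) -> Ruleset:
    """Askar's MASQUERADE and squid REDIRECT, plus a DROP for BLOCKED inserted
    at the top (-I) of the chain given as 'table/CHAIN'."""
    rules: Ruleset = {
        ("nat", "PREROUTING"): [Rule("REDIRECT", iif="eth0", dport=80, to_port=3128)],
        ("nat", "POSTROUTING"): [Rule("MASQUERADE", oif="ppp0")],
    }
    table, chain = block_in.split("/")
    rules.setdefault((table, chain), []).insert(0, Rule("DROP", dst=BLOCKED))
    return rules

def verdict(block_in: str, p: Packet) -> Tuple[str, List[str]]:
    return traverse(p, askar_ruleset(block_in))

# Constructed traffic: a LAN browser hitting the blocked site, the request squid
# then makes on its behalf, and LAN traffic the port-80 REDIRECT does not catch.
LAN_HTTP = Packet("192.168.0.10", BLOCKED, 80, iif="eth0")
SQUID_UPSTREAM = Packet("10.0.0.2", BLOCKED, 80)
LAN_HTTPS = Packet("192.168.0.10", BLOCKED, 443, iif="eth0")

if __name__ == "__main__":
    for chain in ("filter/FORWARD", "nat/PREROUTING", "filter/OUTPUT", "nat/POSTROUTING"):
        for name, pkt in (("LAN http", LAN_HTTP), ("squid", SQUID_UPSTREAM), ("LAN https", LAN_HTTPS)):
            v, seen = verdict(chain, pkt)
            print(f"DROP in {chain:16} {name:9} -> {v:5}  via {' '.join(seen)}")
```

Running it reproduces the thread: with the DROP in filter/FORWARD, the LAN browser's packet is redirected in nat/PREROUTING, the routing decision then sees the firewall's own address and sends it through INPUT, so FORWARD never enters the trace, and squid's own connection to the site leaves through OUTPUT and POSTROUTING untouched. The same DROP in nat/PREROUTING fires before the REDIRECT, in filter/OUTPUT it catches squid's upstream request, and in nat/POSTROUTING (Askar's very first rule) it catches it on the way out, which is why those three "worked". Only the port-443 packet, which the REDIRECT leaves alone, is ever dropped by the FORWARD rule.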
* Re: dropping in forward/postrouting
@ 2004-07-30 8:15 richardo
0 siblings, 0 replies; 8+ messages in thread
From: richardo @ 2004-07-30 8:15 UTC (permalink / raw)
To: Askar Ali Khan; +Cc: netfilter
Hi Askar,
This seems a little odd, as the rules below should be dropping the packets
destined for the IPs that are listed.
Are these rules being run on a separate firewall machine from the machines
that you are trying to block? I.e. are the packets to be dropped being
generated on the machine that is doing the filtering?
Regards,
Richard.
Richard Oatridge
Head of IT, Start-global Ltd
http://www.start-global.com
tel : +44 1564 779297
email : richardo@start-global.com
From: Askar Ali Khan <askarali@gmail.com>, 30/07/2004 07:15
To: "richardo@start-global.com" <richardo@start-global.com>
cc: netfilter <netfilter@lists.netfilter.org>
Subject: Re: dropping in forward/postrouting
Hi,
I don't know, but the filter table "FORWARD" is not blocking/dropping any of
these sites. Actually these are spyware, a gift from Windows, and the reason
I want to drop these dirty shits is that they consume a lot of my precious
"dialup" bandwidth ;)
iptables -I FORWARD -s 0/0 -d 66.35.229.0/24 -j DROP
iptables -I FORWARD -s 0/0 -d 212.4.208.105 -j DROP
iptables -I FORWARD -s 0/0 -d 66.35.229.185 -j DROP
iptables -I FORWARD -s 0/0 -d 64.152.73.0/24 -j DROP
iptables -I FORWARD -s 0/0 -d 66.35.229.236 -j DROP
However, PREROUTING does work and drops them :)
iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.0/24 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 212.4.208.105 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.185 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 64.152.73.0/24 -j DROP
iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.236 -j DROP
Therefore my confusion still exists, as the rule is to filter in the filter
table and to do other things, NATting and mangling, in the nat and mangle
tables respectively.
Then why is FORWARD not blocking these sites while nat PREROUTING does?
I'm in the learning stages of this netfilter thing, and I will greatly
appreciate it if someone clears this up for me :)
Regards,
Askar
On Fri, 30 Jul 2004 02:08:46 +0600, Askar Ali Khan <askarali@gmail.com> wrote:
> Hi Richard,
>
> Thanks for the reply :) Yeah, now it's clear to me: filtering rules must
> go into the filter table, and other things such as NATting or mangling into
> the nat and mangle tables respectively.
>
> Regards,
> Askar
>
> On Thu, 29 Jul 2004 16:54:47 +0100, richardo@start-global.com
> <richardo@start-global.com> wrote:
> >
> > Hi Askar,
> >
> > This is a filtering rule, and so, in my opinion, this should be in the
> > filter table, i.e. FORWARD.
> >
> > Regards,
> > Richard.
> >
> > Richard Oatridge
> > Head of IT, Start-global Ltd
> > http://www.start-global.com
> > tel : +44 1564 779297
> > email : richardo@start-global.com
> >
> > From: Askar Ali Khan <askarali@gmail.com> (sent by netfilter-admin@lists.netfilter.org), 29/07/2004 11:19
> > To: netfilter <netfilter@lists.netfilter.org>
> > cc:
> > Subject: dropping in forward/postrouting
> >
> > Hi all,
> >
> > I'm afraid I am here again with a very simple/stupid question :), even
> > though things are not clear to me yet.
> >
> > I'm dropping/blocking certain sites, mainly Gator sites, on my
> > router/firewall for LAN users, using Slackware with kernel 2.4.26.
> >
> > I'm doing this with the rule below:
> > $iptables -t nat -A POSTROUTING -s 0/0 -d 212.4.208.105 -j DROP
> > This is working fine; however, I'm kind of confused whether this is the
> > proper table/chain for accomplishing this, or whether I may do it with the
> > FORWARD chain like ...
> >
> > $iptables -A FORWARD -s 0/0 -d 212.4.208.105 -p tcp -j DROP
> >
> > Which approach is recommended?
> > 1) nat/POSTROUTING
> > OR
> > 2) FORWARD
> >
> > Thanks in advance.
> >
> > Regards,
> > Askar
* dropping in forward/postrouting
@ 2004-07-29 10:19 Askar Ali Khan
0 siblings, 0 replies; 8+ messages in thread
From: Askar Ali Khan @ 2004-07-29 10:19 UTC (permalink / raw)
To: netfilter
Hi all,
I'm afraid I am here again with a very simple/stupid question :), even
though things are not clear to me yet.
I'm dropping/blocking certain sites, mainly Gator sites, on my
router/firewall for LAN users, using Slackware with kernel 2.4.26.
I'm doing this with the rule below:
$iptables -t nat -A POSTROUTING -s 0/0 -d 212.4.208.105 -j DROP
This is working fine; however, I'm kind of confused whether this is the
proper table/chain for accomplishing this, or whether I may do it with the
FORWARD chain like ...
$iptables -A FORWARD -s 0/0 -d 212.4.208.105 -p tcp -j DROP
Which approach is recommended?
1) nat/POSTROUTING
OR
2) FORWARD
Thanks in advance.
Regards,
Askar
end of thread, other threads:[~2004-07-31 23:58 UTC | newest]
Thread overview: 8+ messages
2004-07-29 15:54 dropping in forward/postrouting richardo
[not found] ` <a0f69e504072913084fc39ee8@mail.gmail.com>
2004-07-30 6:15 ` Askar Ali Khan
2004-07-31 7:48 ` Antony Stone
2004-07-31 12:27 ` Askar Ali Khan
2004-07-31 12:11 ` Alejandro Flores
-- strict thread matches above, loose matches on Subject: below --
2004-07-31 23:58 Jason Opperisano
2004-07-30 8:15 richardo
2004-07-29 10:19 Askar Ali Khan