From: Luca Ferrari
Subject: Re: problem with iptables - wrong rules?
Date: Wed, 14 Jul 2004 10:13:42 +0200
Message-ID: <200407141013.43424.fluca1978@virgilio.it>
References: <200407131850.55496.fluca1978@virgilio.it> <40F4E278.7040108@tid.es>
In-Reply-To: <40F4E278.7040108@tid.es>
Reply-To: fluca1978@virgilio.it
To: linux-admin@vger.kernel.org

On Wednesday 14 July 2004 09:36 Miguel González Castaños's cat walking on the keyboard wrote:
> Hi,
>
> I am not sure what your network architecture is, but I assume this:
>
> You have a LAN (let's call it LAN1) connected to the Internet through
> the Linux firewall (192.168.1.7). This firewall also acts as a router,
> being connected to the 192.168.1.8 router, which is connected to
> different LANs.
>
> With the DROP rule you are blocking packets destined to 192.168.1.8 and
> coming from anywhere (in this case the Internet and LAN1).
>
> I assume that when you say you have NATTED the connection, you have NATTED
> connections from LAN1 to the Internet and maybe connections from the
> other LANs, am I wrong? (Maybe you should give us a picture or more
> details of what you have in your NAT rules.) If so, then LAN1 and the
> other LANs are routed and not natted among them.
>
> Then, you should block destination to network 192.168.2.0, 192.168.4.0,
> etc...

I believe you're right, since I've natted only packets from/to the Internet and not another LAN. Anyway, is there a way using iptables to intercept packets that are going to the 192.168.1.8 router? I'd like to log those packets, but I believe that iptables acts before the kernel routing table, thus it is not easy to intercept those packets. Any idea?
Thanks,
Luca

--
Luca Ferrari, fluca1978@virgilio.it
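One way to log (and, as Miguel suggests, drop) the traffic the firewall forwards toward the LANs behind the 192.168.1.8 router, as an added example that is not from this thread: netfilter's FORWARD chain is traversed after the routing decision, so a rule there only sees packets the firewall actually forwards, and since iptables matches on destination address or outgoing interface rather than on the next-hop router, the rules match the 192.168.2.0/24 and 192.168.4.0/24 networks named in the reply. Assumed: those two /24 networks, the log prefix FW-TO-ROUTER, and a dry-run default that prints the commands unless FW_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original thread. Logs, then drops, packets the
# firewall (192.168.1.7) would forward to the LANs reached via 192.168.1.8.
# Rules go in FORWARD, which netfilter traverses after the routing decision,
# so only forwarded packets are matched; iptables cannot match on the
# next-hop router itself, hence the match on the remote networks.
# Assumptions: remote LANs are 192.168.2.0/24 and 192.168.4.0/24.
set -e

# Dry run by default: print the rules. Run with FW_APPLY=1 (as root) to
# install them with the real iptables binary.
if [ "${FW_APPLY:-0}" = 1 ]; then
    IPTABLES="iptables"
else
    IPTABLES="echo iptables"
fi

# Emit the two rules for one destination network: a rate-limited LOG rule
# (so a flood cannot fill kern.log) with a prefix to grep for, then a DROP.
rules_for_net() {
    net="$1"
    prefix="$2"
    $IPTABLES -A FORWARD -d "$net" -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "$prefix" --log-level info
    $IPTABLES -A FORWARD -d "$net" -j DROP
}

# Install the pair of rules for every LAN behind the 192.168.1.8 router.
install_router_rules() {
    for net in 192.168.2.0/24 192.168.4.0/24; do
        rules_for_net "$net" "FW-TO-ROUTER: "
    done
}

install_router_rules
```

Matching packets then appear in the kernel log with the FW-TO-ROUTER prefix, including the IN/OUT interfaces and SRC/DST addresses that netfilter's LOG target records.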