From: Jan Humme <jan.humme@xs4all.nl>
To: Antony Stone <Antony@Soft-Solutions.co.uk>, netfilter@lists.samba.org
Subject: Re: Re: unexpected problem with DNAT
Date: Wed, 10 Jul 2002 17:49:42 +0200 [thread overview]
Message-ID: <02071017494208.04513@Lms> (raw)
In-Reply-To: <200207101443.g6AEhf812770@vulcan.rissington.net>
On Wednesday 10 July 2002 16:43, Antony Stone wrote:
> On Wednesday 10 July 2002 3:26 pm, Jan Humme wrote:
> > On Wednesday 10 July 2002 16:03, thingstocome@gmx.net wrote:
> > > > I believe it can only be fixed in the filter module somehow, as all
> > > > packets
> > > > travel through the filter module. You may insert a rule to the
> > > > FORWARD chain,
> > > > to block the FTP-traffic from this IP-address; this should take
> > > > immediate effect.
> > > >
> > > > Jan Humme.
> > >
> > > thx for your reply.
> > >
> > > hmm if i would attempt to block the packets of the ftp session inside
> > > the FORWARD chain,
> > > the destination address would already have changed to an address of
> > > LAN_1 ( because of prerouting).
> > >
> > > I think i can't block these packets in the FORWARD chain by checking
> > > their destination address because as you might remember, SNAT (
> > > masquerading) is also used by LAN_1_ADDR,
> > > so some packets of the masquerading sessions do also have destination
> > > address LAN_1_ADDR when they pass the forward chain ( because NAT is
> > > bidirectional), so they would be blocked as well.
>
> The mangle table might be your answer.
>
> Two suggestions:
>
> 1. Create a rule in the PREROUTING mangle table (which is processed before
> the nat table, so you can see the original source addesses) and MARK the
> packets which you want to block, and then out a rule in the FORWARD chain
> to DROP the MARKed packets.
>
> That's the 'proper' way to do it - mangle the packets in the mangle table
> and drop them in the filter table, however the quicker, dirtier but more
> efficient way to do it is:
>
> 2. Create a rule in the PREROUTING mangle table (which is processed before
> the nat table, so you can see the original source addresses) and DROP the
> packets you want to stop.
I don't get it: the source original addresses are only SNATted *after* the
FORWARD chain has already been filtered, there is no need to (ab)use the
mangle chain for this purpose? Or am I misunderstanding something?
So he can directly create one rule in FORWARD chain to drop the packets; but
his problem seems to be that he doesn't know which IP-addresses he wants to
block.
Jan Humme.
next prev parent reply other threads:[~2002-07-10 15:49 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-07-10 12:18 unexpected problem with DNAT thingstocome
2002-07-10 12:50 ` Jan Humme
2002-07-10 14:03 ` thingstocome
2002-07-10 14:26 ` Jan Humme
2002-07-10 14:43 ` Antony Stone
2002-07-10 15:49 ` Jan Humme [this message]
2002-07-10 15:55 ` Antony Stone
2002-07-10 16:53 ` Jan Humme
2002-07-10 17:42 ` Antony Stone
2002-07-10 18:15 ` Jan Humme
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=02071017494208.04513@Lms \
--to=jan.humme@xs4all.nl \
--cc=Antony@Soft-Solutions.co.uk \
--cc=netfilter@lists.samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox