Linux Netfilter discussions
From: Claus Regelmann <claus.regelmann@inka.de>
To: Daniel Chemko <dchemko@smgtec.com>
Cc: netfilter@lists.netfilter.org, blueflux@koffein.net
Subject: Re: Filter in POSTROUTING
Date: Fri, 12 Sep 2003 00:35:10 +0200
Message-ID: <3F60F89E.7D439592@inka.de>
In-Reply-To: 7C9884991ADAE0479C14F10C858BCDF5122E2E@alderaan.smgtec.com

Hello Daniel,

for me this is not a question of style, but a question of functionality
-- will filtering work correctly in the PRE/POST-ROUTING chain?
Nevertheless, thanks for your prompt answer.

Claus
-------------------------------------------------------------
Daniel Chemko wrote:
> 
> It is against style to do anything like that in the NAT table. It is
> preferable to do it in the filter table, but if you must be lazy about
> it all, please use the mangle table instead, which does have a valid
> reason to filter certain traffic at times.
> 
> The -I is to make sure no matching rules get called before we check that
> we want these packets at all. If you do the ordering yourself, then just
> make sure they are all ordered properly.
> 
> iptables -t mangle -I POSTROUTING -o ppp0 -p tcp --dport 137:139 -j DROP
> iptables -t mangle -I POSTROUTING -o ppp0 -p udp --dport 137:139 -j DROP
> iptables -t mangle -I PREROUTING -i ppp0 -p tcp --dport 137:139 -j DROP
> iptables -t mangle -I PREROUTING -i ppp0 -p udp --dport 137:139 -j DROP
> 
> -----Original Message-----
> From: Claus Regelmann [mailto:claus.regelmann@inka.de]
> Sent: Thursday, September 11, 2003 2:03 PM
> To: netfilter@lists.netfilter.org; blueflux@koffein.net
> Subject: Filter in POSTROUTING
> 
> Hello,
> 
> There is a figure in Oskar Andreasson's IPTABLES TUTORIAL (V1.1.19, chap.
> 3.1, pg. 19) where both the forwarded and the local output join the
> POSTROUTING chain.
> 
> Why shouldn't it be possible to filter all outgoing e.g. smb traffic from
> a local network at that place with a command like
> >iptables -t nat -A POSTROUTING -o ppp0 -p tcp --dport 137:139 -j DROP
> >iptables -t nat -A POSTROUTING -o ppp0 -p udp --dport 137:139 -j DROP
> 
> The same question applies to the PREROUTING chain for input
> >iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 137:139 -j DROP
> >iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 137:139 -j DROP
> 
> Thanks
> Claus

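Editor's note on the exchange above. The nat table is consulted only for the packet that creates a new connection; the later packets of that connection never traverse it, so a DROP in nat PREROUTING or POSTROUTING is not a reliable filter, quite apart from style. The mangle table does see every packet, but the conventional and clearest place for the rules in this thread is the filter table: FORWARD and OUTPUT for traffic leaving via ppp0, INPUT and FORWARD for traffic arriving on it. The script below is an added illustration, not code from any of the correspondents or from the tutorial; it assumes the external interface is ppp0 (overridable with WAN_IF), a hypothetical `ipt` wrapper that prints instead of executing when DRY_RUN=1, and root privileges when actually applying.

```shell
#!/bin/sh
# Added example (editor's illustration, not code from the thread).
# Blocks NetBIOS/SMB (tcp and udp 137-139) on the external link in the
# filter table, which sees every packet, instead of the nat table, which
# is only consulted for the first packet of a new connection.
# Assumptions: the external interface is ppp0 (override with WAN_IF),
# and the script runs as root when applying. With DRY_RUN=1 it only
# prints the iptables commands it would run.

WAN_IF="${WAN_IF:-ppp0}"
SMB_PORTS="137:139"

# Run an iptables command, or print it when DRY_RUN=1 (hypothetical wrapper).
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Insert DROP rules for SMB on interface $1 at the head of the filter
# chains, so nothing earlier in the chain can accept the traffic first.
smb_block_rules() {
    for proto in tcp udp; do
        # outbound: LAN hosts routed through us, and the firewall itself
        ipt -I FORWARD -o "$1" -p "$proto" --dport "$SMB_PORTS" -j DROP
        ipt -I OUTPUT  -o "$1" -p "$proto" --dport "$SMB_PORTS" -j DROP
        # inbound: to the firewall, and to hosts behind it
        ipt -I INPUT   -i "$1" -p "$proto" --dport "$SMB_PORTS" -j DROP
        ipt -I FORWARD -i "$1" -p "$proto" --dport "$SMB_PORTS" -j DROP
    done
}

# Number of rules the function would install on interface $1
# (computed in a subshell so DRY_RUN does not leak into a later apply).
smb_rule_count() {
    (DRY_RUN=1; smb_block_rules "$1") | grep -c -- '-j DROP'
}

# Usage: ./smb-block.sh --apply        (as root)
#        DRY_RUN=1 ./smb-block.sh --apply   (print only)
if [ "${1:-}" = "--apply" ]; then
    smb_block_rules "$WAN_IF"
fi
```

Two practical checks after applying: `iptables -L FORWARD -v -n` shows per-rule packet counters, so generating a connection attempt from a LAN host confirms the rule is actually matching; and a dry run with DRY_RUN=1 lets the rule set be reviewed before it touches a remote box. Note that modern SMB also runs directly over tcp/445, which this 2003 thread does not mention; extend the port list if that traffic should be blocked as well.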

Thread overview: 4+ messages
2003-09-11 21:40 Filter in POSTROUTING Daniel Chemko
2003-09-11 22:35 ` Claus Regelmann [this message]
2003-09-12  8:41   ` Oskar Andreasson
  -- strict thread matches above, loose matches on Subject: below --
2003-09-11 21:03 Claus Regelmann
