* How to do nat filtering in 1.4.3.2
From: Jorge Bastos @ 2009-04-22 21:48 UTC
To: netfilter
Hi people,
Previously, in 1.4.2 and older, I used to do some filtering in the nat table;
I saw a warning that this feature was going to be disabled, and in 1.4.3.2
it already is.
In 1.4.2:
--
The "nat" table is not intended for filtering, hence the use of DROP is
deprecated and will permanently be disabled in the next iptables release.
Please adjust your scripts.
--
In 1.4.3.2:
--
iptables -t nat -A PREROUTING -p tcp --dport 1863 -j ACCEPT # msn
iptables -t nat -A PREROUTING -p tcp --dport 5900 -j ACCEPT # vnc
iptables -t nat -I PREROUTING -d 193.164.158.105 -j DROP
iptables -t nat -A PREROUTING -j DROP
iptables v1.4.3.2:
The "nat" table is not intended for filtering, the use of DROP is
therefore inhibited.
--
I use this to allow the users of my Linux machine, acting as a router, to
connect to the outside world only on the ports I want, and to block some
stuff.
How do I do this from now on?
Thanks,
Jorge,
* Re: How to do nat filtering in 1.4.3.2
From: Leonardo Rodrigues @ 2009-04-22 21:59 UTC
To: Jorge Bastos; +Cc: netfilter
Jorge Bastos wrote:
>
> I use this to allow the users of my Linux machine, acting as a router, to
> connect to the outside world only on the ports I want, and to block some
> stuff.
> How do I do this from now on?
>
Now you'll have to do it in the place you should have done it all along:
iptables -t filter -A FORWARD ......
or simply
iptables -A FORWARD
If not specified, -t filter is used.
Your rules are strange.... Usually the default action for the nat table
is ACCEPT. Of course that can be changed, but that would require that
you really understand what you're doing. Your default policy is probably
ACCEPT and, in that case, ACCEPT rules aren't necessary at all.
--
Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT send email
gertrudes@solutti.com.br
My SPAMTRAP, do not email it
* Re: How to do nat filtering in 1.4.3.2
From: Jorge Bastos @ 2009-04-22 22:18 UTC
To: Leonardo Rodrigues; +Cc: netfilter
(sending this a second time because the first message got blocked)
Hmm, well,
I'm doing the ACCEPT for the ports I want to be reachable from the outside
world, and at the end I add a DROP so that the rest of the ports become
unreachable; well, it was working.
In fact I didn't spend much time when I built these rules, and they are
about 5 years old; I'm just checking this because of this new situation.
Going to try the FORWARD chain and report success or not.
Thanks,
Jorge,
PS: Already tested and it works perfectly. I guess this is the place where I
should have put the rules to do NAT filtering from the beginning, correct?
> Jorge Bastos wrote:
>>
>> I use this to allow the users of my Linux machine, acting as a router,
>> to connect to the outside world only on the ports I want, and to block
>> some stuff.
>> How do I do this from now on?
>
> Now you'll have to do it in the place you should have done it all along:
>
> iptables -t filter -A FORWARD ......
>
> or simply
>
> iptables -A FORWARD
>
> If not specified, -t filter is used.
>
> Your rules are strange.... Usually the default action for the nat table
> is ACCEPT. Of course that can be changed, but that would require that
> you really understand what you're doing. Your default policy is probably
> ACCEPT and, in that case, ACCEPT rules aren't necessary at all.
>
> --
> Atenciosamente / Sincerely,
> Leonardo Rodrigues
> Solutti Tecnologia
> http://www.solutti.com.br
>
> My SPAM trap, do NOT send email
> gertrudes@solutti.com.br
> My SPAMTRAP, do not email it
>
* Re: How to do nat filtering in 1.4.3.2
From: Leonardo Rodrigues @ 2009-04-22 22:22 UTC
To: Jorge Bastos; +Cc: netfilter
Jorge Bastos wrote:
> PS: Already tested and it works perfectly. I guess this is the place where I
> should have put the rules to do NAT filtering from the beginning, correct?
>
Absolutely!!! -t filter is the place to filter. -t nat is the place
to do NAT-related stuff, not filtering.
If you want to filter packets coming TO your firewall machine, then
your rules should be in the INPUT chain.
If you want to filter packets going out FROM your firewall machine,
then your rules should be in the OUTPUT chain.
If you want to filter packets passing through your firewall (i.e., getting
routed), then your rules should be in the FORWARD chain. Remember that
packets go and come, so depending on the case, 2 rules are necessary to
fully accept a forwarded packet.
--
Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT send email
gertrudes@solutti.com.br
My SPAMTRAP, do not email it
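As an added example (not part of the thread, not Leonardo's or Jorge's code): Jorge's nat-table PREROUTING rules rewritten in the filter table's FORWARD chain, which is where Leonardo's two replies say router filtering belongs. The ports (1863, 5900) and the blocked destination address come from Jorge's original rules; the interface names, the conntrack rule that covers the return direction (Leonardo's "packets go and come" point) and the rate-limited LOG rule are my assumptions. By default the script only prints the rules; set IPT=iptables to load them.

```shell
#!/bin/sh
# Added example: the nat-table filtering from the thread, rebuilt in the
# filter table's FORWARD chain. Dry run by default: IPT="echo iptables"
# prints the rules; run with IPT=iptables to load them for real.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"   # assumed inside (LAN) interface
WAN_IF="${WAN_IF:-eth0}"   # assumed outside (WAN) interface

forward_rules() {
    # Replies to connections the LAN opened are routed back through FORWARD
    # too. One conntrack rule accepts that return direction for every
    # service, instead of writing a second rule per port.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Blocked destination before any port ACCEPT (Jorge used -I for the
    # same reason: iptables matches rules in order, first match wins).
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -d 193.164.158.105 -j DROP

    # Outbound services the LAN is allowed to reach.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 1863 -j ACCEPT   # msn
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 5900 -j ACCEPT   # vnc

    # Everything else that would be routed is dropped. Log it first (rate
    # limited) so blocked attempts are visible in the kernel log.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    $IPT -A FORWARD -j DROP
}

# Number of rules forward_rules emits in dry-run mode, so the rule set can
# be checked before it is applied.
forward_rule_count() {
    (IPT="echo iptables"; forward_rules) | wc -l | tr -d ' '
}

forward_rules
```

Rule order is the whole point of this layout: the conntrack ACCEPT and the destination DROP sit above the port ACCEPTs, and the final `-j DROP` is what replaces Jorge's `-t nat -A PREROUTING -j DROP`. Filtering here instead of in PREROUTING also keeps the nat table free to do only address translation, as the 1.4.3.2 error message intends.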
* Re: How to do nat filtering in 1.4.3.2
From: Jorge Bastos @ 2009-04-22 22:26 UTC
To: Leonardo Rodrigues; +Cc: netfilter
> Absolutely!!! -t filter is the place to filter. -t nat is the place
> to do NAT-related stuff, not filtering.
>
> If you want to filter packets coming TO your firewall machine, then
> your rules should be in the INPUT chain.
>
> If you want to filter packets going out FROM your firewall machine,
> then your rules should be in the OUTPUT chain.
>
> If you want to filter packets passing through your firewall (i.e., getting
> routed), then your rules should be in the FORWARD chain. Remember that
> packets go and come, so depending on the case, 2 rules are necessary to
> fully accept a forwarded packet.
For packets going to the machine, I am already using the INPUT chain.
My confusion was about filtering in the nat table, but now I'm clear, thanks
to you :)