* OUTPUT: nat after filter (2nd nat). Please help :(
@ 2013-05-14 4:35 krzf83@gmail.com
2013-05-14 5:30 ` Vigneswaran R
0 siblings, 1 reply; 3+ messages in thread
From: krzf83@gmail.com @ 2013-05-14 4:35 UTC (permalink / raw)
To: netfilter
According to graph at wikipedia
(http://imageshack.us/scaled/thumb/29/iptablesb.png) in OUTPUT nat
table is processed before AND after filter (2 times). I want to
utilize this second time:
iptables -t filter -A OUTPUT -d 1.2.3.4 -j DROP
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner abc -j DNAT --to
127.0.0.1:121
Does not work because nat is executed befure filter.
iptables -t filter -A OUTPUT -d 1.2.3.4 -J DROP
iptables -t filter -A OUTPUT -m owner --uid-owner abc -j CONNMARK
--set-mark 0x1234
iptables -t nat -A OUTPUT -p tcp -m connmark --mark 0x1234 -j DNAT
--to 127.0.0.1:121
I think that should work. It does not. What am I missing? Please help :(
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: OUTPUT: nat after filter (2nd nat). Please help :(
2013-05-14 4:35 OUTPUT: nat after filter (2nd nat). Please help :( krzf83@gmail.com
@ 2013-05-14 5:30 ` Vigneswaran R
[not found] ` <CAJ1PRSnzBFnjd5hQbzVs0u2CSBH5ZfwmtUN05+DhvjrDmxWbqA@mail.gmail.com>
0 siblings, 1 reply; 3+ messages in thread
From: Vigneswaran R @ 2013-05-14 5:30 UTC (permalink / raw)
To: krzf83@gmail.com; +Cc: netfilter
On 05/14/2013 10:05 AM, krzf83@gmail.com wrote:
> According to graph at wikipedia
> (http://imageshack.us/scaled/thumb/29/iptablesb.png) in OUTPUT nat
> table is processed before AND after filter (2 times). I want to
> utilize this second time:
>
> iptables -t filter -A OUTPUT -d 1.2.3.4 -j DROP
> iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner abc -j DNAT --to
> 127.0.0.1:121
>
> Does not work because nat is executed befure filter.
>
> iptables -t filter -A OUTPUT -d 1.2.3.4 -J DROP
> iptables -t filter -A OUTPUT -m owner --uid-owner abc -j CONNMARK
> --set-mark 0x1234
> iptables -t nat -A OUTPUT -p tcp -m connmark --mark 0x1234 -j DNAT
> --to 127.0.0.1:121
>
> I think that should work. It does not. What am I missing? Please help :(
It seems, the two nat tables you are talking about are from different
chains (OUTPUT, POSTROUTING). The order of packet flow between these
tables will be like the following,
OUTPUT nat --> OUTPUT filter --> POSTROUTING nat
So, if you want to filter the packets before nat you can do the following,
iptables -t filter -A OUTPUT -d 1.2.3.4 -J DROP
iptables -t nat -A POSTROUTING -p tcp -m owner --uid-owner abc -j DNAT --to
127.0.0.1:121
I found the following simplified iptables diagram useful for beginners.
<http://pritambaral.com/wp-content/uploads/2012/05/iptables.png>
Regards,
Vignesh
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-05-14 6:07 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-05-14 4:35 OUTPUT: nat after filter (2nd nat). Please help :( krzf83@gmail.com
2013-05-14 5:30 ` Vigneswaran R
[not found] ` <CAJ1PRSnzBFnjd5hQbzVs0u2CSBH5ZfwmtUN05+DhvjrDmxWbqA@mail.gmail.com>
2013-05-14 6:07 ` Vigneswaran R
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
