On Sun, 2011-02-13 at 00:08 +0000, Bhasker C V wrote: 
> Thanks Steven for the reply.
> 
> On Sun, 13 Feb 2011, Steven wrote:
> 
> > Hi
> >
[...] 
> >
> > What I do is use the PREROUTING table to set up the general forwarding,
> > and use the FORWARDING and INPUT tables to actually allow or block
> > traffic. A rule for PREROUTING could be this:
> > iptables -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP -m multiport
> > --destination-port 20,21,22,80 -j DNAT --to-destination $WEBSERVER
> 
> So if I am blocking an IP from entering, I have to do it both in the input 
> chain and also in the FORWARDING chain so that wherever it gets hit, it 
> will be dropped. Thanks, I will do the same.

It is not always necessary to block on 2 levels, as the chains are
complementary and the first matching rule is used.
For instance when using DNAT in the PREROUTING, the packet will still
flow through the FORWARDING chain (or the INPUT, depending on the
destination in the DNAT rule).

In case you only want to specify the DNAT when the packet is coming from
a specific machine, and direct other traffic to the firewall/gateway
machine (INPUT chain), you do need to specify the DNAT rule more
specifically with a -s parameter (source), but a DROP or ACCEPT rule
shouldn't be placed in the PREROUTING chain IMHO.

> >
> > In this case forwarding ftp, ssh and http ports.
> > The forwarding and input tables should be used to block unwanted traffic
> > (or allow wanted traffic).
> >
> > iptables -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
> > allows everything from outside to be forwarded to the internal lan in
> > this case.
> >
> > An advice is to limit the rules to the smallest possible match, not
> > allowing anything to slip by that was unintended.
> Yes, I usually allow the needed IPs and block all others in a plain DROP 
> rule. Thanks again.

It is possible to set defaults for chains. Personally I don't use a
plain DROP rule at the end of the chain, but set the default to DROP
(first line in my configuration scripts); any packet that doesn't match
an earlier rule will hit that default.
iptables -P INPUT DROP
And the same for the OUTPUT and FORWARD chains, but I don't think it is
generally wrong to do it your way.
However it might be easier in complex setups when defining your own
chains and using the RETURN target (at this point I'm just speculating).

> >
[...] 
> 

Kind regards,
Steven
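The layout discussed in this thread (default DROP policies set first, a DNAT in nat/PREROUTING narrowed with -s, and FORWARD rules that match only the translated traffic rather than a blanket `-i $EXTIF -o $INTIF -j ACCEPT`), written out as an added example; it is not code from the thread or from either poster. Interface names and addresses are constructed placeholders, and IPT defaults to echoing the commands so the ruleset can be inspected without root.

```shell
#!/bin/sh
# Added example (not from the thread): the ruleset described above.
# Defaults DROP on every chain, a DNAT limited with -s, and FORWARD
# rules that match only the intended traffic.
# All addresses and interface names are constructed placeholders.
EXTIF=eth0
INTIF=eth1
EXTIP=203.0.113.10        # constructed: the gateway's public address
WEBSERVER=192.168.1.20    # constructed: internal host receiving the DNAT
TRUSTED=198.51.100.7      # constructed: the only source allowed to the DNAT

# IPT defaults to "echo iptables" so the script prints the rules instead
# of loading them; run with IPT=iptables (as root) to apply them.
IPT=${IPT:-"echo iptables"}

build_rules() {
    # 1. Defaults first: anything that matches no later rule is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # 2. Keep already-accepted connections (and their replies) flowing.
    $IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. DNAT only from the trusted source; everything else sent to $EXTIP
    #    stays with the gateway and is judged by the INPUT chain.
    $IPT -t nat -A PREROUTING -i "$EXTIF" -s "$TRUSTED" -d "$EXTIP" \
        -p tcp -m multiport --dports 22,80 -j DNAT --to-destination "$WEBSERVER"

    # 4. FORWARD sees the packet after DNAT, so match the internal address,
    #    not $EXTIP, and only the ports that were translated.
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -s "$TRUSTED" -d "$WEBSERVER" \
        -p tcp -m multiport --dports 22,80 -m conntrack --ctstate NEW -j ACCEPT

    # 5. Let the LAN out; the default DROP already covers the reverse path.
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
}

# Count generated rules matching a pattern (used to check the ruleset).
count_rules() {
    build_rules | grep -c -- "$1"
}

build_rules
```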


-- 
Archive: http://lists.debian.org/1297602157.6805.16.ca...@pc-steven.lan