On Monday 04 November 2002 8:46 pm, Carlos Façanha wrote:
> I have a Linux box used as NAT server and firewall. All
> requests on its port 80 are forwarded to a local webserver
> inside my network. I want to block access to all services
> including http from a specific external host.
>
> I'm using the following rule to block the host
>
> iptables -A INPUT -i $extint -s $hostip -j DROP
>
> and this one to do the NAT
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -d $extip -j
> DNAT --to $webserverip:80
>
> The problem is that the host is blocked from accessing all
> services but http. I've already checked if there are any
> rules before that ACCEPT the request. It seems that prerouted
> packets are bypassing the INPUT chain.
>
> Is it correct? If not, what am I doing wrong?

It is correct that routed packets bypass the INPUT chain. Only packets destined for the firewall machine go through INPUT - packets which are going somewhere else go through FORWARD.

Therefore put your blocking rule in the FORWARD chain instead and it should do what you want.

Antony.

-- 
If the human brain were so simple that we could understand it, we'd be so simple that we couldn't.
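A rule set that applies Antony's answer, added here as an example and not part of the original thread. It keeps the INPUT rule (which still protects services on the firewall itself) and adds a matching DROP in FORWARD, placed before the ACCEPT that lets the DNATed web traffic through. The interface name and the three addresses are assumed placeholders; the script prints the commands by default (DRY_RUN=1) and only calls iptables when DRY_RUN=0. Note that FORWARD runs after PREROUTING, so by the time a DNATed packet reaches it the destination is already the internal web server address; matching on the source is what blocks the host.

```shell
#!/bin/sh
# Added example, not from the original thread. The interface and addresses
# below are assumed values; override them from the environment.
extint=${extint:-eth0}                      # assumed external interface
extip=${extip:-203.0.113.10}                # assumed external address
webserverip=${webserverip:-192.168.1.20}    # assumed internal web server
hostip=${hostip:-198.51.100.7}              # assumed host to block
DRY_RUN=${DRY_RUN:-1}

# Print the rule instead of applying it unless DRY_RUN=0, so the set can be
# reviewed (and ordering checked) before it touches a live firewall.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # INPUT only sees packets addressed to the firewall itself, so this rule
    # blocks the host from ssh, local web admin, etc. on the box.
    ipt -A INPUT -i "$extint" -s "$hostip" -j DROP

    # Forwarded packets, including the DNATed port-80 traffic, traverse
    # FORWARD, not INPUT. Match on source: the destination was already
    # rewritten to $webserverip in nat/PREROUTING.
    ipt -A FORWARD -i "$extint" -s "$hostip" -j DROP

    # DNAT inbound port 80 on the external address to the internal web server.
    ipt -t nat -A PREROUTING -i "$extint" -p tcp -d "$extip" --dport 80 \
        -j DNAT --to-destination "$webserverip:80"

    # Let everyone else's rewritten web traffic through. This must come after
    # the FORWARD DROP above, since iptables stops at the first match.
    ipt -A FORWARD -i "$extint" -p tcp -d "$webserverip" --dport 80 -j ACCEPT
}

build_rules
```

Run it once with DRY_RUN=1 to review the output, then DRY_RUN=0 as root to apply. Rule order matters in FORWARD: the DROP for the blocked host has to precede the ACCEPT for port 80, otherwise that host's web requests match the ACCEPT first, which is the same first-match behaviour Carlos was checking for in INPUT.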