On Fri 21/03/2003 at 15:53, SBlaze wrote:
> # iptables -A INPUT -p udp -i eth0 -m state --state NEW,INVALID -j DROP
> # iptables -A INPUT -p udp -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # CounterStrike NAT Line
> #
> iptables -t nat -A PREROUTING -p udp --dport 27015 -i eth0 -j DNAT --to-destination 192.168.1.25:27015
>
> Ok the UDP filters physically come before my CounterStrike line. In reading
> Oskar's tutorial I was under the impression that the nat tables rules took
> precedence before the filter tables....

They have. Moreover, there's no filter chain at NF_IP_PRE_ROUTING hook.

> However the UDP rules drop the incoming CS requests before they are
> prerouted... What gives?

Once your packet has been handled by NAT stuff, it has to be authorized by filter stuff.

In your ruleset, two things are quite strange to me.

First, your filtering rules are in INPUT chain. As far as I understand your point, you are trying to nat CS stuff to an internal host. So packets will get routed, and so have to be filtered in FORWARD chain.

Second, you drop packets with state NEW. If you do so, no one will be able to connect.

-- 
Cédric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
IT systems and networks security expert - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
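As an added illustration (not code from the thread), a small Python model of the traversal the reply describes: nat PREROUTING rewrites the destination first, the routing decision then sends the packet to INPUT or FORWARD, and only there is the conntrack state matched. The firewall's own address 203.0.113.1 and the DROP chain policies are constructed assumptions; 192.168.1.25 and the rules come from the thread.

```python
# Constructed model of netfilter hook order for one inbound UDP packet.
# Hook and state names are real; the addresses/policies below are assumed.
FIREWALL_IP = "203.0.113.1"   # constructed: the box's own eth0 address
CS_SERVER = "192.168.1.25"    # internal Counter-Strike host from the thread

def dnat_prerouting(pkt, nat_rules):
    """nat PREROUTING runs before any filter chain; first match rewrites dst."""
    for r in nat_rules:
        if (pkt["proto"], pkt["in"], pkt["dport"]) == (r["proto"], r["in"], r["dport"]):
            return {**pkt, "dst": r["to"]}
    return pkt

def filter_chain(pkt, rules, policy):
    """First matching rule gives the verdict; otherwise the chain policy applies."""
    for r in rules:
        if (pkt["proto"] == r["proto"] and pkt["in"] == r["in"]
                and pkt["state"] in r["states"]
                and r.get("dport") in (None, pkt["dport"])
                and r.get("dst") in (None, pkt["dst"])):
            return r["target"]
    return policy

def traverse(pkt, nat_rules, chains, policies):
    """Return (chain consulted, verdict): routing picks INPUT vs FORWARD."""
    pkt = dnat_prerouting(pkt, nat_rules)
    chain = "INPUT" if pkt["dst"] == FIREWALL_IP else "FORWARD"
    return chain, filter_chain(pkt, chains[chain], policies[chain])

# First packet of a Counter-Strike session: conntrack state is NEW.
CS_PKT = {"proto": "udp", "in": "eth0", "dst": FIREWALL_IP, "dport": 27015, "state": "NEW"}
NAT = [{"proto": "udp", "in": "eth0", "dport": 27015, "to": CS_SERVER}]

# Ruleset from the thread: filtering only in INPUT, and NEW dropped there.
ORIGINAL = {
    "INPUT": [{"proto": "udp", "in": "eth0", "states": {"NEW", "INVALID"}, "target": "DROP"},
              {"proto": "udp", "in": "eth0", "states": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"}],
    "FORWARD": [],
}
# Corrected as the reply suggests: DNAT'ed traffic is filtered in FORWARD,
# and NEW must be accepted or the first packet of every session is lost.
FIXED = {
    "INPUT": ORIGINAL["INPUT"],
    "FORWARD": [{"proto": "udp", "in": "eth0", "dst": CS_SERVER, "dport": 27015,
                 "states": {"NEW", "ESTABLISHED", "RELATED"}, "target": "ACCEPT"}],
}
POLICY_DROP = {"INPUT": "DROP", "FORWARD": "DROP"}   # constructed default-deny policies
```

With the original ruleset the DNAT'ed packet never touches INPUT at all; it reaches FORWARD and dies on the chain policy, while a NEW UDP packet addressed to the firewall itself is dropped by the first INPUT rule.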