--- Cedric Blancher <blancher@xxxxxxxxxxxxxxxxxx> wrote:
> On Fri 21/03/2003 at 15:53, SBlaze wrote:
> > # iptables -A INPUT -p udp -i eth0 -m state --state NEW,INVALID -j DROP
> > # iptables -A INPUT -p udp -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > # CounterStrike NAT Line
> > #
> > iptables -t nat -A PREROUTING -p udp --dport 27015 -i eth0 -j DNAT --to-destination 192.168.1.25:27015
> >
> > Ok, the UDP filters physically come before my CounterStrike line. In reading
> > Oskar's tutorial I was under the impression that the nat table's rules took
> > precedence over the filter table's....
>
> They have. Moreover, there's no filter chain at NF_IP_PRE_ROUTING hook.
>
> > However the UDP rules drop the incoming CS requests before they are
> > prerouted... What gives?
>
> Once your packet has been handled by NAT stuff, it has to be authorized
> by filter stuff. In your ruleset, two things are quite strange to me.
>
> First, your filtering rules are in INPUT chain. As far as I understand
> your point, you are trying to nat CS stuff to an internal host. So
> packets will get routed, and so have to be filtered in FORWARD chain.
>
> Second, you drop packets with state NEW. If you do so, no one will be
> able to connect.
>
>
> --
> Cédric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
> IT systems and networks security expert - Cartel Sécurité
> Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
> PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE

That is somewhat correct. What I read in Oskar's tutorial led me to believe that I could preroute the CS requests so that they would in a sense bypass or not pass through the UDP input filters. I am somewhat confused as to why they do?

=====
"No touchy NO TOUCHY! Emperor Kuzko -=Emperor's New Groove=-"
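As an added illustration (not part of either mail, and not a netfilter implementation): a small Python model of the path a packet takes through the hooks Cédric describes. The nat PREROUTING table rewrites the destination first, the routing decision is then made on the translated address, and only after that does a filter chain see the packet, INPUT for the firewall itself or FORWARD for a DNATed host. The model runs the ruleset from the post, a ruleset that filters in FORWARD instead, and a ruleset that drops NEW in FORWARD. The addresses are constructed for the example: 203.0.113.1 is assumed to be the firewall's eth0 address, 192.168.1.1 its LAN address, 198.51.100.7 a client; 192.168.1.25:27015 is the CS server from the post.

```python
"""Toy model of the netfilter path of a DNATed UDP packet (added example)."""
from dataclasses import dataclass, replace as dc_replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    table: str                    # "nat" or "filter"
    chain: str                    # PREROUTING / INPUT / FORWARD
    target: str                   # ACCEPT / DROP / DNAT
    iface: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None     # matched against the *translated* destination
    dport: Optional[int] = None
    states: frozenset = frozenset()   # empty = match any conntrack state
    to: Optional[str] = None      # DNAT target "ip:port"

    def matches(self, pkt, state):
        return (self.iface in (None, pkt.iface) and self.proto in (None, pkt.proto)
                and self.dst in (None, pkt.dst) and self.dport in (None, pkt.dport)
                and (not self.states or state in self.states))


class Firewall:
    def __init__(self, rules, local_addrs, policy):
        self.rules, self.local, self.policy = rules, set(local_addrs), policy
        self.conntrack = {}   # original flow tuple -> DNAT mapping (or None)

    def _chain(self, table, chain):
        # Rule order only matters *within* one table/chain pair; where a nat
        # rule sits relative to filter rules in a script is irrelevant.
        return [r for r in self.rules if r.table == table and r.chain == chain]

    def process(self, pkt):
        trace = []
        key = (pkt.proto, pkt.src, pkt.dst, pkt.dport)
        state = "ESTABLISHED" if key in self.conntrack else "NEW"
        # 1. nat PREROUTING is consulted for the first packet of a flow only;
        #    later packets reuse the mapping conntrack remembered.
        if state == "NEW":
            mapping = next((r.to for r in self._chain("nat", "PREROUTING")
                            if r.target == "DNAT" and r.matches(pkt, state)), None)
        else:
            mapping = self.conntrack[key]
        if mapping:
            ip, port = mapping.split(":")
            pkt = dc_replace(pkt, dst=ip, dport=int(port))
            trace.append(f"nat/PREROUTING DNAT -> {mapping}")
        # 2. routing decision on the translated destination: local -> INPUT,
        #    anything else -> FORWARD. INPUT never sees a DNATed packet.
        chain = "INPUT" if pkt.dst in self.local else "FORWARD"
        trace.append(f"route -> {chain}")
        # 3. filter chain: first matching rule wins, otherwise the chain policy.
        verdict = self.policy[chain]
        for r in self._chain("filter", chain):
            if r.matches(pkt, state):
                verdict = r.target
                break
        trace.append(f"filter/{chain} {verdict} (state {state})")
        if verdict == "ACCEPT":
            self.conntrack[key] = mapping
        return verdict, trace


LOCAL = ["203.0.113.1", "192.168.1.1"]          # assumed firewall addresses
DNAT_CS = Rule("nat", "PREROUTING", "DNAT", iface="eth0", proto="udp",
               dport=27015, to="192.168.1.25:27015")

# The ruleset from the post: state filtering in INPUT, DNAT in PREROUTING.
POSTED = [
    Rule("filter", "INPUT", "DROP", iface="eth0", proto="udp",
         states=frozenset({"NEW", "INVALID"})),
    Rule("filter", "INPUT", "ACCEPT", iface="eth0", proto="udp",
         states=frozenset({"ESTABLISHED", "RELATED"})),
    DNAT_CS,
]
# Filtering where the DNATed traffic actually goes: FORWARD, with the first
# packet of each client flow allowed explicitly and the rest dropped.
FIXED = [
    DNAT_CS,
    Rule("filter", "FORWARD", "ACCEPT", iface="eth0", proto="udp",
         dst="192.168.1.25", dport=27015, states=frozenset({"NEW"})),
    Rule("filter", "FORWARD", "ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("filter", "FORWARD", "DROP"),
]
# Cédric's second point: dropping NEW in the chain the traffic uses blocks
# every connection, since nothing can ever become ESTABLISHED.
NEW_DROPPED = [
    DNAT_CS,
    Rule("filter", "FORWARD", "DROP", iface="eth0", proto="udp",
         states=frozenset({"NEW", "INVALID"})),
    Rule("filter", "FORWARD", "ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
]

CS_PKT = Packet("eth0", "udp", "198.51.100.7", "203.0.113.1", 27015)  # constructed
FW_PKT = Packet("eth0", "udp", "198.51.100.7", "203.0.113.1", 27016)  # constructed


def run(rules, policy, pkts):
    """Push packets through a fresh firewall; returns [(verdict, trace), ...]."""
    fw = Firewall(rules, LOCAL, policy)
    return [fw.process(p) for p in pkts]


if __name__ == "__main__":
    for name, rules, pol in [("posted", POSTED, {"INPUT": "ACCEPT", "FORWARD": "ACCEPT"}),
                             ("fixed", FIXED, {"INPUT": "DROP", "FORWARD": "DROP"}),
                             ("new-dropped", NEW_DROPPED, {"INPUT": "DROP", "FORWARD": "ACCEPT"})]:
        for verdict, trace in run(rules, pol, [CS_PKT, CS_PKT, FW_PKT]):
            print(name, verdict, " | ".join(trace))
```

With the posted ruleset the CS packet is DNATed, routed, and evaluated in FORWARD; the INPUT rules are never consulted for it, so whatever was dropping the game traffic on the real box, it was not those two lines. The only packet they do drop is the one addressed to the firewall itself. In the FORWARD-based ruleset the first packet is accepted by the explicit NEW rule and later packets by the ESTABLISHED rule; in the variant that drops NEW in FORWARD, no packet ever gets through.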