On Wed, 2003-06-04 at 21:53, Cedric Blancher wrote:
> An example... Suppose you implement DNAT. This sits in the PREROUTING chain.
>
> iptables -t nat -A PREROUTING -d $PUB_IP -j DNAT --to $PRIV_IP
>
> How can I filter packets destined to $PUB_IP from those which were
> destined to $PRIV_IP, as they appear the same way in the FORWARD chain?
> Use mark.
>
> iptables -t mangle -A PREROUTING -d $PRIV_IP -j MARK --set-mark 0x01
>
> Then, in the filter table, I do this:
>
> iptables -A FORWARD -m mark --mark 0x01 -j DROP
>
> As I don't want people to access my private IP directly. Doing this, you get
> in the FORWARD chain information that would not be available otherwise.

There are other ways.

iptables -A FORWARD -d $PRIV_IP -m conntrack ! --ctorigdst $PUB_IP -j DROP

--
/Martin
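Both techniques from the thread rely on the same netfilter fact: by the time a packet reaches the filter table's FORWARD chain, DNAT has already rewritten the destination, so `-d $PRIV_IP` alone cannot tell a DNATed packet from one that was addressed to the private IP in the first place. The mark approach works because mangle PREROUTING is traversed before nat PREROUTING, so the MARK rule still sees the original destination; the conntrack approach works because `--ctorigdst` matches the destination recorded in the connection entry before NAT. The ruleset below is an added example, not code from Cedric or Martin, written as a complete iptables-restore file that carries both rules side by side (either alone is sufficient). The addresses, the port 80 service and the DROP policy on FORWARD are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): iptables-restore ruleset for
# a DNAT setup where direct hits on the private IP must be dropped.
# PUB_IP / PRIV_IP are placeholders; override them in the environment.
PUB_IP="${PUB_IP:-203.0.113.10}"   # assumed public address that is DNATed
PRIV_IP="${PRIV_IP:-10.0.0.10}"    # assumed internal server behind the box

# Emit the ruleset. Table order inside the file is irrelevant; what matters
# is hook order on the wire: mangle PREROUTING runs before nat PREROUTING,
# so the MARK rule below still sees the pre-DNAT destination address.
emit_ruleset() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
# A packet that arrives already addressed to the private IP (not DNATed)
# gets mark 0x1. A DNATed packet still has dst=$PUB_IP at this hook.
-A PREROUTING -d $PRIV_IP -j MARK --set-mark 0x1
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d $PUB_IP -j DNAT --to-destination $PRIV_IP
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Approach 1 (mark): drop what mangle tagged as a direct hit on $PRIV_IP.
-A FORWARD -m mark --mark 0x1 -j DROP
# Approach 2 (conntrack): drop anything forwarded to $PRIV_IP whose
# original, pre-NAT destination was not $PUB_IP. Either rule suffices.
-A FORWARD -d $PRIV_IP -m conntrack ! --ctorigdst $PUB_IP -j DROP
# Only what survived the guards above, i.e. traffic DNATed from $PUB_IP,
# is allowed to open a new connection to the assumed web service.
-A FORWARD -d $PRIV_IP -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Self-check when editing the file: number of independent FORWARD rules
# that block direct access to PRIV_IP (expected: 2, one per approach).
count_guards() {
    emit_ruleset | grep -c -e '-m mark --mark 0x1 -j DROP' -e '! --ctorigdst'
}

# Parse-only validation; drop --test to load the rules for real (needs root).
check_ruleset() {
    emit_ruleset | iptables-restore --test
}

case "${1:-}" in
    apply) emit_ruleset | iptables-restore ;;
    check) check_ruleset ;;
    *)     emit_ruleset ;;
esac
```

Run it with no argument to print the ruleset, `check` to have iptables-restore parse it without loading, and `apply` (as root) to load it. Note that the conntrack rule also drops LAN hosts that forward to `$PRIV_IP` directly, since their connection's original destination is the private address too; if that is not wanted, restrict the rule with `-i` to the external interface.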