Re: Question about nfmark


On Wed, 2003-06-04 at 21:53, Cedric Blancher wrote:

> An example... Suppose you implement DNAT. This sits in PREROUTING chain.
> 
> 	iptables -t nat -A PREROUTING -d $PUB_IP -j DNAT --to $PRIV_IP
> 
> How can I filter packets destined to $PUB_IP from those which were
> destined to $PRIV_IP as they appear the same way in the FORWARD chain ?
> Use mark.
> 
> 	iptables -t mangle -A PREROUTING -d $PRIV_IP -j MARK --set-mark 0x01
> 
> Then, in filter table, I do this :
> 
> 	iptables -A FORWARD -m mark --mark 0x01 -j DROP
> 
> As I don't want people to access my private IP directly. Doing this, you get in
> the FORWARD chain information that would not be available otherwise.

There are other ways.

iptables -A FORWARD -d $PRIV_IP -m conntrack ! --ctorigdst $PUB_IP -j DROP

-- 
/Martin
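The point both posters rely on is that conntrack records the original destination before the nat table rewrites it, so FORWARD sees two packets with the same -d but different conntrack state. The following toy model of that PREROUTING ordering (conntrack, then mangle, then nat DNAT) is an added illustration written for this archive page, not netfilter code and not code from either poster; the addresses 203.0.113.10 and 10.0.0.10 are constructed placeholders for $PUB_IP and $PRIV_IP.

```python
"""Toy model of the netfilter PREROUTING ordering and the two FORWARD
rules discussed in the thread.  Not real netfilter code; addresses are
constructed placeholders."""
from dataclasses import dataclass
from typing import Optional

PUB_IP = "203.0.113.10"   # assumed public address (placeholder for $PUB_IP)
PRIV_IP = "10.0.0.10"     # assumed private server (placeholder for $PRIV_IP)


@dataclass
class Packet:
    src: str
    dst: str
    mark: int = 0
    # destination of the conntrack *original* tuple, i.e. what the packet
    # was addressed to before any NAT; this is what --ctorigdst matches on
    ctorigdst: Optional[str] = None


def prerouting(pkt: Packet, use_mark: bool) -> Packet:
    """PREROUTING as netfilter orders it: conntrack (priority -200) records
    the original tuple, mangle (-150) may set the mark, nat DNAT (-100)
    rewrites the destination last."""
    pkt.ctorigdst = pkt.dst                      # conntrack sees pre-NAT dst
    if use_mark and pkt.dst == PRIV_IP:          # mangle: -d $PRIV_IP -j MARK --set-mark 0x01
        pkt.mark = 0x01
    if pkt.dst == PUB_IP:                        # nat: -d $PUB_IP -j DNAT --to $PRIV_IP
        pkt.dst = PRIV_IP
    return pkt


def forward_mark(pkt: Packet) -> str:
    """iptables -A FORWARD -m mark --mark 0x01 -j DROP"""
    return "DROP" if pkt.mark == 0x01 else "ACCEPT"


def forward_ctorigdst(pkt: Packet) -> str:
    """iptables -A FORWARD -d $PRIV_IP -m conntrack ! --ctorigdst $PUB_IP -j DROP"""
    if pkt.dst == PRIV_IP and pkt.ctorigdst != PUB_IP:
        return "DROP"
    return "ACCEPT"


def verdict(src: str, dst: str, method: str) -> str:
    """Run one packet through PREROUTING and the chosen FORWARD rule."""
    pkt = prerouting(Packet(src, dst), use_mark=(method == "mark"))
    return forward_mark(pkt) if method == "mark" else forward_ctorigdst(pkt)


def dst_seen_in_forward(dst: str) -> str:
    """What -d matches against in FORWARD after DNAT has run."""
    return prerouting(Packet("198.51.100.5", dst), use_mark=False).dst


if __name__ == "__main__":
    client = "198.51.100.5"   # constructed external client
    for method in ("mark", "conntrack"):
        print(method, "via DNAT:", verdict(client, PUB_IP, method),
              "direct:", verdict(client, PRIV_IP, method))
```

Both FORWARD rules reach the same verdict, which is the substance of Martin's reply: the conntrack match reads the original tuple directly, so the extra mangle-table rule is not needed to recover the pre-NAT destination.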

