It is against style to do anything like that in the NAT table. It is preferable to do it in the filter table, but if you must be lazy about it all, please use the mangle table instead, which does have a valid reason to filter certain traffic at times. The -I is to make sure no matching rules get called before we check that we want these packets at all. If you do the ordering yourself, then just make sure they are all ordered properly.

iptables -t mangle -I POSTROUTING -o ppp0 -p tcp --dport 137:139 -j DROP
iptables -t mangle -I POSTROUTING -o ppp0 -p udp --dport 137:139 -j DROP
iptables -t mangle -I PREROUTING -i ppp0 -p tcp --dport 137:139 -j DROP
iptables -t mangle -I PREROUTING -i ppp0 -p udp --dport 137:139 -j DROP

-----Original Message-----
From: Claus Regelmann [mailto:claus.regelmann@xxxxxxx]
Sent: Thursday, September 11, 2003 2:03 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx; blueflux@xxxxxxxxxxx
Subject: Filter in POSTROUTING

Hello,

There is a figure in Oskar Andreasson's IPTABLES TUTORIAL (V1.1.19, chap. 3.1, pg. 19) where both the forwarded and the local output join the postrouting chain. Why shouldn't it be possible to filter all outgoing (e.g. smb) traffic from a local network at that place with a command like

>iptables -t nat -A POSTROUTING -o ppp0 -p tcp --dport 137:139 -j DROP
>iptables -t nat -A POSTROUTING -o ppp0 -p udp --dport 137:139 -j DROP

The same question applies to the PREROUTING chain for input

>iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 137:139 -j DROP
>iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 137:139 -j DROP

Thanks
Claus
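The reply's point about -I versus doing the ordering yourself can be audited after the fact. The following is an added example, not code from either poster: it takes an iptables-save style dump (the embedded text is a constructed sample, not a real ruleset) and checks that every 137:139 DROP rule in a chain sits in front of any other rule in that chain.

```bash
#!/bin/sh
# Constructed sample of what `iptables-save -t mangle` might print: the
# PREROUTING drops were inserted with -I (they come first), while in
# POSTROUTING a DROP was appended with -A behind an ACCEPT, so it never fires.
SAMPLE_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ppp0 -p udp -m udp --dport 137:139 -j DROP
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 137:139 -j DROP
-A PREROUTING -i ppp0 -j ACCEPT
-A POSTROUTING -o ppp0 -j ACCEPT
-A POSTROUTING -o ppp0 -p tcp -m tcp --dport 137:139 -j DROP
COMMIT'

# smb_drops_first CHAIN DUMP
# Returns 0 only when every "--dport 137:139 ... -j DROP" rule in CHAIN
# appears before any other rule of that chain; returns 1 otherwise.
# iptables-save lists rules in match order, one "-A CHAIN ..." line each.
smb_drops_first() {
    chain=$1
    printf '%s\n' "$2" | awk -v chain="$chain" '
        $1 == "-A" && $2 == chain {
            if ($0 ~ /--dport 137:139 .*-j DROP/) {
                # a DROP that comes after some other rule is misordered
                if (seen_other) bad = 1
            } else {
                seen_other = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run: report the ordering of both chains in the sample.
for c in PREROUTING POSTROUTING; do
    if smb_drops_first "$c" "$SAMPLE_DUMP"; then
        echo "$c: 137:139 DROP rules are first"
    else
        echo "$c: a 137:139 DROP rule is shadowed by an earlier rule"
    fi
done
```

On a live box, replace SAMPLE_DUMP with `$(iptables-save -t mangle)` to audit the actual ruleset.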