Re: Prerouting question

On Tuesday 06 April 2004 7:00 pm, Stuart Lamble wrote:

> Hi All
>
> If prerouting is the first rule a packet touches when arriving at the
> firewall, why then do we not set the default to DROP here and allow
> through what we need?

<Pedantic response>
Because PREROUTING is a nat table, and nat tables are for Network Address 
Translation.   FORWARD and INPUT are filter tables (the default if you don't 
specify in iptables rules), and that's where filtering operations such as 
DROP, REJECT, ACCEPT should be done.
</Pedant>

<Pragmatic response>
Because all sorts of things will go wrong if you try this.
</Pragmatist>

<Conntrack response>
Because all traffic passing through the interface has to go through the 
PREROUTING table, and this is where lots of connection tracking magic happens 
in the background, meaning that you (read: the rules in the PREROUTING table) 
don't see many of the packets going past, yet they still obey the default 
chain policy.   Therefore you can't catch all the packets you need to allow 
(they get handled behind the scenes), and you don't want to DROP any of the 
ones you can't see.
</Conntrack>

Regards,

Antony.

-- 
I'm pink, therefore I'm Spam.

                                                     Please reply to the list;
                                                           please don't CC me.
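To make the placement concrete, here is an added example (not part of Antony's post or of the netfilter project's own documentation). It shows, in iptables-save/iptables-restore syntax, a default-DROP policy put where the reply says it belongs (the filter table's INPUT and FORWARD chains, with conntrack letting reply traffic back in) next to the mistaken version the question asks about (DROP policy and REJECT rules in the nat table), plus a small awk lint that flags the latter in any iptables-save dump. The interface names eth0/eth1, the 192.168.1.0/24 subnet and the port choices are assumptions for the example; the rulesets are constructed inline so the script runs offline without touching a live firewall.

```shell
#!/bin/sh
# Added example, not code from the original post. Interface names, subnet
# and ports below are assumptions chosen for illustration.

# Correct placement: the filter table carries the DROP policies and the
# conntrack state rules; the nat table keeps its default ACCEPT policies
# and only rewrites addresses.
good_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
COMMIT
EOF
}

# The mistake the question asks about: DROP policy on nat PREROUTING and
# a filtering verdict (REJECT) inside the nat table.
bad_ruleset() {
cat <<'EOF'
*nat
:PREROUTING DROP [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 22 -j ACCEPT
-A PREROUTING -p tcp --dport 23 -j REJECT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# lint_ruleset: reads iptables-save text on stdin, prints one line per
# finding, and exits with the number of findings (0 means clean).
# Built-in chains appear as ":CHAIN POLICY [pkts:bytes]"; user-defined
# chains have policy "-" and are skipped.
lint_ruleset() {
    awk '
    BEGIN      { n = 0 }
    /^\*/      { table = substr($0, 2); next }
    /^COMMIT/  { table = ""; next }
    /^:/ && table != "filter" && $2 != "ACCEPT" && $2 != "-" {
        printf "%s: chain %s has policy %s (non-ACCEPT policies belong in the filter table)\n",
               table, substr($1, 2), $2
        n++
    }
    /^-A/ && table != "filter" {
        for (i = 1; i <= NF; i++)
            if ($i == "-j" && ($(i+1) == "DROP" || $(i+1) == "REJECT")) {
                printf "%s: rule \"%s\" uses %s (filtering verdicts belong in the filter table)\n",
                       table, $0, $(i+1)
                n++
            }
    }
    END { exit n }
    '
}

# Stand-alone run: lint both constructed rulesets.
echo "good ruleset:"; good_ruleset | lint_ruleset && echo "  clean"
echo "bad ruleset:";  bad_ruleset  | lint_ruleset || echo "  $? finding(s)"
```

On a live box the same check is `iptables-save | lint_ruleset`; a non-zero exit tells you that something in the nat (or mangle/raw) table is doing the filter table's job.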


