Hi

OK, I understand it now - "FORWARD and INPUT are filter tables" - bells start ringing!

Thanks Antony, you make good sense.

Cheers

Stuart

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Antony Stone
Sent: Tuesday, April 06, 2004 8:17 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Prerouting question

On Tuesday 06 April 2004 7:00 pm, Stuart Lamble wrote:

> Hi All
>
> If prerouting is the first rule a packet touches when arriving at the
> firewall, why then do we not set the default to DROP here and allow
> through what we need?

<Pedantic response>
Because PREROUTING is a nat table, and nat tables are for Network Address Translation. FORWARD and INPUT are filter tables (the default if you don't specify in iptables rules), and that's where filtering operations such as DROP, REJECT and ACCEPT should be done.
</Pedant>

<Pragmatic response>
Because all sorts of things will go wrong if you try this.
</Pragmatist>

<Conntrack response>
Because all traffic passing through the interface has to go through the PREROUTING table, and this is where lots of connection tracking magic happens in the background, meaning that you (read: the rules in the PREROUTING table) don't see many of the packets going past, yet they still obey the default chain policy. Therefore you can't catch all the packets you need to allow (they get handled behind the scenes), and you don't want to DROP any of the ones you can't see.
</Conntrack>

Regards,

Antony.

--
I'm pink, therefore I'm Spam.

Please reply to the list; please don't CC me.

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.650 / Virus Database: 416 - Release Date: 4/4/2004
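The layout Antony is recommending, written out as an iptables-restore ruleset. This is an added example, not code from the thread or from the netfilter project: the filter table's INPUT and FORWARD chains carry the DROP policy and rely on connection tracking to admit replies, while the nat table's PREROUTING chain is left at ACCEPT and only rewrites addresses. The interface names, LAN network, internal web host and forwarded port are assumptions; the script builds the ruleset as text so it can be inspected before anyone loads it as root.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal iptables-restore
# ruleset that keeps filtering in the filter table (INPUT/FORWARD policy DROP)
# and uses the nat table's PREROUTING chain only for address translation.
# Interface names, networks and the forwarded port are assumptions.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_HOST="${WEB_HOST:-192.168.1.10}"

# Emit the ruleset on stdout so it can be reviewed before loading.
# iptables-restore ignores lines beginning with '#'.
build_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# PREROUTING only rewrites the destination; the DNAT'd packet is still
# subject to the FORWARD chain of the filter table afterwards.
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Connection tracking does the work here: replies to connections that
# were allowed once never need a rule of their own. ('-m state' is the
# classic spelling; newer systems also accept '-m conntrack --ctstate'.)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $LAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
# The DNAT above is matched here by its post-translation destination.
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_HOST -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Print the default policy of one chain in one table of the generated
# ruleset, e.g. "chain_policy filter INPUT" -> DROP.
chain_policy() {
  table="$1"; chain="$2"
  build_ruleset | awk -v t="*$table" -v c=":$chain" '
    $1 == t { in_table = 1; next }
    $1 == "COMMIT" { in_table = 0 }
    in_table && $1 == c { print $2 }'
}

# To apply (as root, after reviewing the output):
#   build_ruleset | iptables-restore
```

Note the shape of the filter chains: the very first rule in INPUT and FORWARD accepts ESTABLISHED,RELATED traffic, which is exactly the packets Antony says the PREROUTING rules "don't see". With the DROP policy living in the filter table, those conntrack-recognised packets are admitted by an explicit rule and only genuinely new connections have to be listed one by one.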