Hi there,

> hi
> I dunno, but the filter table "FORWARD" is not blocking/dropping any of these
> sites. Actually these are spyware, a gift from windowz, and that's why I want to
> drop these dirty shits, coz they consume a lot of my precious bandwidth
> "dialup" ;)
>
> iptables -I FORWARD -s 0/0 -d 66.35.229.0/24 -j DROP
> iptables -I FORWARD -s 0/0 -d 212.4.208.105 -j DROP
> iptables -I FORWARD -s 0/0 -d 66.35.229.185 -j DROP
> iptables -I FORWARD -s 0/0 -d 64.152.73.0/24 -j DROP
> iptables -I FORWARD -s 0/0 -d 66.35.229.236 -j DROP
>
> However PREROUTING does work and drops it :)
>
> iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.0/24 -j DROP
> iptables -t nat -I PREROUTING -s 0/0 -d 212.4.208.105 -j DROP
> iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.185 -j DROP
> iptables -t nat -I PREROUTING -s 0/0 -d 64.152.73.0/24 -j DROP
> iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.236 -j DROP
>
> Therefore my confusion still exists, as the rule is to filter in the
> filter table and do the other things, NATting and mangling, in the nat
> and mangle tables respectively.
>
> Then why is FORWARD not blocking these sites while nat PREROUTING does?

If you're using both (drop in PREROUTING and FORWARD), the packets are
dropped in nat PREROUTING. You know why? When the packet starts the
'netfilter journey' it goes to:

1. table mangle -> chain PREROUTING
2. table nat -> chain PREROUTING (you're dropping packets here)
(routing decision)
3b. table mangle -> chain FORWARD
4b. table filter -> chain FORWARD
5. table mangle -> chain POSTROUTING
6. table nat -> chain POSTROUTING

Remove the drop in PREROUTING, and change your FORWARD rules to something like:

iptables -A FORWARD -i LAN_IF -o EXT_IF -d spywarez_site/mask -j DROP

You don't have to specify the source if the source is any (-s 0/0).

Regards,
Alejandro Flores
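To make the traversal order in the reply concrete, here is a small Python model (added as an example, not code from the thread or from netfilter) that walks a forwarded packet through the hooks in the order listed and reports which table/chain issues the DROP. It parses the iptables command lines quoted in the thread; the interface names eth0 and ppp0 and the test packet are assumed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hook order for a packet routed *through* the box, as listed in the reply.
FORWARD_PATH = [("mangle", "PREROUTING"), ("nat", "PREROUTING"),
                # routing decision happens here
                ("mangle", "FORWARD"), ("filter", "FORWARD"),
                ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")]

@dataclass
class Rule:
    table: str
    chain: str
    target: str
    dst: str = "0.0.0.0/0"
    in_if: Optional[str] = None
    out_if: Optional[str] = None

    def matches(self, pkt: dict) -> bool:
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        return ((self.in_if is None or self.in_if == pkt["in_if"]) and
                (self.out_if is None or self.out_if == pkt["out_if"]))

def parse_rule(cmd: str) -> Rule:
    """Parse an 'iptables ...' command line from the thread into a Rule.
    -I vs -A ordering inside a chain is ignored: every rule here is a DROP."""
    args = cmd.split()
    opts = {args[i]: args[i + 1] for i in range(1, len(args) - 1, 2) if args[i].startswith("-")}
    dst = opts.get("-d", "0/0")
    return Rule(table=opts.get("-t", "filter"), chain=opts.get("-I") or opts.get("-A"),
                target=opts["-j"],
                dst="0.0.0.0/0" if dst == "0/0" else dst,   # iptables accepts 0/0 for "any"
                in_if=opts.get("-i"), out_if=opts.get("-o"))

def traverse(pkt: dict, rules: List[Rule]) -> Tuple[str, Optional[str], Optional[str]]:
    """Walk the forward path; return the verdict and the (table, chain) that issued it."""
    for table, chain in FORWARD_PATH:
        for r in rules:
            if r.table == table and r.chain == chain and r.matches(pkt) and r.target == "DROP":
                return "DROP", table, chain
    return "ACCEPT", None, None

# Constructed packet: LAN host -> spyware site, leaving on the dial-up link (assumed interfaces).
PKT = {"dst": "66.35.229.185", "in_if": "eth0", "out_if": "ppp0"}
OP_RULES = [parse_rule(c) for c in (
    "iptables -I FORWARD -s 0/0 -d 66.35.229.0/24 -j DROP",
    "iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.0/24 -j DROP")]
FIXED_RULES = [parse_rule("iptables -A FORWARD -i eth0 -o ppp0 -d 66.35.229.0/24 -j DROP")]
```

With both rule sets loaded, `traverse(PKT, OP_RULES)` reports the drop in nat PREROUTING because that hook runs first; with only the FORWARD rule it reports filter FORWARD. The model treats every packet alike, whereas the real nat table is consulted only for the first packet of a connection, one more reason to keep DROP rules in the filter table.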