Re: Blocking ip addresses..

The problem is, when I use the conntrack module and I block an IP with
this command:

iptables -t nat -I POSTROUTING -p tcp -s 192.168.0.23 --dport 25 -m
conntrack --ctstate ESTABLISHED,NEW,RELATED -j DROP

then I can't create new connections, but I can still use the established
connections.

This problem has to do with the fact that the nat table is only traversed when establishing NEW connections, from what I have been told. I think this would be better done in the filter:FORWARD or the filter:OUTPUT table, as such:

iptables -t filter -I FORWARD -s 192.168.0.23 -p tcp --dport 25 -j DROP
iptables -t filter -I OUTPUT -s 192.168.0.23 -p tcp --dport 25 -j DROP



Grant. . . .
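Grant's filter-table approach carried through as a small script, added here and not part of the original thread. It assumes the iptables CLI with -C support and iptables-save; the host and port are placeholders. The verification function parses an iptables-save dump to confirm the DROP rules landed in the filter table, which sees every packet, and not in nat, which conntrack only consults for a connection's first packet.

```shell
#!/bin/sh
# Added example, not from the list post. Places the SMTP block in the filter
# table, which every packet traverses, rather than nat, which conntrack only
# consults for the first packet of a NEW connection. Host/port are placeholders.
BLOCKED_HOST="${BLOCKED_HOST:-192.168.0.23}"
BLOCKED_PORT="${BLOCKED_PORT:-25}"

# Insert a rule only if it is not already there (iptables -C exits 0 on a match).
add_once() {
    chain="$1"; shift
    iptables -t filter -C "$chain" "$@" 2>/dev/null || iptables -t filter -I "$chain" "$@"
}

block_smtp_from_host() {
    # FORWARD covers traffic routed through this box, OUTPUT traffic the box itself sends.
    add_once FORWARD -s "$BLOCKED_HOST" -p tcp --dport "$BLOCKED_PORT" -j DROP
    add_once OUTPUT  -s "$BLOCKED_HOST" -p tcp --dport "$BLOCKED_PORT" -j DROP
}

# Count DROP rules for host/port inside one table of an iptables-save dump read
# from stdin. iptables-save prints the source as "-s 192.168.0.23/32", so the
# host is matched as a prefix; the port is matched as a whole token.
count_drop_rules_in_table() {
    table="$1"; host="$2"; port="$3"
    awk -v t="*$table" -v h="-s $host" -v p="--dport $port " '
        $0 == t        { in_table = 1; next }
        $0 == "COMMIT" { in_table = 0 }
        in_table && /-j DROP/ && index($0 " ", h) && index($0 " ", p) { n++ }
        END { print n + 0 }'
}

# Verify placement on the live ruleset: any DROP in nat is a misplacement that
# would only stop new connections, and both filter chains must carry the rule.
verify_placement() {
    dump=$(iptables-save)
    in_nat=$(printf '%s\n' "$dump" | count_drop_rules_in_table nat "$BLOCKED_HOST" "$BLOCKED_PORT")
    in_filter=$(printf '%s\n' "$dump" | count_drop_rules_in_table filter "$BLOCKED_HOST" "$BLOCKED_PORT")
    echo "DROP rules for $BLOCKED_HOST -> port $BLOCKED_PORT: nat=$in_nat filter=$in_filter"
    [ "$in_nat" -eq 0 ] && [ "$in_filter" -ge 2 ]
}

# Only touch the live firewall when explicitly asked (needs root).
if [ "${APPLY_RULES:-0}" = 1 ]; then
    block_smtp_from_host && verify_placement
fi
```

Run with APPLY_RULES=1 as root to install and verify; without it the script only defines the functions, so the counter can be tried against a saved dump.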

