Hi,

Sadus wrote:
> Maybe a misconception on my part here, please correct me:
>
> When you want to block an IP from connecting to the internet, should I
> use:
> iptables -A INPUT -i $INTERNAL -s 192.168.1.2 -j DROP
> or
> iptables -A FORWARD -i $INTERNAL -s 192.168.1.2 -j DROP
> or both?
>
> Since the firewall is set as the gateway, any client will try to
> connect to the IP of the gateway to then establish a connection with the
> site needed. If I already block that IP from connecting to my NIC via the
> INPUT chain, then there is no need for me to DROP in FORWARD, or is it
> the other way around?

It depends on your configuration.

If you use a proxy on your gateway / firewall like squid, then the INPUT chain will be hit, because your clients connect to your proxy. BTW, in this configuration you don't need to set ip_forward to 1.

If, on the other hand, there is no proxy, then your clients connect directly to the respective site on the internet and thus the FORWARD chain will be hit. Because your clients use RFC 1918 addresses, which will be dropped on the first router on the internet, you need a MASQUERADE / SNAT rule in nat / POSTROUTING in this case. Otherwise nothing will work. And you must set ip_forward to 1.

Generally I agree with all the people saying that the best approach is to have a DROP policy in INPUT / FORWARD and then only allow the traffic you want. It's simple and clean in my opinion.

HTH and have a nice time,
Joerg
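The two configurations Joerg describes, written out as complete iptables-restore rulesets, as an added example that is not part of the original thread. The interface names (eth0 / eth1), the LAN prefix 192.168.1.0/24, the SSH allow rule and the squid port 3128 are assumptions; the blocked host 192.168.1.2 is the one from the question. The functions only print the rulesets, so the script runs without root; loading them is the commented usage at the bottom.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list post.
# Emits iptables-restore rulesets for a Linux gateway in the two modes
# discussed above: routed (block in FORWARD, MASQUERADE in nat/POSTROUTING,
# ip_forward=1) and proxy-only (block in INPUT, nothing forwarded, ip_forward=0).
# Interface names, LAN prefix, SSH allow and proxy port are assumptions.

INTERNAL="${INTERNAL:-eth1}"        # LAN-facing NIC (assumed name)
EXTERNAL="${EXTERNAL:-eth0}"        # internet-facing NIC (assumed name)
LAN_NET="${LAN_NET:-192.168.1.0/24}" # RFC 1918 LAN behind the gateway (assumed)
BLOCKED="${BLOCKED:-192.168.1.2}"    # the client from the question

# routed_ruleset: clients reach the internet through the gateway's routing,
# so a per-client block belongs in FORWARD. The DROP for the blocked host is
# placed before the conntrack ACCEPT so its already-open connections die too.
routed_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INTERNAL -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A FORWARD -i $INTERNAL -s $BLOCKED -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INTERNAL -o $EXTERNAL -s $LAN_NET -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $EXTERNAL -j MASQUERADE
COMMIT
EOF
}

# proxy_ruleset: clients connect to a proxy on the gateway itself (squid on
# TCP 3128, assumed), so the block lives in INPUT and FORWARD stays closed.
proxy_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $INTERNAL -s $BLOCKED -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INTERNAL -s $LAN_NET -p tcp --dport 3128 -j ACCEPT
-A INPUT -i $INTERNAL -s $LAN_NET -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# ip_forward_value: the sysctl net.ipv4.ip_forward each mode needs.
ip_forward_value() {
    case "$1" in
        routed) echo 1 ;;
        proxy)  echo 0 ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Usage (as root, after reviewing the output), e.g. for the routed variant:
#   routed_ruleset | iptables-restore
#   sysctl -w net.ipv4.ip_forward="$(ip_forward_value routed)"
```

Rule order matters here: in both rulesets the DROP for the blocked host sits before the ESTABLISHED,RELATED ACCEPT, otherwise a connection that client already has open keeps flowing until it times out. The DROP policy on both chains, plus the MASQUERADE only for the LAN prefix on the external interface, is the "deny by default, allow what you want" approach Joerg recommends.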