Re: Packet filtering and SNAT

On Thu, February 2, 2006 21:52, Alan Stern wrote:
> Apologies if this question has been asked many times before.
>
> I want to set up SNAT on my firewall, and I want to block incoming
> packets that have destination addresses that actually exist on the
> LAN.  That is, I want to accept incoming packets only if they are
> part of an SNAT connection, not if they are addressed directly to
> one of the local computers.

If you're going to use NAT, I suppose your clients have private IP
addresses, otherwise you wouldn't need NAT. In that case, unless you
set up specific DNAT rules, internet clients cannot reach your private
IP addresses.
You seem to want SNAT with stateful packet filtering.

> Adding a rule to the FORWARD chain in the filter table won't work,

Unless I'm not understanding your problem; yes, it will.

> because at that point the destination address has already been
> converted to the destination computer's actual address (hence there's
> no way to tell which packets should be dropped).  Would a rule in the
> PREROUTING chain of the mangle table work?  If not, what should I do
> to detect and drop the packets I don't want?

# Drop everything for which we have no rule.
$ipt -P FORWARD DROP

# Allow ESTABLISHED or RELATED packets in a connection.
$ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow outgoing NEW packets coming from your LAN, going to the INET.
# The rest (both outgoing and incoming) are ESTABLISHED or RELATED.
$ipt -A FORWARD -m state --state NEW -i <if_lan> -o <if_inet> \
  -s <net_lan> -j ACCEPT

# SNAT outgoing packets from your LAN
$ipt -t nat -A POSTROUTING -o <if_inet> -s <net_lan> \
  -j SNAT --to <ip_local_inet>


Gr,
Rob
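The reason the FORWARD rules above work, even though the reply's destination has already been rewritten back to the LAN host by the time it reaches FORWARD, is that the decision is made on connection-tracking state, not on the destination address. The toy model below is an added illustration and is not code from the post or from Netfilter itself: it models a conntrack table, the FORWARD chain with a DROP policy, and the POSTROUTING SNAT, using constructed interface names and addresses (eth1/eth0, 192.168.1.0/24, 203.0.113.5) in place of the <if_lan>, <if_inet>, <net_lan> and <ip_local_inet> placeholders. Port handling is simplified (SNAT keeps the source port).

```python
from dataclasses import dataclass, replace

# Constructed values standing in for the placeholders used in the post.
IF_LAN = "eth1"                 # <if_lan>
IF_INET = "eth0"                # <if_inet>
NET_LAN = "192.168.1."          # <net_lan>, as a prefix for simplicity
IP_LOCAL_INET = "203.0.113.5"   # <ip_local_inet>


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    sport: int
    dst: str
    dport: int


class SnatFirewall:
    """Toy model of conntrack plus the FORWARD/POSTROUTING rules in the post."""

    def __init__(self):
        self.orig = set()      # original-direction 5-tuples seen (LAN -> INET)
        self.reply_map = {}    # reply-direction tuple -> (lan_ip, lan_port)

    def handle(self, pkt):
        """Return (verdict, packet as it leaves the box or None if dropped)."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)

        # 1. PREROUTING / conntrack: classify the packet and, for replies to an
        #    SNATed flow, undo the translation before routing and FORWARD.
        if key in self.reply_map:
            lan_ip, lan_port = self.reply_map[key]
            pkt = replace(pkt, dst=lan_ip, dport=lan_port)
            state = "ESTABLISHED"
        elif key in self.orig:
            state = "ESTABLISHED"
        else:
            state = "NEW"

        # 2. Routing decision (toy): the LAN prefix goes out the LAN interface.
        out_if = IF_LAN if pkt.dst.startswith(NET_LAN) else IF_INET

        # 3. FORWARD chain, in rule order, with policy DROP at the end.
        if state == "ESTABLISHED":
            verdict = "ACCEPT"
        elif (pkt.in_if == IF_LAN and out_if == IF_INET
              and pkt.src.startswith(NET_LAN)):
            verdict = "ACCEPT"          # NEW, LAN -> INET only
        else:
            verdict = "DROP"            # anything else, incl. INET -> LAN NEW
        if verdict == "DROP":
            return verdict, None

        # 4. POSTROUTING SNAT for traffic leaving towards the internet.
        if out_if == IF_INET and pkt.src.startswith(NET_LAN):
            if state == "NEW":
                self.orig.add(key)
                reply_key = (pkt.dst, pkt.dport, IP_LOCAL_INET, pkt.sport)
                self.reply_map[reply_key] = (pkt.src, pkt.sport)
            pkt = replace(pkt, src=IP_LOCAL_INET)
        return verdict, pkt


def demo():
    """Run the three cases from the thread and return their verdicts."""
    fw = SnatFirewall()
    # LAN host opens a connection to a web server on the internet.
    out = Packet(IF_LAN, "192.168.1.10", 40000, "198.51.100.7", 80)
    # The server's reply, addressed to the firewall's public address.
    reply = Packet(IF_INET, "198.51.100.7", 80, IP_LOCAL_INET, 40000)
    # Same internet host sending directly to the LAN host's private address.
    direct = Packet(IF_INET, "198.51.100.7", 80, "192.168.1.10", 40000)
    return [fw.handle(out)[0], fw.handle(reply)[0], fw.handle(direct)[0]]


if __name__ == "__main__":
    print(demo())  # ['ACCEPT', 'ACCEPT', 'DROP']
```

The third packet has exactly the destination Alan was worried about, yet it is dropped: it matches no conntrack entry, so it is NEW, and the only NEW traffic the FORWARD chain accepts comes in on the LAN interface. No PREROUTING or mangle rule is needed.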




