On 31.07.2006, at 15:44, Pascal Hambourg wrote:
former03 | Baltasar Cevc wrote:
Why? What is the difference with or without NAT?
You can filter out all incoming packets to local IP addresses on the
wan interface before NAT is done;
No you can't, unless you intend to do filtering in the PREROUTING chain of
the 'mangle' table.
I'd probably prefer to do it in the nat table (well, I do know that
filtering should be done in filter only, but it works well that way,
too). Another option would be to separate it using marks.
And for local host access, which was what we were talking about:
-t filter -A INPUT -i eth0 -d <local ip> -j REJECT --reject-with icmp-net-unreachable
if you just use MASQUERADE for outgoing packets, "iptables -A INPUT
-i eth0 -d 192.168.0.0/16 -j DROP".
I just don't see how it is different whether you have NAT/MASQUERADE
or not. To me filtering and NAT in iptables are fundamentally
independent.
Sure, they are. However, if I NAT, I can make the following assumption:
there are no (valid) packets addressed to internal addresses on eth0,
which is something I can't assume when I don't have NAT. Without that
assumption, I cannot prohibit as much as I can when I assume that.
Baltasar
--
Baltasar Cevc
_____ former 03 gmbh
_____ infanteriestraße 19 haus 6 eg
_____ D-80797 muenchen
_____ http://www.former03.de
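The two approaches discussed in this exchange, as an added example that is not part of the thread: a gateway that MASQUERADEs its LAN behind a WAN interface drops packets arriving on the WAN side that are addressed to RFC 1918 ranges, once in mangle PREROUTING (the only place that sees the destination before NAT, as Pascal notes) and once in the filter table (safe under Baltasar's assumption that no DNAT is in use). The interface name, the placeholder WAN address and the script layout are assumptions; the reject type is spelled the way iptables accepts it (`icmp-net-unreachable`).

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes iptables on a gateway whose
# LAN is masqueraded behind WAN interface eth0 and that no DNAT is configured.
WAN=eth0
LOCAL_IP="203.0.113.5"   # placeholder WAN address (documentation range)
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
IPT="${IPT:-iptables}"

# Emit the rules as text so they can be reviewed before anything is applied.
build_rules() {
    # mangle PREROUTING runs before NAT, so these rules match the destination
    # exactly as it arrived on the wire, even if DNAT is added later.
    for net in $RFC1918; do
        echo "$IPT -t mangle -A PREROUTING -i $WAN -d $net -j DROP"
    done
    # filter INPUT/FORWARD see the post-NAT destination. With plain MASQUERADE
    # and no DNAT, no valid packet for an internal address arrives on the WAN
    # side, so dropping here is safe as well.
    for net in $RFC1918; do
        echo "$IPT -t filter -A INPUT -i $WAN -d $net -j DROP"
        echo "$IPT -t filter -A FORWARD -i $WAN -d $net -j DROP"
    done
    # Refuse WAN-side access to the gateway's own address, as in the thread.
    echo "$IPT -t filter -A INPUT -i $WAN -d $LOCAL_IP -j REJECT --reject-with icmp-net-unreachable"
}

# Number of rules the script would install (3 mangle + 6 filter + 1 reject).
rule_count() { build_rules | wc -l | tr -d ' '; }

# Apply only when explicitly requested: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
    build_rules | sh
fi
```

Run without arguments to print the generated rules; `rule_count` is handy for a sanity check after edits to the address list.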