Re: Policy targets...

jwlargent wrote:

...
fw1:~# iptables -t nat -P PREROUTING RETURN
iptables: Bad policy name

So you won!
Maybe someone should fix the manual....

Maybe you should just read the manual, RETURN is not a policy for the
nat table.
Believe me... I have read it many times... :D
From the man page:

       nat:
           This table is consulted when a packet that creates a new
           connection is encountered. It consists of three built-ins:
           PREROUTING (for altering packets as soon as they come in),
           OUTPUT (for altering locally-generated packets before routing),
           and POSTROUTING (for altering packets as they are about to go out).

Yeah... That is right... But wait a minute... I am talking about DEFAULT POLICY and you are talking about BUILT-IN CHAINS!!!

iptables -t nat -A PREROUTING -j RETURN != iptables -t nat -P PREROUTING RETURN

The first works, the second does not...

I think that it is a bit confusing to use ACCEPT as a policy target and as a rule target. (In nat/mangle/raw ACCEPT means CONTINUE. In filter it means OK, LET IT THROUGH.)
That is why I tried to use RETURN in the policy.

From the man page:

       -P, --policy chain target
           Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.


       TARGETS
           A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN.

           ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the ip_queue queue handler. Kernels 2.6.14 and later additionally include the nfnetlink_queue queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case. Please also see the NFQUEUE target as described later in this man page.) RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

-- 
Jeff Largent
System Administrator
Visual Lease Services Inc.
http://www.vlsmaps.com
(405) 379-5280
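A small model of the TARGETS semantics quoted in the message above, added here as an example that is not code from the thread or from iptables itself: a chain walker in which RETURN inside a user-defined chain resumes at the next rule of the caller, RETURN (or falling off the end) in a built-in chain is settled by the chain's policy, and `-P CHAIN RETURN` is refused because a policy has no caller to return to. Chain names, match rules and packets are constructed for the demonstration.

```python
# Added example (not code from the thread); chains and packets are constructed.
TERMINAL = {"ACCEPT", "DROP"}   # the only verdicts a chain policy may carry

class Table:
    def __init__(self):
        self.chains = {}        # chain name -> [(match, target), ...]
        self.policy = {}        # built-in chain name -> ACCEPT | DROP
    def new_chain(self, name, policy=None):
        self.chains[name] = []
        if policy is not None:  # only built-in chains are created with a policy
            self.policy[name] = "ACCEPT"
            self.set_policy(name, policy)

    def set_policy(self, chain, target):
        # `iptables -P CHAIN TARGET`: a policy has no caller to return to,
        # so RETURN (or a chain name) is refused, as the shell in the thread shows.
        if chain not in self.policy:
            raise ValueError("Only built-in chains can have policies")
        if target not in TERMINAL:
            raise ValueError("Bad policy name")
        self.policy[chain] = target

    def append(self, chain, match, target):
        self.chains[chain].append((match, target))   # `iptables -A CHAIN ... -j TARGET`

    def walk(self, chain, pkt):
        # Returns ACCEPT/DROP, or RETURN once the chain is exhausted or hits -j RETURN.
        for match, target in self.chains[chain]:
            if not match(pkt):
                continue                     # no match: examine the next rule
            if target in TERMINAL or target == "RETURN":
                return target
            sub = self.walk(target, pkt)     # jump into a user-defined chain
            if sub != "RETURN":
                return sub                   # RETURN: resume at the next rule here
        return "RETURN"

    def fate(self, builtin, pkt):
        # A RETURN reaching a built-in chain is resolved by that chain's policy.
        v = self.walk(builtin, pkt)
        return self.policy[builtin] if v == "RETURN" else v

def build_filter():
    t = Table()
    t.new_chain("INPUT", policy="DROP")
    t.new_chain("TRUSTED")                                    # user-defined
    t.append("INPUT", lambda p: p["src"].startswith("10.0."), "TRUSTED")
    t.append("TRUSTED", lambda p: p["dport"] == 22, "ACCEPT")
    t.append("INPUT", lambda p: p["dport"] == 80, "ACCEPT")
    t.append("INPUT", lambda p: p["dport"] == 443, "RETURN")  # -> policy decides
    return t
```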