Weedy wrote:
So apparently this has become illegal, and neither Google nor my playing
around has figured out how to update it. Input is most welcome.
+ iptables -t nat -A prerouting_rule -i br-lan -p tcp --dport 80 -j REDIRECT --to-port 3128
+ iptables -t nat -A prerouting_rule -p tcp --dport 2020 -m state --state NEW -m recent --name ATTACKER_SSH --rsource --update --seconds 120 --hitcount 5 -j DROP
iptables v1.4.3.2:
The "nat" table is not intended for filtering, the use of DROP is
therefore inhibited.
Try `iptables -h' or 'iptables --help' for more information.
This is an OpenWrt router running the old firewall (not supported, or I
would have asked on their mailing list). I will attach it in case anyone
wants to give it a quick peek and finds anything terribly
wrong/outdated (but it does currently work fine).
Thank you for your time.
Hello,
Since iptables 1.4.3.2, DROP is prohibited in the nat table.
It actually was never intended to be used for 'filtering'. Filtering
should be done in the 'filter' table (hence the name).
The nat table only 'sees' state NEW connections, hence the --state NEW
is obsolete.
Change your rules to DROP / ACCEPT in the filter table.
greets
Mart
P.S. didn't take a look at the attached ruleset...
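Added example (not part of the thread, and not Weedy's attached ruleset): the two rules from the original post rewritten the way Mart's reply describes. The transparent-proxy REDIRECT stays in the nat table, since REDIRECT is a NAT target; the SSH brute-force throttle moves to the filter table, where DROP is permitted. Interface, ports, chain name prerouting_rule, the recent-list name and the 120 s / 5 hit thresholds come from the post. The filter-table hook chain input_rule, the companion --set rule (needed so --update has entries to match against; the post's attachment may already contain it) and the DRY_RUN wrapper are assumptions made for this example.

```shell
#!/bin/sh
# Rewritten rules: REDIRECT in nat, DROP in filter (iptables >= 1.4.3.2).
# Assumed for this example: the 'input_rule' hook chain in the filter table,
# the --set rule that records attempts, and the DRY_RUN mode below.

IPT=${IPT:-iptables}
LAN_IF=br-lan
PROXY_PORT=3128
SSH_PORT=2020

# Execute the rule, or only print it when DRY_RUN=1 so the result can be
# inspected on a machine without root or without iptables installed.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

apply_rules() {
    # 1. Transparent proxy: still a nat-table job, REDIRECT is a NAT target.
    ipt -t nat -A prerouting_rule -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-port "$PROXY_PORT"

    # 2. SSH throttle, now in the filter table (default table, so no -t).
    #    --state NEW is kept: unlike nat, the filter table sees every packet
    #    of a connection, not only the first one.
    #    First rule (assumed) records each new attempt per source address;
    #    second rule drops a source with more than 5 attempts in 120 s.
    ipt -A input_rule -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --name ATTACKER_SSH --rsource --set
    ipt -A input_rule -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --name ATTACKER_SSH --rsource --update --seconds 120 \
        --hitcount 5 -j DROP
}

# Sanity check for the error in the post: succeed only if no generated rule
# combines '-t nat' with '-j DROP'.
check_no_nat_drop() {
    if DRY_RUN=1 apply_rules | grep -- '-t nat' | grep -q -- '-j DROP'; then
        return 1
    fi
    return 0
}

# Usage: DRY_RUN=1 sh rules.sh dry   (print rules)
#        sh rules.sh apply          (as root, install rules)
case "${1:-}" in
    dry)   DRY_RUN=1 apply_rules ;;
    apply) apply_rules ;;
esac
```

Running it with DRY_RUN=1 prints three iptables commands; only the first carries -t nat, and the one ending in -j DROP is in the filter table, which is exactly the condition the 1.4.3.2 check enforces.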
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html