I just mean the gateway/firewall server that all the traffic passes through.

No, it doesn't work ... The port is blocked when I try these rules (copy of the INPUT rules):

    iptables -A FORWARD -i eth1 -p tcp -m tcp --dport 443 -m state --state NEW -m recent --set
    iptables -A FORWARD -i eth1 -p tcp -m tcp --dport 443 -m state --state NEW -m recent --update --seconds 600 --hitcount 1 -j DROP
    iptables -A FORWARD -i eth1 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.2:443

If I try that, the port is always open and hitcount doesn't work:

    iptables -A FORWARD -i eth1 -p tcp -m tcp --dport 443 -m state --state NEW -m recent --set
    iptables -A FORWARD -i eth1 -p tcp -m tcp --dport 443 -m state --state NEW -m recent --update --seconds 600 --hitcount 1 -j ACCEPT
    iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.2:443

Thank you for the picture! It's very interesting :) And sorry, but I have never used a mailing list. I don't know how it works exactly :( I put it in copy this time :)

Thank you for your help!

On 10/22/11, Andrew Beverley <andy@xxxxxxxxxxx> wrote:
> On Sat, 2011-10-22 at 16:14 +0200, Azerty Ytreza wrote:
>> "What exactly are you trying to achieve? If you're changing to a FORWARD
>> rule then I assume that you are trying to adapt your rules in order to
>> block connections destined for a remote server, rather than the local
>> host?"
>>
>> I want to limit the number of connections which pass through the host.
>
> Okay, in which case you do want FORWARD.
>
>> Yes, I can block that on the remote server but I prefer on the local
>> if it's possible.
>
> Do you really mean "local" (in which case you want OUTPUT) or do you
> just mean on your gateway/firewall server that all the traffic passes
> through?
>
>>
>> "Do you really mean UDP?"
>>
>> No, it's an error, sorry. I copy/pasted other rules and adapted them
>> but forgot to change udp to tcp.
>
> Okay, so it's working now?
>
>> "You've got a mixture of INPUT and FORWARD. Is that what you want?
>> Remember that packets will never traverse both the INPUT and FORWARD
>> chains."
>>
>> The port 443 is blocked by default; that is why I open it and
>> then redirect. If I make only a FORWARD rule, does it open the port
>> directly without INPUT rules?
>
> It depends where you're blocking it. What's the default FORWARD rule?
> ACCEPT?
>
> The bottom line is that you need all your rules in FORWARD *or* INPUT. A
> picture paints a thousand words:
>
> http://jengelh.medozas.de/images/nf-packet-flow.png
>
> Or for a simpler (out of date) version:
>
> http://www.docum.org/docum.org/kptd/
>
>>
>>
>> Thank you for your response!
>
> No problem, but please put your responses in-line to the original email
> rather than copying and pasting to the top! Oh, and copy the list as
> well.
>
> Andy
>
>
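As an added illustration (not part of the thread), here is a small Python model of how the recent match's --set and --update --seconds/--hitcount rules count hits when walked in the order of the FORWARD chain above; the client address, timestamps and the simulate() helper are constructed, and the model simplifies the kernel's xt_recent bookkeeping.

```python
"""Toy model of xt_recent: --set records a hit, --update --seconds S
--hitcount N matches when the source has >= N recorded hits in the last S
seconds.  Not the kernel code; a simplification for reasoning about rule order."""
from collections import defaultdict, deque


class RecentTable:
    """One named recent list: source address -> timestamps of recorded hits."""

    def __init__(self):
        self.stamps = defaultdict(deque)

    def set(self, src, now):
        # --set: record a hit for src and always match.
        self.stamps[src].append(now)
        return True

    def update(self, src, now, seconds, hitcount):
        # --update: match only if src is already listed with >= hitcount hits
        # inside the window; on a match the current time is recorded too.
        if src not in self.stamps:
            return False
        in_window = [t for t in self.stamps[src] if now - t <= seconds]
        if len(in_window) >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def run_chain(table, src, now, hitcount, seconds=600, verdict="DROP"):
    """Walk the thread's FORWARD chain for one NEW TCP/443 packet from src:
    rule 1: -m recent --set (no target, so evaluation continues)
    rule 2: -m recent --update --seconds S --hitcount N -j <verdict>
    rule 3: --state NEW,ESTABLISHED -j ACCEPT"""
    table.set(src, now)                      # rule 1 always fires first
    if table.update(src, now, seconds, hitcount):
        return verdict                       # rule 2 matched
    return "ACCEPT"                          # rule 3


def simulate(hitcount, verdict="DROP", times=(0, 1, 2, 3, 700)):
    """Feed several connection attempts (constructed client 203.0.113.7, at
    the given second offsets) through a fresh table; return each verdict."""
    table = RecentTable()
    return [run_chain(table, "203.0.113.7", t, hitcount, verdict=verdict)
            for t in times]
```

Because --set runs before --update on the same packet, --hitcount 1 is already satisfied by the very first connection, so simulate(1) drops every attempt and simulate(1, verdict="ACCEPT") accepts every attempt, matching both observations in the thread; simulate(4) shows the --hitcount N+1 form allowing three NEW connections per 600 seconds and accepting again once the window has expired.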