Re: Removing DROP from nat table

On Thursday 2011-11-10 01:41, gregry . wrote:

>"Hold on, that's your problem right there, you should use filter
>instead," someone will say.  Maybe, but I'll describe why I didn't.
>[...]
>iptables -t nat -A natclnt_10_0_0_1 -p tcp --dport 8001 -j nat_fwd_srvc
>iptables -t nat -A natclnt_10_0_0_1 -j LOG --log-prefix NatClnt_1=
>iptables -t nat -A natclnt_10_0_0_1 -j DROP
>[...]
>iptables -t nat -A PREROUTING -p tcp -m state --state NEW -s 10.0.0.0/24 -d 10.0.0.1 -j nat_clnt_new
>
>These chains above would be called when new TCP connections come in
>from VPN clients trying to reach 10.0.0.1.  The filter table only
>needs a single "blind" ACCEPT for all new TCP connections from
>10.0.0.0/8.

NB: NAT only ever gets NEWs, so it's pointless to check for it again
using matches.

>However, if this setup gets rebuilt using the filter table in the 'intended' way, the rules would have to be like:
>
>iptables -t filter -A fwdclnt_10_0_0_1 -p tcp -d 192.168.10.23 --dport 80 -j ACCEPT
>iptables -t filter -A fwdclnt_10_0_0_1 -j LOG --log-prefix FwdClnt_1=
>iptables -t filter -A fwdclnt_10_0_0_1 -j DROP
>
>iptables -t filter -A fwdclnt_10_0_0_2 -p tcp -d 192.168.10.23 --dport 80 -j ACCEPT
>iptables -t filter -A fwdclnt_10_0_0_2 -p tcp -d 192.168.190.5 --dport 80 -j ACCEPT
>iptables -t filter -A fwdclnt_10_0_0_2 -p tcp -d 192.168.190.5 --dport 443 -j ACCEPT
>iptables -t filter -A fwdclnt_10_0_0_2 -j LOG --log-prefix FwdClnt_2=
>iptables -t filter -A fwdclnt_10_0_0_2 -j DROP
>...etc
>
>Notice that in this setup, if a service gets moved to another host
>or port, potentially hundreds of filter rules also have to be
>changed to reflect that.  Much more laborious and error prone.

Indeed one wonders why you would do such a convoluted thing in filter 
when you can simply do:

-A FORWARD -s 10.0.0.0/8 -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -j DROP
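As an added example (this is not code from the thread, from gregry's setup, or from the netfilter project), the POSIX shell script below generates an iptables-restore ruleset in the layout the reply suggests: the per-client service policy stays in the nat table as DNAT chains, and the filter table's FORWARD chain accepts only connections that were actually DNATed and drops the rest of the VPN traffic. The hub address 10.0.0.1, the chain names (nat_fwd_*, natclnt_*), the service and client tables, and the ESTABLISHED,RELATED companion rule are constructed assumptions for illustration. Because every real host:port appears exactly once, moving a service is a one-line change regardless of how many clients use it.

```shell
#!/bin/sh
# Added example, not code from the thread: generate an iptables-restore
# ruleset that keeps the per-client service policy in the nat table and
# lets the filter table accept only connections that were actually DNATed,
# as suggested in the reply above. Chain names, the hub address and the
# service/client tables below are constructed for illustration.

HUB=10.0.0.1          # address VPN clients dial; one "virtual" port per service
VPN_NET=10.0.0.0/8    # source range used in the FORWARD rules of the reply

# Service map (constructed): name, virtual port on $HUB, real host, real port.
# Moving a service means editing exactly one line here.
SERVICES='
web1  8001 192.168.10.23 80
web2  8002 192.168.190.5 80
web2s 8003 192.168.190.5 443
'

# Client allow-list (constructed): client address, comma-separated services.
CLIENTS='
10.0.0.11 web1
10.0.0.12 web1,web2,web2s
'

# Look up the virtual port of a service name (prints nothing if unknown).
svc_port() {
    printf '%s\n' "$SERVICES" | while read -r name port _tip _tport; do
        if [ "$name" = "$1" ]; then printf '%s' "$port"; fi
    done
}

# Emit the whole ruleset in iptables-restore format.
gen_ruleset() {
    printf '*nat\n'
    printf ':PREROUTING ACCEPT [0:0]\n:INPUT ACCEPT [0:0]\n'
    printf ':OUTPUT ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n'
    # Declare one nat_fwd_* chain per service and one natclnt_* chain per client.
    printf '%s\n' "$SERVICES" | while read -r name _port _tip _tport; do
        [ -n "$name" ] || continue
        printf ':nat_fwd_%s - [0:0]\n' "$name"
    done
    printf '%s\n' "$CLIENTS" | while read -r cip _svcs; do
        [ -n "$cip" ] || continue
        printf ':natclnt_%s - [0:0]\n' "$(printf '%s' "$cip" | tr '.' '_')"
    done
    # Service chains: the only place a real host:port appears.
    printf '%s\n' "$SERVICES" | while read -r name _port tip tport; do
        [ -n "$name" ] || continue
        printf -- '-A nat_fwd_%s -j DNAT --to-destination %s:%s\n' "$name" "$tip" "$tport"
    done
    # Client chains: permitted virtual ports jump to the service chain. Anything
    # else falls through un-NATed and is dropped in FORWARD, so no DROP here.
    printf '%s\n' "$CLIENTS" | while read -r cip svcs; do
        [ -n "$cip" ] || continue
        chain="natclnt_$(printf '%s' "$cip" | tr '.' '_')"
        for s in $(printf '%s' "$svcs" | tr ',' ' '); do
            printf -- '-A %s -p tcp --dport %s -j nat_fwd_%s\n' "$chain" "$(svc_port "$s")" "$s"
        done
        # nat PREROUTING only sees the first packet of a connection, so no
        # --state NEW match is needed (the NB in the reply).
        printf -- '-A PREROUTING -s %s -d %s -p tcp -j %s\n' "$cip" "$HUB" "$chain"
    done
    printf 'COMMIT\n'

    printf '*filter\n'
    printf ':INPUT ACCEPT [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    # Reply direction for already-tracked connections (assumed companion rule).
    printf -- '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    # The two rules from the reply: DNAT is a property of the connection, so
    # every packet of a DNATed flow matches; un-NATed client traffic is dropped.
    printf -- '-A FORWARD -s %s -m conntrack --ctstate DNAT -j ACCEPT\n' "$VPN_NET"
    printf -- '-A FORWARD -s %s -j DROP\n' "$VPN_NET"
    printf 'COMMIT\n'
}

# Stand-alone use: print the ruleset (pipe into iptables-restore on the hub).
gen_ruleset
```

Check the generated text with `iptables-restore --test` before loading it. Note that `--ctstate DNAT` is a state of the conntrack entry, not of the individual packet, so the ACCEPT in FORWARD covers every packet of a DNATed connection without a separate per-client rule; a client hitting a virtual port its natclnt_* chain does not list simply never gets DNATed and is caught by the final DROP.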
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

