Re: IPTables ISP Open Port Notices

You shouldn't need to add a separate rule for the public IPs - the NAT
rule will get evaluated first, so in the context of the FORWARD chain
(which is where you need to do this processing) the traffic will
already have a post-NAT destination (aka private IP).

https://upload.wikimedia.org/wikipedia/commons/thumb/3/37/Netfilter-packet-flow.svg/2560px-Netfilter-packet-flow.svg.png

This chart might be helpful - if you look in the middle in the green
by "Routing Decision", you'll see that the NAT table's prerouting
chain gets evaluated just before that point (so we come into
"Routing Decision" with the DNAT'd internal IP address, not the public
IP). Then, since these are forwarded, it continues on to the right of
the chart to the mangle (modify) table's FORWARD(ing) chain, and then
finally to the filter table's FORWARD chain (filter is also the default
table when unspecified). That is where your DROP rules are
getting inserted, and why they need to be the internal IPs and not the
publics.

On Fri, Jun 3, 2022 at 5:07 PM Robert Steinmetz,,, <rob@xxxxxxxxxxxxxxxx> wrote:
>
>
> On 6/1/2022 11:50 AM, Alex Buie wrote:
>
> Try adding DROPs to the FORWARD chain for the internal (post-DNAT) IP address (ie, ) [or even REJECT if you wanna send ICMP back]
>
> Since these are routed they will not traverse the INPUT and OUTPUT chains, which are only for traffic specifically destined to or generated from the host. Routed traffic will traverse the FORWARD chain.
>
> Thanks.
>
> That's what I needed to understand. I've added:
>
> -A FORWARD -d 192.168.1.2 -p udp -m udp --dport <port> -j DROP
>
> -A FORWARD -d 192.168.1.3 -p udp -m udp --dport <port> -j DROP
>
> My understanding is this will drop packets routed from the Public IP address to the Private IP address. One question I have is, does this block traffic on that port in both directions, or just the incoming traffic to the private address? Should there be a similar statement for the corresponding Public IP address?
>
> I hope this works. I've updated my rule set. My ISP apparently runs these checks every 3 days or so, so now I just need to wait and see if it stops sending them. I don't work with iptables very often; once they're set up I tend to leave them alone for years.
>
> I'll report back in a few days.
>
> --
> Robert Steinmetz AIA
> Principal
> Steinmetz & Associates
>
> New Orleans & Atlanta



-- 
Alex Buie
Senior Networking Software Engineer
Datto, Inc.
475-288-4550 (o)
585-653-8779 (c)
www.datto.com
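To see why the FORWARD rule has to name the internal address, here is an added Python model (not from this thread and not netfilter's own code) that walks one packet through nat PREROUTING, then the routing decision, then filter FORWARD, parsing rules written in the iptables-save syntax Robert quoted. The public address 203.0.113.10, the private hosts, port 5060 and the ACCEPT chain policy are constructed assumptions.

```python
"""Toy model of the netfilter path for a forwarded packet:
nat PREROUTING (DNAT) -> routing decision -> filter FORWARD.
Shows that a FORWARD DROP only matches if it names the post-DNAT address."""
import shlex

# Constructed sample rule set (addresses and port are made up for this example).
# The first FORWARD rule names the public IP and therefore never matches.
RULES = """
*nat
-A PREROUTING -d 203.0.113.10/32 -p udp -m udp --dport 5060 -j DNAT --to-destination 192.168.1.2
*filter
-A FORWARD -d 203.0.113.10/32 -p udp -m udp --dport 5060 -j DROP
-A FORWARD -d 192.168.1.3/32 -p udp -m udp --dport 5060 -j DROP
"""
# Same rule set with the DROP rewritten to the internal (post-DNAT) address.
CORRECTED = RULES.replace("-A FORWARD -d 203.0.113.10/32", "-A FORWARD -d 192.168.1.2/32")

def parse_rules(text):
    """Return {table: {chain: [rule dicts]}} for the small iptables-save subset used above."""
    tables, table = {}, None
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        if line.startswith("*"):              # "*nat", "*filter": table header
            table = tables.setdefault(line[1:], {})
            continue
        tok = shlex.split(line)
        rule = {"chain": tok[tok.index("-A") + 1]}
        for flag, key in (("-d", "dst"), ("-p", "proto"), ("--dport", "dport"),
                          ("-j", "target"), ("--to-destination", "to")):
            if flag in tok:
                rule[key] = tok[tok.index(flag) + 1]
        rule["dst"] = rule.get("dst", "0.0.0.0/0").split("/")[0]  # only /32 or "any" modelled
        table.setdefault(rule["chain"], []).append(rule)
    return tables

def matches(rule, pkt):
    return (rule["dst"] in ("0.0.0.0", pkt["dst"])
            and rule.get("proto", pkt["proto"]) == pkt["proto"]
            and int(rule.get("dport", pkt["dport"])) == pkt["dport"])

def forward(tables, pkt):
    """Walk nat PREROUTING, then filter FORWARD; return (verdict, destination seen by FORWARD)."""
    pkt = dict(pkt)
    for rule in tables.get("nat", {}).get("PREROUTING", []):   # runs before the routing decision
        if matches(rule, pkt) and rule["target"] == "DNAT":
            pkt["dst"] = rule["to"]                               # destination rewritten here
            break
    for rule in tables.get("filter", {}).get("FORWARD", []):   # sees the post-DNAT address
        if matches(rule, pkt):
            return rule["target"], pkt["dst"]
    return "ACCEPT", pkt["dst"]   # assumed FORWARD chain policy

if __name__ == "__main__":
    probe = {"dst": "203.0.113.10", "proto": "udp", "dport": 5060}
    print("public-IP rule:", forward(parse_rules(RULES), probe))
    print("private-IP rule:", forward(parse_rules(CORRECTED), probe))
```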