Re: dropping in forward/postrouting

On Friday 30 July 2004 7:15 am, Askar Ali Khan wrote:

> Hi,
> I dunno, but the filter table "FORWARD" is not blocking/dropping any of these
> sites. Actually these are spywares, a gift from windowz, and the reason I want to
> drop these dirty shits is because they consume a lot of my precious bandwidth
> "dialup" ;)
>
> iptables -I FORWARD -s 0/0 -d 66.35.229.0/24 -j DROP
> iptables -I FORWARD -s 0/0 -d 212.4.208.105 -j DROP
> iptables -I FORWARD -s 0/0 -d 66.35.229.185 -j DROP
> iptables -I FORWARD -s 0/0 -d 64.152.73.0/24 -j DROP
> iptables -I FORWARD -s 0/0 -d 66.35.229.236 -j DROP
>
> However, PREROUTING does work and drops it :)
>
> iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.0/24 -j DROP
> iptables -t nat -I PREROUTING -s 0/0 -d 212.4.208.105 -j DROP
> iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.185 -j DROP
> iptables -t nat -I PREROUTING -s 0/0 -d 64.152.73.0/24 -j DROP
> iptables -t nat -I PREROUTING -s 0/0 -d 66.35.229.236 -j DROP

Do you have both these sets of rules in your ruleset at the same time?

If so, then packets which are DROPped in the PREROUTING chain will never make 
it to the FORWARD chain (because they've been DROPped), therefore the FORWARD 
rules will never see anything to DROP.

Try changing both targets from DROP to LOG, and see if the packets go through 
both chains as expected.

Also, of the five rules you've listed, two are pointless, as the addresses 
66.35.229.185 and 66.35.229.236 both fall within the first /24 range 
specified and will therefore be caught by the first rule.

If, on the other hand, you're saying that putting the rules above into 
PREROUTING does DROP the packets, but removing them from PREROUTING and 
putting them into FORWARD instead does not DROP the packets, then show us the 
rest of your PREROUTING ruleset, as you may be changing the destination 
address before the packets reach FORWARD?

Regards,

Antony.

-- 
I think, therefore I am.
I'm pink, therefore I'm Spam.
I drink, therefore I think I am.

                                                     Please reply to the list;
                                                           please don't CC me.
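Added example (not part of the original thread, and not code from either poster): a small bash script that does the two things Antony's reply suggests. It checks which of the posted destinations are already covered by a wider prefix in the same list (here 66.35.229.185 and 66.35.229.236 fall inside 66.35.229.0/24), and it prints the equivalent rules with LOG instead of DROP for both nat/PREROUTING and filter/FORWARD, so the same packet can be seen traversing both chains. The destination list is constructed from the post; the script only prints the iptables commands, it does not execute them or need root.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: de-duplicate a list of iptables
# destinations and emit LOG rules for tracing chain traversal.

# Constructed input, copied from the post: two /32s overlap the first /24.
TARGETS="66.35.229.0/24 212.4.208.105 66.35.229.185 64.152.73.0/24 66.35.229.236"

# Convert a dotted quad to a 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address-or-prefix $1 lies entirely within CIDR $2.
# A bare address is treated as /32.
in_cidr() {
    local a="${1%/*}" alen="${1#*/}" b="${2%/*}" blen="${2#*/}"
    [ "$alen" = "$1" ] && alen=32
    [ "$blen" = "$2" ] && blen=32
    # A narrower block can never contain a wider one.
    [ "$alen" -ge "$blen" ] || return 1
    local mask=$(( blen == 0 ? 0 : (0xFFFFFFFF << (32 - blen)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$a") & mask )) -eq $(( $(ip2int "$b") & mask )) ]
}

# Print every target from the list $1 that is not already covered by a
# strictly wider target in the same list.
dedupe_targets() {
    local t u covered
    for t in $1; do
        covered=0
        for u in $1; do
            [ "$t" = "$u" ] && continue
            if in_cidr "$t" "$u" && ! in_cidr "$u" "$t"; then
                covered=1
                break
            fi
        done
        if [ "$covered" -eq 0 ]; then
            echo "$t"
        fi
    done
}

# Number of rules actually needed for TARGETS.
count_unique() {
    dedupe_targets "$TARGETS" | wc -l | tr -d ' '
}

# Emit one iptables command per de-duplicated destination for TABLE/CHAIN
# with the given TARGET. With LOG the packet is logged and keeps traversing,
# so the same flow shows up once per chain in the kernel log.
gen_rules() {
    local table="$1" chain="$2" target="$3" t extra=""
    [ "$target" = LOG ] && extra=" --log-prefix \"$chain: \""
    for t in $(dedupe_targets "$TARGETS"); do
        echo "iptables -t $table -I $chain -d $t -j $target$extra"
    done
}

gen_rules nat PREROUTING LOG
gen_rules filter FORWARD LOG
```

Two practical caveats when reading the resulting log. The nat table is only consulted for the first packet of each connection, so a LOG rule in nat/PREROUTING prints one line per connection while the same rule in filter/FORWARD prints one line per forwarded packet; if you want to see every packet before routing, mangle/PREROUTING is traversed for all of them. And once DROP rules are restored, keep only the three de-duplicated destinations, since the two /32 rules can never match anything the /24 rule has not already taken.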