- Subject: Re: Theoretical question: need for filter table in the POSTROUTING chain
- From: Grant Taylor <gtaylor@xxxxxxxxxxxxxxxxx>
- Date: Thu, 25 Aug 2011 09:51:42 -0500
- In-reply-to: <4E5634C3.80908@freemail.hu>
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110609 Lightning/1.0b3pre Thunderbird/3.1.10
On 08/25/11 06:40, Gáspár Lajos wrote:
> I would like to filter some destination IP-s both on the FORWARD and the
> OUTPUT chains... (For example to stop requests to private IP
> destinations from leaving our system.)
> I would like to use the REJECT target...
> It would be nice if there would be a filter table in the POSTROUTING
> chain...
> What do you think?
How about putting a reject route in the kernel routing table?
That will very easily prevent the packets from leaving your system.
Further, I think the kernel will (by default) send an ICMP packet
indicating that there is no route.
IPTables is great, but sometimes it's better to use a different technology.
Grant. . . .
P.S. Here's a series of commands that I run on my systems.
route add -net 0.0.0.0 netmask 255.0.0.0 reject
route add -net 10.0.0.0 netmask 255.0.0.0 reject
route add -net 169.254.0.0 netmask 255.255.0.0 reject
route add -net 172.16.0.0 netmask 255.240.0.0 reject
route add -net 192.0.2.0 netmask 255.255.255.0 reject
route add -net 192.168.0.0 netmask 255.255.0.0 reject
route add -net 198.51.100.0 netmask 255.255.255.0 reject
route add -net 203.0.113.0 netmask 255.255.255.0 reject
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
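Added example, not part of the thread: a small routing-table simulator that converts the net-tools `route add ... reject` lines above into their iproute2 form and runs a longest-prefix-match lookup, the way the kernel FIB decides a packet's fate. It assumes that a net-tools `reject` route is the same route type as iproute2's `unreachable`; the LAN route and default route in the table are constructed, and show why a reject route for 192.168.0.0/16 does not cut off a host's own, more specific 192.168.1.0/24 network.

```python
import ipaddress

# Reject routes copied from the list posting above (constructed input for this example).
ROUTE_CMDS = """\
route add -net 10.0.0.0 netmask 255.0.0.0 reject
route add -net 169.254.0.0 netmask 255.255.0.0 reject
route add -net 172.16.0.0 netmask 255.240.0.0 reject
route add -net 192.168.0.0 netmask 255.255.0.0 reject
"""


def parse_route_add(line):
    """Turn 'route add -net NET netmask MASK reject' into (network, 'unreachable')."""
    parts = line.split()
    net = parts[parts.index("-net") + 1]
    mask = parts[parts.index("netmask") + 1]
    # Assumption: net-tools 'reject' installs an RTN_UNREACHABLE route,
    # which iproute2 spells 'unreachable' (ICMP host unreachable is sent back).
    return ipaddress.ip_network(f"{net}/{mask}"), "unreachable"


def to_iproute2(line):
    """Equivalent iproute2 command for one net-tools 'route add ... reject' line."""
    net, action = parse_route_add(line)
    return f"ip route add {action} {net.with_prefixlen}"


def build_table(cmds=ROUTE_CMDS):
    """Reject routes plus a constructed connected LAN route and default route."""
    table = [parse_route_add(l) for l in cmds.splitlines() if l.strip()]
    table.append((ipaddress.ip_network("192.168.1.0/24"), "dev eth0"))   # constructed LAN
    table.append((ipaddress.ip_network("0.0.0.0/0"), "via default gw"))  # constructed default
    return table


def lookup(table, dst):
    """Longest-prefix match over (network, action) entries, like the kernel FIB.

    A more specific route always wins, so the /24 LAN beats the /16 reject,
    while any other 192.168.x.x destination still hits the reject route.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, action in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else None
```

Because the decision happens in the routing lookup, it applies equally to locally generated and forwarded traffic, which is the effect the original question wanted from a POSTROUTING filter.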