Re: Theoretical question: need for filter table in the POSTROUTING chain
|[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]|
On 08/25/11 06:40, Gáspár Lajos wrote:
I would like to filter some destination IP-s both on the FORWARD and the OUTPUT chains... (For example to stop requests to private IP destinations leave our system.) I would like to use the REJECT target... It would be nince if there would be a filter table in the POSTROUTING chain... What do you think?
How about putting a reject route in the kernel routing table? That will very easily prevent the packets from leaving your system.Further, I think the kernel will (by default) send an ICMP packet indicating that there is no route.
IPTables is great, but sometimes it's better to use a different technology. Grant. . . . P.S. Here's a series of commands that I run on my systems. route add -net 0.0.0.0 netmask 255.0.0.0 reject route add -net 10.0.0.0 netmask 255.0.0.0 reject route add -net 169.254.0.0 netmask 255.255.0.0 reject route add -net 172.16.0.0 netmask 255.240.0.0 reject route add -net 192.0.2.0 netmask 255.255.255.0 reject route add -net 192.168.0.0 netmask 255.255.0.0 reject route add -net 198.51.100.0 netmask 255.255.255.0 reject route add -net 203.0.113.0 netmask 255.255.255.0 reject -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html