Re: Theoretical question: need for filter table in the POSTROUTING chain

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On 08/25/11 06:40, Gáspár Lajos wrote:
I would like to filter some destination IP-s both on the FORWARD and the
OUTPUT chains... (For example to stop requests to private IP
destinations leave our system.)
I would like to use the REJECT target...
It would be nince if there would be a filter table in the POSTROUTING
chain...

What do you think?

How about putting a reject route in the kernel routing table?

That will very easily prevent the packets from leaving your system.

Further, I think the kernel will (by default) send an ICMP packet indicating that there is no route.

IPTables is great, but sometimes it's better to use a different technology.



Grant. . . .


P.S.  Here's a series of commands that I run on my systems.

route add -net 0.0.0.0 netmask 255.0.0.0 reject
route add -net 10.0.0.0 netmask 255.0.0.0 reject
route add -net 169.254.0.0 netmask 255.255.0.0 reject
route add -net 172.16.0.0 netmask 255.240.0.0 reject
route add -net 192.0.2.0 netmask 255.255.255.0 reject
route add -net 192.168.0.0 netmask 255.255.0.0 reject
route add -net 198.51.100.0 netmask 255.255.255.0 reject
route add -net 203.0.113.0 netmask 255.255.255.0 reject
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Linux Netfilter Development]     [Linux Kernel Networking Development]     [Linux Networking Development]     [Linux Kernel Development]     [Linux Resources]     [LARTC]     [Bugtraq]     [Consulting]     [Free Internet Dating]     [Yosemite Forum]     [Photo]

Add to Google Powered by Linux