nat and block ip address
eddy cheung
eddy_cheung@ami-group.com
Fri, 14 Dec 2001 16:36:43 +0800
Dear Patrick,
First of all, thanks for your reply.
If I block the INPUT/OUTPUT of the banned ip address on the gateway, the
packets should be dropped when they go through the gateway and no connection will
be created. Is it true?
Anyway, I also tried your suggestion, using the FORWARD rule, but it still
doesn't work. The following is the full details of my firewall conf file,
could you please take a look and tell me what's wrong with the file?
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -A FORWARD -j LOG
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
iptables -A INPUT -i $EXTIF -s $BANNED_IP -j DROP
iptables -A INPUT -i $EXTIF -d $BANNED_IP -j DROP
iptables -A OUTPUT -o $EXTIF -s $BANNED_IP -j DROP
iptables -A OUTPUT -o $EXTIF -d $BANNED_IP -j DROP
iptables -A FORWARD -i $EXTIF -s $BANNED_IP -j DROP
iptables -A FORWARD -o $EXTIF -d $BANNED_IP -j DROP
Thanks again and Best Regards,
Eddy
-----Original Message-----
From: Patrick Schaaf [mailto:bof@bof.de]
Sent: Friday, December 14, 2001 4:26 PM
To: eddy cheung
Cc: netfilter@lists.samba.org
Subject: Re: nat and block ip address
Eddy,
> I setup the ip masquerading as follows:
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
> iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
>     -j ACCEPT
...
>
> It works fine, my internal network can go through the gateway to the
> internet.
> But when I want to block some web site by making the rule:
>
> iptables -A INPUT -i $EXTIF -s $BANNED_IP -j DROP
> iptables -A INPUT -i $EXTIF -d $BANNED_IP -j DROP
> iptables -A OUTPUT -o $EXTIF -s $BANNED_IP -j DROP
> iptables -A OUTPUT -o $EXTIF -d $BANNED_IP -j DROP
>
> It's supposed that the banned_ip web site cannot be connected to, but the result is that it
> still can be connected to using Internet Explorer.
I am assuming that you add these non-working rules also to the gateway?
Then, why use INPUT and OUTPUT? Those two are only for connections
made by processes on the gateway machine itself. All traffic forwarded
back and forth is policed by the FORWARD chain.
So, instead of your INPUT/OUTPUT rules, this should do:
iptables -A FORWARD -i $EXTIF -s $BANNED_IP -j DROP
iptables -A FORWARD -o $EXTIF -d $BANNED_IP -j DROP
regards
Patrick
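Added example, not part of Eddy's or Patrick's messages: a dry-run generator for the same gateway ruleset, with the banned-address DROP rules placed ahead of every ACCEPT in FORWARD. iptables walks a chain top to bottom and acts on the first rule that matches, so a DROP appended after `-A FORWARD -i $INTIF -o $EXTIF -j ACCEPT` is never reached by outbound packets, and the FORWARD rules need to come first. The interface names and the banned address (a TEST-NET-3 placeholder) are assumptions; by default the script only prints the commands so the order can be reviewed, and only applies them when run as root on the gateway with IPTABLES=iptables.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the gateway ruleset with the
# banned-address DROP rules placed before any ACCEPT in FORWARD, because iptables
# stops at the first matching rule in a chain.
EXTIF="${EXTIF:-eth0}"                    # assumed external interface name
INTIF="${INTIF:-eth1}"                    # assumed internal interface name
BANNED_IP="${BANNED_IP:-203.0.113.10}"    # constructed placeholder address (TEST-NET-3)
IPTABLES="${IPTABLES:-echo iptables}"     # dry run: print the commands instead of applying them

# Print (or apply, when IPTABLES=iptables) the rules in the order they must be loaded.
gen_rules() {
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    # Banned address first, in both directions, before anything in FORWARD can ACCEPT.
    # Matching on the address alone (no state match) also cuts flows that already exist.
    $IPTABLES -A FORWARD -o "$EXTIF" -d "$BANNED_IP" -j DROP
    $IPTABLES -A FORWARD -i "$EXTIF" -s "$BANNED_IP" -j DROP
    # Only now the forwarding and masquerading rules from the original config.
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    $IPTABLES -A FORWARD -j LOG --log-prefix "FWD-DROP: "
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# Ordering check: the first FORWARD DROP for BANNED_IP must precede the first FORWARD ACCEPT.
check_order() {
    rules=$(gen_rules)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- "-A FORWARD .* $BANNED_IP -j DROP" | head -n 1 | cut -d: -f1)
    accept_line=$(printf '%s\n' "$rules" | grep -n -- "-A FORWARD .*-j ACCEPT" | head -n 1 | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$accept_line" ] && [ "$drop_line" -lt "$accept_line" ]
}

# Number of flush, policy and rule lines the generator emits (a quick self-check).
rule_count() {
    gen_rules | grep -c -e '-A ' -e '-P ' -e '-F'
}

if [ "$IPTABLES" = "iptables" ]; then
    # Only when really applying, as root on the gateway: enable forwarding as in the original config.
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
gen_rules
```

The two INPUT/OUTPUT DROP rules from the original config are left out because, as Patrick says, they only govern traffic to and from the gateway's own processes; they can be added back if the gateway itself should also be kept from talking to the banned address. The `--log-prefix` on the LOG rule just makes the dropped-forward entries easy to pick out in the kernel log when checking whether the block works.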