post and prerouting help

Brad Chapman kakadu@earthlink.net
Fri, 20 Jul 2001 07:47:50 -0400


Mr. Parkhi, Mr. Martinez,

   You can use the mangle table for fully blocking connections, since
the mangle table doesn't have any of the NAT stuff in it and will thus drop
EVERYTHING, whether it was NAT'ted or not. The only problem is that you
could only do this for the PREROUTING chain to drop ALL incoming 
connections.
To also drop ALL outgoing connections, you would need my mangle5hooks patch
which adds the POSTROUTING chain (and others) to the mangle table, so that
you can fully control incoming/outgoing connections before routing.

Brad

Yogini Parkhi wrote:

> Hi
> AFAIK POSTROUTING is the last chain traversed when forwarding is turned on
> before your packets leave the box. But the nat table is consulted only for
> packets that will start new connections
> See iptables man pages:
> "nat This table is consulted when a packet that creates a new connection is
> encountered. It consists of three built-ins: PREROUTING (for altering packets
> as soon as they come in), OUTPUT (for altering locally-generated packets
> before routing), and POSTROUTING (for altering packets as they are about to
> go out)."
> 
> So your older connections work and newer do not when you set the policy of
> POSTROUTING to DROP. Makes perfect sense.
> Hope this helps
> -Yogini
> 
> -----Original Message-----
> From: netfilter-admin@lists.samba.org <mailto:netfilter-admin@lists.samba.org>
> [mailto:netfilter-admin@lists.samba.org]On Behalf Of Phil Martinez
> Sent: Thursday, July 19, 2001 8:20 AM
> To: netfilter@lists.samba.org <mailto:netfilter@lists.samba.org>
> Subject: post and prerouting help
> 
> Hi,
> 
> First a description of my box: Mandrake 8.0 stock kernel, 2 physical
> interfaces, IP forwarding turned on.
> 
> I was under the impression that the POSTROUTING and PREROUTING chains
> were special chains used only for special natting purposes.  I set these
> 2 policies to DROP by default and suddenly EVERYTHING stops.
> 
> I am on a normal routable network...199.242.x.x and am not doing any
> type of routing.  iptables -L shows that I ACCEPT everything on the
> input, output and forward chains.  This of course won't be my finished
> default policy, but I was going crazy yesterday when I couldn't even ssh
> to my localhost.
> 
> Anyway, as soon as I change for instance the POSTROUTING policy to DROP
> I can't make new connections out.  Say for instance I have a ssh session
> open; that keeps working, but if I had another console up that was
> pinging some host on the network, it stops and starts erroring with the
> message "ping: send: operation not permitted".
> 
> Now, if I have the PREROUTING set to DROP, everything is great going out,
> but connections coming in, no dice.  So my question is, what role do
> these two chains REALLY play in the packet flow?  Does every packet go
> through them for directions on which route to take?
> --
> Sincerely,
> Phil Martinez
> J. River, Inc.
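As an added illustration (not code from the thread or from netfilter itself), here is a small Python model of the chain traversal Yogini and Brad describe: the nat table is skipped for packets of already-tracked connections, so a DROP policy on nat POSTROUTING stops only new outbound connections, whereas a DROP policy on mangle PREROUTING sees every inbound packet. The traversal order, the assumption that the chains hold no rules (so the policy decides), and the presence of a mangle POSTROUTING chain (which on stock kernels of that era needed Brad's mangle5hooks patch) are simplifications of mine.

```python
from typing import Dict, List, Tuple

Hook = Tuple[str, str]  # (table, chain)

# Chains a locally generated packet traverses, in order, and chains an inbound
# packet destined for the box traverses. Simplified model: filter chains are
# ACCEPT as in Phil's setup, and mangle/POSTROUTING is assumed to exist
# (stock 2.4 kernels of the time needed the mangle5hooks patch for it).
OUTBOUND_PATH: List[Hook] = [("mangle", "OUTPUT"), ("nat", "OUTPUT"),
                             ("filter", "OUTPUT"), ("mangle", "POSTROUTING"),
                             ("nat", "POSTROUTING")]
INBOUND_PATH: List[Hook] = [("mangle", "PREROUTING"), ("nat", "PREROUTING"),
                            ("filter", "INPUT")]


def default_policies() -> Dict[Hook, str]:
    """Every chain starts with an ACCEPT policy, as `iptables -L` showed."""
    return {hook: "ACCEPT" for hook in OUTBOUND_PATH + INBOUND_PATH}


def verdict(conntrack_state: str, path: List[Hook], policies: Dict[Hook, str]) -> str:
    """Walk one packet through the chains and return where it is dropped,
    or ACCEPT. conntrack_state is NEW for the first packet of a connection
    and ESTABLISHED for later packets of an already-tracked one."""
    for table, chain in path:
        # The nat table is consulted only for packets that create a new
        # connection; packets of existing connections bypass it entirely,
        # so a nat chain policy never touches them.
        if table == "nat" and conntrack_state != "NEW":
            continue
        # Assumption: the chains hold no rules, so the chain policy decides.
        if policies[(table, chain)] == "DROP":
            return f"DROP at {table}/{chain}"
    return "ACCEPT"


def scenario(policies: Dict[Hook, str], direction: str) -> Dict[str, str]:
    """Verdicts for a new and an established packet in one direction."""
    path = OUTBOUND_PATH if direction == "out" else INBOUND_PATH
    return {state: verdict(state, path, policies) for state in ("NEW", "ESTABLISHED")}


if __name__ == "__main__":
    nat_drop = default_policies()
    nat_drop[("nat", "POSTROUTING")] = "DROP"        # Phil's experiment
    print("nat POSTROUTING DROP, outbound:", scenario(nat_drop, "out"))
    mangle_drop = default_policies()
    mangle_drop[("mangle", "PREROUTING")] = "DROP"   # Brad's suggestion
    print("mangle PREROUTING DROP, inbound:", scenario(mangle_drop, "in"))
```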