Question on PREROUTING and INPUT chains
Sat, 9 Nov 2002 13:07:17 +0000
On Monday 04 November 2002 8:46 pm, Carlos FaĿanha wrote:
> I have a Linux box used as NAT server and firewall. All
> requests on its port 80 are forwarded to a local webserver
> inside my network. I want to block access to all services
> including http from a specific external host.
> I'm using the following rule to block the host
> iptables -A INPUT -i $extint -s $hostip -j DROP
> and this one to do the NAT
> iptables -t nat -A PREROUTING -p tcp --dport 80 -d $extip -j
> DNAT --to $webserverip:80
> The problem is that the host is blocked from accessing all
> services but http. I've already checked if there are any
> rules before that ACCEPT the request. It seems that prerouted
> packets are bypassing the INPUT chain.
> Is it correct? If not, what am I doing wrong?
It is correct that routed packets bypass the INPUT chain. Only packets
destined for the firewall machien go through INPUT - packets which are going
somewhere else go through FORWARD.
Therefore put your blocking rule in the FORWARD chain instead and it should
do what you want.
If the human brain were so simple that we could understand it,
we'd be so simple that we couldn't.