Question on PREROUTING and INPUT chains
Antony Stone
Antony@Soft-Solutions.co.uk
Sat, 9 Nov 2002 13:07:17 +0000
On Monday 04 November 2002 8:46 pm, Carlos Façanha wrote:
> I have a Linux box used as NAT server and firewall. All
> requests on its port 80 are forwarded to a local webserver
> inside my network. I want to block access to all services
> including http from a specific external host.
>
> I'm using the following rule to block the host
>
> iptables -A INPUT -i $extint -s $hostip -j DROP
>
> and this one to do the NAT
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -d $extip -j
> DNAT --to $webserverip:80
>
> The problem is that the host is blocked from accessing all
> services but http. I've already checked if there are any
> rules before that ACCEPT the request. It seems that prerouted
> packets are bypassing the INPUT chain.
>
> Is it correct? If not, what am I doing wrong?
It is correct that routed packets bypass the INPUT chain. Only packets
destined for the firewall machine go through INPUT - packets which are going
somewhere else go through FORWARD.
Therefore put your blocking rule in the FORWARD chain instead and it should
do what you want.
Antony.
--
If the human brain were so simple that we could understand it,
we'd be so simple that we couldn't.
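The rule set below is an added example illustrating Antony's answer; it is not Carlos's configuration or anything from the netfilter project. The interface name and addresses are assumptions standing in for the $extint, $extip, $hostip and $webserverip variables in the question (the addresses are RFC 5737 documentation ranges), and the "-i $extint" match on the PREROUTING rule is an addition so the DNAT only applies to packets arriving from outside. The point it demonstrates is the chain traversal: DNAT happens in nat/PREROUTING before the routing decision, so the rewritten packet is routed to the web server and traverses filter/FORWARD, never filter/INPUT. The blocking rule therefore has to be in FORWARD, and it has to sit above any FORWARD ACCEPT for the forwarded web traffic.

```sh
#!/bin/sh
# Added example, not the original poster's or Antony's rules. Interface and
# addresses are assumptions standing in for $extint/$extip/$hostip/$webserverip.
#
# Path of a packet arriving on $extint:
#   nat/PREROUTING   DNAT rewrites -d $extip:80 to $webserverip:80
#     -> routing decision on the *rewritten* destination
#        -> filter/INPUT    only if the destination is this box
#        -> filter/FORWARD  if the destination is another host (the web server)
# A DROP for $hostip in INPUT therefore never sees the DNAT'd port-80 traffic.

IPT=${IPT:-iptables}
extint=${extint:-eth0}               # assumed external interface
extip=${extip:-203.0.113.10}         # assumed public address of the firewall
hostip=${hostip:-198.51.100.7}       # assumed external host to block
webserverip=${webserverip:-192.168.1.80}  # assumed internal web server

# Print the rules in the order they must be loaded. Pipe to sh (as root) to apply.
firewall_rules() {
    cat <<EOF
$IPT -t nat -A PREROUTING -i $extint -p tcp -d $extip --dport 80 -j DNAT --to-destination $webserverip:80
$IPT -A INPUT -i $extint -s $hostip -j DROP
$IPT -A FORWARD -i $extint -s $hostip -j DROP
$IPT -A FORWARD -i $extint -p tcp -d $webserverip --dport 80 -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}
# Note the FORWARD ACCEPT matches -d $webserverip, not -d $extip: by the time
# the packet reaches FORWARD its destination has already been rewritten.
# The ESTABLISHED,RELATED rule is deliberately placed after the DROP so that
# connections $hostip already had open are cut as well.

# Sanity check on the generated rules: the first rule appended to FORWARD must
# be the DROP for $hostip, otherwise an earlier ACCEPT would match first.
# Returns 0 when the order is right.
forward_drop_first() {
    firewall_rules | grep -- '-A FORWARD' | head -n 1 | grep -q -- "-s $hostip -j DROP"
}

case "${1:-print}" in
    apply) forward_drop_first && firewall_rules | sh ;;
    *)     firewall_rules ;;
esac
```

On a box whose FORWARD chain already contains an ACCEPT for the forwarded web traffic, use "iptables -I FORWARD 1 -i $extint -s $hostip -j DROP" instead of -A so the DROP lands above it. To confirm the rule is doing the work, watch the packet counters with "iptables -L FORWARD -v -n" while the blocked host retries, or test for its presence with "iptables -C FORWARD -i $extint -s $hostip -j DROP", which exits 0 when the rule exists.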