How to DROP ip from behind NAT
przemek at skyline.ltd.pl
Wed Nov 16 22:57:32 CET 2005
On Wed, 16 Nov 2005 15:05:57 -0600
Matt Zagrabelny <mzagrabe at d.umn.edu> wrote:
> can YYY.YYY.YYY.YYY be on the same network as M2 (10.1.1.2) ?
> if it is out on the internet, then block it in the FORWARD chain of
> the filter table on M1.
> ps. your notation is a little confusing. perhaps use the following
> ip:port -> ip:port (absence of port denotes any port)
> for example, what i think you meant above would be you want to block
> 10.1.1.2 -> YYY.YYY.YYY.YYY:22
> is that correct?
YYY.YYY.YYY.YYY is an internet address, not on the same network.
I tried blocking in FORWARD, but this did not work for me :(
> again, i am confused. what i think you want is
> allow 10.1.1.3 -> YYY.YYY.YYY.YYY:80
> block everything else from 10.1.1.3
> again, this would be done in the FORWARD chain of the filter table.
> please verify what you want and if you need help writing the rules
> then we can help.
Correct but YYY.YYY.YYY.YYY is outside of this network...
iptables -A FORWARD -s 10.1.1.3 -j DROP
iptables -A FORWARD -s 10.1.1.3 -d 126.96.36.199 --dport 80 - j
but I can still access anything :(
Przemek < skyline.ltd.pl / przemek@ >
ICQ: 99511187 MSN: tommyindahla -at- hotmail.com
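
As an added example (not part of the original post or of netfilter itself): a small first-match model of the filter table's FORWARD chain, showing how rule order decides the outcome for the "allow 10.1.1.3 -> YYY.YYY.YYY.YYY:80, block everything else from 10.1.1.3" policy discussed above. The address 203.0.113.10 stands in for YYY.YYY.YYY.YYY, and the broad LAN ACCEPT rule in the third chain is an assumption used to illustrate rules appended with -A behind an earlier match.

```python
# Added example: first-match evaluation of a FORWARD chain (a model, not iptables).
from ipaddress import ip_address, ip_network

WEB = "203.0.113.10"  # constructed placeholder for YYY.YYY.YYY.YYY

def rule(target, src=None, dst=None, proto=None, dport=None):
    return {"target": target, "src": src, "dst": dst, "proto": proto, "dport": dport}

def matches(r, pkt):
    # An unset field matches anything, like an omitted iptables option.
    if r["src"] and ip_address(pkt["src"]) not in ip_network(r["src"]):
        return False
    if r["dst"] and ip_address(pkt["dst"]) not in ip_network(r["dst"]):
        return False
    if r["proto"] and pkt["proto"] != r["proto"]:
        return False
    if r["dport"] is not None and pkt["dport"] != r["dport"]:
        return False
    return True

def verdict(chain, pkt, policy="ACCEPT"):
    # The first matching rule with a terminating target wins;
    # the chain policy applies only if nothing matched.
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy

allow_web = rule("ACCEPT", src="10.1.1.3", dst=WEB, proto="tcp", dport=80)
drop_host = rule("DROP", src="10.1.1.3")
lan_accept = rule("ACCEPT", src="10.1.1.0/24")  # assumed pre-existing rule

CHAINS = {
    "drop_then_allow": [drop_host, allow_web],    # ACCEPT is never reached
    "allow_then_drop": [allow_web, drop_host],    # intended policy
    "appended_after_lan_accept": [lan_accept, allow_web, drop_host],
}

def pkt(dst, dport, src="10.1.1.3", proto="tcp"):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}

PACKETS = {"web": pkt(WEB, 80), "ssh": pkt(WEB, 22)}  # constructed test packets

def results():
    return {name: {label: verdict(chain, p) for label, p in PACKETS.items()}
            for name, chain in CHAINS.items()}

if __name__ == "__main__":
    for name, res in results().items():
        print(f"{name:28s} web={res['web']:6s} ssh={res['ssh']}")
```

On a live gateway, `iptables -L FORWARD -n -v --line-numbers` shows the actual rule order and the per-rule packet counters, which tell you whether a rule is ever being hit.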