How to DROP ip from behind NAT

Przemek przemek at
Wed Nov 16 22:57:32 CET 2005

On Wed, 16 Nov 2005 15:05:57 -0600
Matt Zagrabelny <mzagrabe at> wrote:
> can YYY.YYY.YYY.YYY be on the same network as M2 ( ?
> if it is out on the internet, then block it in the FORWARD chain of
> the filter table on M1.
> ps. your notation is a little confusing. perhaps use the following
> notation:
> ip:port -> ip:port (absence of port denotes any port)
> for example, what i think you meant above would be you want to block
> is that correct?
YYY.YYY.YYY.YYY is an internet address, not on the same network.
I had tried blocking on FORWARD, but this did not work for me :(
> again, i am confused. what i think you want is
> allow -> YYY.YYY.YYY.YYY:80
> block everything else from
> again, this would be done in the FORWARD chain of the filter table.
> please verify what you want and if you need help writing the rules
> then we can help.
Correct, but YYY.YYY.YYY.YYY is outside of this network...
I tried:
iptables -A FORWARD -s -j DROP
iptables -A FORWARD -s -d -p tcp --dport 80 -j
but I can still access anything :(

Przemek < / przemek@ >
ICQ: 99511187 MSN: tommyindahla -at-
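The filter/FORWARD chain on the NAT box (M1) is evaluated top to bottom and the first matching rule decides the verdict, so a blanket DROP for the client has to come after the ACCEPT for client -> YYY.YYY.YYY.YYY:80, and `--dport` only works after `-p tcp`. FORWARD also sees the client's private source address, because MASQUERADE/SNAT in nat/POSTROUTING runs after filter/FORWARD, so matching `-s <client>` there is correct. The following is an added example, not code from the original poster: a small first-match model of the chain that renders each rule as the iptables command it stands for and shows what each rule order does. The addresses are placeholders (CLIENT for the LAN host behind M1, YYY for YYY.YYY.YYY.YYY, OTHER for any other internet host).

```python
"""Toy model of netfilter's filter/FORWARD chain: rules are checked in
order, the first match wins, and the chain policy applies otherwise.
Added example for this thread, not the original poster's code.
Addresses are assumptions standing in for the ones the archive stripped."""
from dataclasses import dataclass
from typing import Dict, List, Optional

CLIENT = "192.168.1.10"   # assumed: the LAN host behind M1 to restrict
YYY = "203.0.113.80"      # assumed: stands in for YYY.YYY.YYY.YYY
OTHER = "198.51.100.7"    # assumed: some other host on the internet


@dataclass(frozen=True)
class Packet:
    src: str                       # source as seen in FORWARD (pre-SNAT)
    dst: str                       # destination (post-DNAT)
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    target: str                    # ACCEPT or DROP
    src: Optional[str] = None      # -s
    dst: Optional[str] = None      # -d
    proto: Optional[str] = None    # -p, required before --dport
    dport: Optional[int] = None    # --dport

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only if every field it specifies agrees."""
        if self.src is not None and pkt.src != self.src:
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True

    def to_iptables(self) -> str:
        """Render the rule as the iptables command that appends it."""
        parts = ["iptables", "-A", "FORWARD"]
        if self.src is not None:
            parts += ["-s", self.src]
        if self.dst is not None:
            parts += ["-d", self.dst]
        if self.proto is not None:
            parts += ["-p", self.proto]
        if self.dport is not None:
            if self.proto is None:
                # real iptables rejects this: "unknown option --dport"
                raise ValueError("--dport needs -p tcp or -p udp")
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.target]
        return " ".join(parts)


def forward_verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Allow only client -> YYY:80, drop everything else from the client.
ALLOW_WEB = Rule("ACCEPT", src=CLIENT, dst=YYY, proto="tcp", dport=80)
DROP_REST = Rule("DROP", src=CLIENT)

# Appending DROP first makes the ACCEPT unreachable.
DROP_FIRST = [DROP_REST, ALLOW_WEB]
# Specific ACCEPT first, catch-all DROP second.
ALLOW_FIRST = [ALLOW_WEB, DROP_REST]

# Constructed sample traffic crossing M1.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "client->YYY:80": Packet(CLIENT, YYY, "tcp", 80),
    "client->YYY:443": Packet(CLIENT, YYY, "tcp", 443),
    "client->other:80": Packet(CLIENT, OTHER, "tcp", 80),
    "neighbour->other:80": Packet("192.168.1.11", OTHER, "tcp", 80),
}


def verdicts(chain: List[Rule]) -> Dict[str, str]:
    return {name: forward_verdict(chain, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for rule in ALLOW_FIRST:
        print(rule.to_iptables())
    for label, chain in (("DROP first", DROP_FIRST), ("ACCEPT first", ALLOW_FIRST)):
        print(label, verdicts(chain))
```

On a real box, `iptables -L FORWARD -n -v --line-numbers` shows the rule order and a per-rule packet counter; if the counters on your new rules stay at zero while traffic flows, an earlier rule in FORWARD (or a different chain or table) is matching first. `iptables -I FORWARD 1 ...` inserts at the top instead of appending.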

More information about the netfilter mailing list