How to DROP IP from behind NAT

Przemek przemek at skyline.ltd.pl
Wed Nov 16 22:57:32 CET 2005


On Wed, 16 Nov 2005 15:05:57 -0600
Matt Zagrabelny <mzagrabe at d.umn.edu> wrote:
> can YYY.YYY.YYY.YYY be on the same network as M2 (10.1.1.2) ?
> if it is out on the internet, then block it in the FORWARD chain of
> the filter table on M1.
> 
> ps. your notation is a little confusing. perhaps use the following
> notation:
> 
> ip:port -> ip:port (absence of port denotes any port)
> 
> for example, what i think you meant above would be you want to block
> 10.1.1.2 -> YYY.YYY.YYY.YYY:22
> 
> is that correct?
YYY.YYY.YYY.YYY is an internet address, not on the same network.
I had tried blocking on FORWARD but this did not work for me :(

> again, i am confused. what i think you want is
> allow 10.1.1.3 -> YYY.YYY.YYY.YYY:80
> block everything else from 10.1.1.3
> 
> again, this would be done in the FORWARD chain of the filter table.
> 
> please verify what you want and if you need help writing the rules
> then we can help.
Correct, but YYY.YYY.YYY.YYY is outside of this network...
I tried:
iptables -A FORWARD -s 10.1.1.3 -j DROP
iptables -A FORWARD -s 10.1.1.3 -d 217.217.217.100 --dport 80 -j ACCEPT
but I can still access anything :(

---
Przemek < skyline.ltd.pl / przemek@ >
ICQ: 99511187 MSN: tommyindahla -at- hotmail.com
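The rules quoted in the message above are evaluated by netfilter in order, and the first rule that matches decides the verdict. The following is an added example (written for this page, not netfilter or iptables code, and not from any list participant) that models that first-match behaviour for a FORWARD chain and runs the two orderings against constructed packets. The addresses 10.1.1.3 and 217.217.217.100 come from the message; the 10.1.1.2 packet, the port 22 packet and the ACCEPT default policy are assumptions for the simulation.

```python
"""First-match model of a netfilter filter-table chain (e.g. FORWARD).

Simulation written for this page, not netfilter/iptables code. Addresses
10.1.1.3 and 217.217.217.100 come from the post; the other packets and the
ACCEPT default policy are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp", "icmp", ...
    dport: int = 0  # 0 = no destination port (e.g. icmp)


@dataclass
class Rule:
    target: str                   # -j ACCEPT / -j DROP
    src: Optional[str] = None     # -s address or CIDR
    dst: Optional[str] = None     # -d address or CIDR
    proto: Optional[str] = None   # -p
    dport: Optional[int] = None   # --dport

    def __post_init__(self) -> None:
        # iptables only knows --dport once "-p tcp" or "-p udp" has loaded
        # that match; without it the command is rejected ("unknown option").
        if self.dport is not None and self.proto not in ("tcp", "udp"):
            raise ValueError('"--dport" needs "-p tcp" or "-p udp"')

    def matches(self, pkt: Packet) -> bool:
        if self.src and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


class Chain:
    """Rules are walked top to bottom; the first match wins, else the policy."""

    def __init__(self, policy: str = "ACCEPT") -> None:
        self.policy = policy
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:           # iptables -A CHAIN ...
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 0) -> None:  # iptables -I CHAIN ...
        self.rules.insert(pos, rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


# Constructed traffic: the restricted host, and a neighbour that must stay unaffected.
WEB = Packet("10.1.1.3", "217.217.217.100", "tcp", 80)
SSH = Packet("10.1.1.3", "217.217.217.100", "tcp", 22)
OTHER_HOST = Packet("10.1.1.2", "217.217.217.100", "tcp", 80)


def chain_as_posted() -> Chain:
    """DROP appended first, ACCEPT appended after it: the ACCEPT is unreachable.

    "-p tcp" is added here only so the ACCEPT rule can exist in the model at all.
    """
    ch = Chain()
    ch.append(Rule("DROP", src="10.1.1.3"))
    ch.append(Rule("ACCEPT", src="10.1.1.3", dst="217.217.217.100", proto="tcp", dport=80))
    return ch


def chain_corrected() -> Chain:
    """Specific ACCEPT ahead of the catch-all DROP (append in this order, or -I)."""
    ch = Chain()
    ch.append(Rule("ACCEPT", src="10.1.1.3", dst="217.217.217.100", proto="tcp", dport=80))
    ch.append(Rule("DROP", src="10.1.1.3"))
    return ch


def dport_without_proto_is_rejected() -> bool:
    """The ACCEPT rule exactly as typed in the post (no -p tcp) would not load."""
    try:
        Rule("ACCEPT", src="10.1.1.3", dst="217.217.217.100", dport=80)
    except ValueError:
        return True
    return False


def verdicts(ch: Chain) -> Dict[str, str]:
    return {"web": ch.verdict(WEB), "ssh": ch.verdict(SSH), "other_host": ch.verdict(OTHER_HOST)}


if __name__ == "__main__":
    print("as posted:", verdicts(chain_as_posted()))
    print("corrected:", verdicts(chain_corrected()))
    print("--dport without -p rejected:", dport_without_proto_is_rejected())
```

On the real gateway the same two points are what to check first: `iptables -L FORWARD -v -n --line-numbers` shows the rule order and the per-rule packet counters, so a DROP whose counter never moves means an earlier rule (or the policy) is accepting the traffic before it is reached, or the packets are not traversing FORWARD at all; and the ACCEPT rule must carry `-p tcp` before `--dport 80` and sit above the DROP (`iptables -I FORWARD 1 ...` places it at the top).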