Blocking direct private IP address
rob at sterenborg.info
Thu Mar 1 08:30:56 CET 2007
> My focus here is really on how to differentiate traffic that
> gets DNATted from 10.0.0.1 to 192.168.0.99 from traffic that
> was actually directly addressed to 192.168.0.99.
By matching destination-port for example.
If you match packets for 10.0.0.1:80 and forward it using
PREROUTING/DNAT to 192.168.0.99, *all* packets that match these criteria
Packets sent to other ports are *not* DNATed; also, they are not sent to
the FORWARD chain but to the INPUT chain.
> In both cases, by the time the packet arrives in the filter
> table FORWARD chain, the destination is simply 192.168.0.99,
> there is no trace of the original pre-DNAT IP address, if
> any....at least, that is where I got stuck anyway.
I'm not clear on why you need that information, because...
> I hope that explains it a bit more clearly.
> The approach I am playing with at the moment is to add a rule
> in the mangle table PREROUTING chain that marks any packets
> that show up from eth0 that are not addressed to 10.0.0.1.
If you match packets to port 80/tcp, other ports are *not* forwarded.
> Then, in the filter table FORWARD chain, I added rules to
> test for that mark and log and drop any packets that match.
> I know I could simply put the logging and drop rules directly
> in the mangle table PREROUTING chain but, based on various
> guidelines for iptables I have read, I am trying to keep all
> filtering activities within the filter table.
I think that if you do something like this:
# default policy: nothing is forwarded unless a rule below allows it
$ipt -P FORWARD DROP
$ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# only new tcp/80 connections to the DNAT target are forwarded
$ipt -A FORWARD -m state --state NEW -d 192.168.0.99 \
     -p tcp --dport 80 -j ACCEPT
# rewrite the destination before routing; DNAT needs --to-destination
$ipt -t nat -A PREROUTING -i eth0 -d 10.0.0.1 \
     -p tcp --dport 80 -j DNAT --to-destination 192.168.0.99
it'll do what you want it to and you'll have the option to forward other
ports to other destination IPs.
More information about the netfilter
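Added example, not part of the list post: a small Python model of the traversal rob describes (nat PREROUTING, then the routing decision into INPUT or FORWARD, then the filter FORWARD chain), using the addresses, interface and port from the thread. The set of addresses the firewall itself owns is an assumption. It also models a stricter variant that only accepts FORWARD traffic whose destination was actually rewritten by DNAT, which is what iptables' `-m conntrack --ctstate DNAT` match checks; that variant is the added check for the original poster's concern that a packet addressed directly to 192.168.0.99 from eth0 would otherwise pass the same rule.

```python
# Toy netfilter traversal model (added example). It is not iptables; it
# only reproduces the chain order and the rules quoted in the thread.
from dataclasses import dataclass, replace

# Addresses owned by the firewall host itself: ASSUMED for this model.
LOCAL_ADDRS = {"10.0.0.1", "192.168.0.1"}


@dataclass(frozen=True)
class Packet:
    iface: str   # ingress interface, e.g. "eth0"
    src: str
    dst: str
    proto: str   # "tcp" / "udp"
    dport: int
    state: str = "NEW"   # conntrack state: NEW, ESTABLISHED, RELATED


def nat_prerouting(pkt: Packet) -> Packet:
    """rob's single DNAT rule: eth0, 10.0.0.1 tcp/80 -> 192.168.0.99."""
    if (pkt.iface == "eth0" and pkt.dst == "10.0.0.1"
            and pkt.proto == "tcp" and pkt.dport == 80):
        return replace(pkt, dst="192.168.0.99")
    return pkt


def routing_decision(pkt: Packet) -> str:
    """After nat PREROUTING: local destinations go to INPUT, others to FORWARD."""
    return "INPUT" if pkt.dst in LOCAL_ADDRS else "FORWARD"


def filter_forward(pkt: Packet, dnatted: bool, strict: bool = False) -> str:
    """rob's FORWARD chain: policy DROP, accept RELATED/ESTABLISHED,
    accept NEW tcp/80 to 192.168.0.99.  With strict=True the NEW rule
    additionally requires the destination to have been rewritten by DNAT
    (the equivalent of adding -m conntrack --ctstate DNAT to that rule)."""
    if pkt.state in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    if (pkt.state == "NEW" and pkt.dst == "192.168.0.99"
            and pkt.proto == "tcp" and pkt.dport == 80):
        if strict and not dnatted:
            return "DROP"
        return "ACCEPT"
    return "DROP"  # chain policy


def traverse(pkt: Packet, strict: bool = False):
    """Return (chain, verdict, dnatted).  The INPUT chain is not part of
    the thread's rules, so its verdict is reported as None."""
    after_nat = nat_prerouting(pkt)
    dnatted = after_nat.dst != pkt.dst
    chain = routing_decision(after_nat)
    if chain == "INPUT":
        return ("INPUT", None, dnatted)
    return ("FORWARD", filter_forward(after_nat, dnatted, strict), dnatted)


# Constructed sample packets arriving on eth0 from an outside host.
SAMPLES = {
    "published port": Packet("eth0", "203.0.113.5", "10.0.0.1", "tcp", 80),
    "other port":     Packet("eth0", "203.0.113.5", "10.0.0.1", "tcp", 22),
    "direct to lan":  Packet("eth0", "203.0.113.5", "192.168.0.99", "tcp", 80),
    "direct, 443":    Packet("eth0", "203.0.113.5", "192.168.0.99", "tcp", 443),
    "reply traffic":  Packet("eth0", "203.0.113.5", "192.168.0.99", "tcp", 80,
                             state="ESTABLISHED"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:15} plain={traverse(pkt)}  strict={traverse(pkt, strict=True)}")
```

Running it shows rob's point and the poster's worry side by side: the packet to the published port is rewritten and accepted in FORWARD, the packet to 10.0.0.1:22 is not rewritten and lands in INPUT, but a packet that reaches eth0 already addressed to 192.168.0.99:80 is accepted by the plain rule set and only dropped by the strict variant.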