Blocking direct private IP address
Rob Sterenborg
rob at sterenborg.info
Thu Mar 1 08:30:56 CET 2007
> My focus here is really on how to differentiate traffic that
> gets DNATted from 10.0.0.1 to 192.168.0.99 from traffic that
> was actually directly addressed to 192.168.0.99.
By matching destination-port for example.
If you match packets for 10.0.0.1:80 and forward them using
PREROUTING/DNAT to 192.168.0.99, *all* packets that match these criteria
are DNATed.
Packets sent to other ports are *not* DNATed; also, they are not sent to
the FORWARD chain but to the INPUT chain.
> In both cases, by the time the packet arrives in the filter
> table FORWARD chain, the destination is simply 192.168.0.99,
> there is no trace of the original pre-DNAT IP address, if
> any....at least, that is where I got stuck anyway.
I'm not clear on why you need that information, because...
> I hope that explains it a bit more clearly.
>
> The approach I am playing with at the moment is to add a rule
> in the mangle table PREROUTING chain that marks any packets
> that show up from eth0 that are not addressed to 10.0.0.1.
If you match packets to port 80/tcp, other ports are *not* forwarded.
> Then, in the filter table FORWARD chain, I added rules to
> test for that mark and log and drop any packets that match.
>
> I know I could simply put the logging and drop rules directly
> in the mangle table PREROUTING chain but, based on various
> guidelines for iptables I have read, I am trying to keep all
> filtering activities within the filter table.
I think that if you do something like this:
# default policy: drop everything that is not explicitly accepted below
$ipt -P FORWARD DROP
$ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# only new connections to the web host on port 80 may be forwarded
$ipt -A FORWARD -m state --state NEW -d 192.168.0.99 \
-p tcp --dport 80 -j ACCEPT
# the DNAT target needs --to-destination to name the new destination
$ipt -t nat -A PREROUTING -i eth0 -d 10.0.0.1 \
-p tcp --dport 80 -j DNAT --to-destination 192.168.0.99
it'll do what you want it to and you'll have the option to forward other
ports to other destination IPs.
Grts,
Rob
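An added, self-contained version of the ruleset discussed in this thread (example code, not Rob's or the original poster's script). It keeps the thread's names (eth0 as the outside interface, 10.0.0.1 as its address, 192.168.0.99 as the internal web host) and the default-DROP FORWARD policy from the reply above, but uses the conntrack match instead of the older state match. It also goes one step beyond the reply: the pre-DNAT destination is not lost after NAT, because the conntrack entry still records the original tuple, and the FORWARD rule can read it with --ctorigdst. That lets the accept rule admit only connections that really went through the DNAT, while direct connections to 192.168.0.99 from eth0 are logged (rate-limited) and fall through to the DROP policy. Setting IPT=echo runs the function as a dry run that prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the original netfilter thread.
# Assumed topology (taken from the thread): eth0 is the external interface
# with address 10.0.0.1; 192.168.0.99 is the internal web host.
# IPT can be overridden, e.g. IPT=echo, for a dry run that only prints rules.
IPT="${IPT:-iptables}"
EXT_IF="eth0"
EXT_IP="10.0.0.1"
WEB_HOST="192.168.0.99"

apply_rules() {
    # Default deny for forwarded traffic: anything not accepted below is
    # dropped, including packets addressed directly to the web host.
    "$IPT" -P FORWARD DROP

    # Replies and related packets of connections already accepted.
    "$IPT" -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # New connections to the web host on port 80 are accepted only when the
    # conntrack entry shows the ORIGINAL destination was the public address,
    # i.e. the packet was DNATed in nat/PREROUTING. -d is already rewritten
    # here, but --ctorigdst still sees the pre-NAT address.
    "$IPT" -A FORWARD -i "$EXT_IF" -m conntrack --ctstate NEW \
        --ctorigdst "$EXT_IP" -d "$WEB_HOST" -p tcp --dport 80 -j ACCEPT

    # Anything else from outside headed for the web host (direct addressing,
    # other ports) is logged at a bounded rate and then hits the DROP policy.
    "$IPT" -A FORWARD -i "$EXT_IF" -d "$WEB_HOST" -m limit --limit 5/min \
        -j LOG --log-prefix "FWD-DIRECT-DENY: "

    # The DNAT itself; --to-destination names the new destination.
    "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" \
        -p tcp --dport 80 -j DNAT --to-destination "$WEB_HOST"
}

# Load the rules for real only when invoked as: sh script.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run `IPT=echo sh script.sh apply` first to review the generated rules; the LOG line makes direct-addressed packets visible in the kernel log, which is the check the original poster was after, without moving any filtering out of the filter table.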