travelling the tables and chains...
gtaylor at riverviewtech.net
Mon Apr 4 05:30:08 CEST 2005
If I understand you correctly, you are wanting traffic that is not DNATed to pass through your FORWARD_WAN_TO_LAN chain? If that is the case you should try something like this:
iptables -A FORWARD -i $WAN -o $LAN -m state --state INVALID,NEW,UNTRACKED -j FORWARD_WAN_TO_LAN
iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
This should cause all traffic (if I understand correctly) that is not recognized by DNAT... (as I type this I'm thinking SNAT, but DNAT *may* behave the same way too) ...to be send to the FORWARD_WAN_TO_LAN and any traffic that is recognized by DNAT to be plainly ACCEPTED.
Does any one else have any comments on this?
Grant. . . .
Guido Lorenzutti wrote:
> Hi people, i would like to clean up my firewall script by creating new
> chains in the filter table. Like this:
> iptables -N FORWARD_WAN_TO_LAN
> Then, call the traffic in the FORWARD chain:
> iptables -A FORWARD -i $WAN -o $LAN -j FORWARD_WAN_TO_LAN
> Now how can i discriminate the DNATed packets from that rule? It's OK if
> i MARK them in the PREROUTING chain and create a rule BEFORE in the
> FORWARD chain to check if the packet im MARKed then -j DNATED_WAN_TO_LAN?
> Any better ideas?
More information about the netfilter