Hi all,
I'm curious as to the amount of things that can be performed within the
PREROUTING chain. Though this is in the nat table, which (if any) of the
following arguments to the iptables command would be invalid? My external
interface is eth0.
1) iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP   # invalid ip's
2) iptables -t nat -A PREROUTING -i eth0 -p tcp --syn \
       -d $MY_IP --dport 23 -j DROP   # SYN matching
3) iptables -t nat -A PREROUTING -i eth0 -p tcp --syn -m state --state NEW \
       -d 204.75.165.10 --dport 80 -j ACCEPT   # state
I guess my basic question is whether or not I can perform most of the packet
matching rules that we would normally use in the filter table within the nat
table.
And lastly, at what points within the nat chain would these checks be made? My
assumption is that the checks would take place after conntrack, mangle, and
dnat. If I'm in error on this, I would appreciate someone to help clarify.
Thanks a million!
Harv
____________________________________________________________________
Harv Frost                        En.gen (a Division of J. River, Inc.)
mailto:frost@engen.com            2727 W. Baseline Rd #13
http://www.engen.com              Tempe, AZ 85283
ftp://ftp.engen.com               Tel: 602-438-1110
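A small model of the path the question is about, added here as an illustration and not part of Harv's post or of the netfilter project's code. For an incoming packet the kernel runs the PREROUTING hooks in the order raw, conntrack lookup, mangle, nat; the nat table is consulted only for the first packet of a connection (conntrack state NEW), so a rule placed there, DROP included, never sees the later packets of a flow that was accepted, and `-m state --state NEW` in a nat rule is always true. DNAT is itself a target in the same nat PREROUTING chain, so it is ordered among those rules rather than before them. The model simplifies conntrack confirmation (an entry is confirmed as soon as PREROUTING accepts the packet; the real kernel confirms it later, after the filter table), and the addresses 192.0.2.1 (standing in for $MY_IP) and 198.51.100.7 are constructed sample values.

```python
"""Simplified model of IPv4 PREROUTING traversal: raw -> conntrack -> mangle -> nat.
Added example; it models rule order and conntrack gating only, not real netfilter."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False          # True for a bare SYN (what --syn matches)


@dataclass
class Rule:
    table: str                 # "raw", "mangle" or "nat" (PREROUTING chain of that table)
    target: str                # "ACCEPT" or "DROP"
    in_iface: Optional[str] = None
    src: Optional[str] = None      # CIDR, like -s 10.0.0.0/8
    dst: Optional[str] = None      # single address, like -d 204.75.165.10
    proto: Optional[str] = None
    dport: Optional[int] = None
    syn: Optional[bool] = None     # --syn
    state: Optional[str] = None    # -m state --state NEW / ESTABLISHED
    hits: int = 0                  # packet counter, like iptables -L -v

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in \
                ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.syn is not None and pkt.syn != self.syn:
            return False
        if self.state is not None and state != self.state:
            return False
        return True


class Prerouting:
    """Walks the PREROUTING chains of the raw, mangle and nat tables in kernel order."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.confirmed = set()     # conntrack table: flows that already passed

    @staticmethod
    def flow_key(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.dst, pkt.dport)

    def _walk(self, table: str, pkt: Packet, state: str) -> str:
        for r in self.rules:
            if r.table == table and r.matches(pkt, state):
                r.hits += 1
                return r.target
        return "ACCEPT"            # built-in chain policy

    def process(self, pkt: Packet) -> Dict[str, object]:
        key = self.flow_key(pkt)
        tables = ["raw"]
        verdict = self._walk("raw", pkt, "UNTRACKED")   # raw runs before conntrack
        if verdict == "DROP":
            return {"verdict": verdict, "state": "UNTRACKED", "tables": tables}
        state = "ESTABLISHED" if key in self.confirmed else "NEW"  # conntrack lookup
        tables.append("mangle")
        verdict = self._walk("mangle", pkt, state)
        if verdict != "DROP" and state == "NEW":
            tables.append("nat")   # nat is only consulted for the first packet of a flow
            verdict = self._walk("nat", pkt, state)
        if verdict != "DROP":
            self.confirmed.add(key)  # simplification: confirmed here, not after filter
        return {"verdict": verdict, "state": state, "tables": tables}


def demo() -> Dict[str, object]:
    """Runs the three rules from the question (plus a mangle counter) over sample traffic."""
    fw = Prerouting([
        Rule("nat", "DROP", in_iface="eth0", src="10.0.0.0/8"),                    # rule 1
        Rule("nat", "ACCEPT", in_iface="eth0", proto="tcp", syn=True, state="NEW",
             dst="204.75.165.10", dport=80),                                        # rule 3
        Rule("nat", "DROP", in_iface="eth0", proto="tcp", syn=True,
             dst="192.0.2.1", dport=23),                                            # rule 2, $MY_IP constructed
        Rule("mangle", "ACCEPT", proto="tcp", dport=80),                            # counter: sees every packet
    ])
    out: Dict[str, object] = {}
    bogon = Packet("eth0", "10.1.2.3", "204.75.165.10", 80, syn=True)
    out["bogon_first"] = fw.process(bogon)
    out["bogon_retry"] = fw.process(bogon)     # dropped flow never confirmed, so still NEW
    out["client_syn"] = fw.process(Packet("eth0", "198.51.100.7", "204.75.165.10", 80, syn=True))
    out["client_ack"] = fw.process(Packet("eth0", "198.51.100.7", "204.75.165.10", 80))
    out["telnet"] = fw.process(Packet("eth0", "198.51.100.7", "192.0.2.1", 23, syn=True))
    out["hits"] = [r.hits for r in fw.rules]   # [2, 1, 1, 4]
    return out


if __name__ == "__main__":
    for name, res in demo().items():
        print(name, res)
```

The hit counters make the point: the mangle rule counts all four port-80 packets, while nat rule 3 counts only the client's SYN, because the ACK of the now-established flow never reaches the nat table at all. A DROP in nat does keep firing on the retransmitted SYN, since a dropped flow is never confirmed and each retry is NEW again.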