Re: Default deny rule

To:	"Gáspár Lajos" <swifty@freemail.hu>
Subject:	Re: Default deny rule
From:	Gopinath <gopinath.u@gmail.com>
Date:	Thu, 31 May 2007 10:41:23 +0530
Cc:	netfilter@lists.netfilter.org
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	netfilter-list1@securepoint.com
Dkim-signature:	a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=DDSkVJPU1nm/KXJgm7ST3zrQD4Xgfjanmn+vAa5vSme3GLoXOKJDwFfnja9q488ZtwuNKylzT69vRFii+fqtxlwFVl35+mcTszG71xkwk4PpSDC4dSmrHR5Bo4mCA6qxB+hFCDfcJaXv2EGf3r+vei9d/0ei55drPNWGj6tm0nc=
Domainkey-signature:	a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=UwMYh0Sydm1YKv/ZMhiTQnT4yiotki/jWy5i5UUDG27RocqyDq2ChBUz8Rfk3zDDucyXMOpwQdjp0d+XgTcy0bcLaLjZaiSa4G+MI+4+enLMMsuhmIAXd4IqmqItBV3DDISz/1gDXApCtsmjzd+hoPlpzJmaD6wOZwSXOTk+SAc=
In-reply-to:	<465D5103.3000507@freemail.hu>
List-archive:	</pipermail/netfilter>
List-help:	<mailto:netfilter-request@lists.netfilter.org?subject=help>
List-id:	General discussion and user questions <netfilter.lists.netfilter.org>
List-post:	<mailto:netfilter@lists.netfilter.org>
List-subscribe:	<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
List-unsubscribe:	<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
References:	<d2af4f000705092228x3746eb10u9b81264581a57e46@mail.gmail.com> <464440C4.7000605@freemail.hu> <d2af4f000705132302t3d8b2c8eo6158406d02af9f91@mail.gmail.com> <4648570D.4040308@freemail.hu> <d2af4f000705150134r4d5bbf84r96d0f91aae9a725d@mail.gmail.com> <4651C2EE.2080803@freemail.hu> <d2af4f000705280645j74a57571j65bb21ab0bfcee40@mail.gmail.com> <465C24E0.8010001@freemail.hu> <d2af4f000705290744i4518ae7bu11b1fb7e2eb14a68@mail.gmail.com> <465D5103.3000507@freemail.hu>
Sender:	netfilter-bounces@lists.netfilter.org

Hi Lajos,

That's a good explanation. I got the point :-)

Thanks & Regards,
Gopinath.U

On 5/30/07, Gáspár Lajos <swifty@freemail.hu> wrote:

Gopinath írta:
> Thank your very much Lajos !!!!!!!!!!!!!!!
>
> It is working fine now after adding the line "-m conntrack --ctstate
> DNAT" in the ACCEPT statement of the FORWARD chain as you've said in
> previous mail.
>
> Could you please explain how it works after adding the line "-m
> conntrack --ctstate DNAT" in the ACCEPT stmt of FORWARD chain ? I'm
> very eager to know this :-)
>
Okay... :D

I have attached an image that shows the route of the packet.

In the PREROUTING nat table the destination address gets DNATed IF the
client wants to talk to the EXTERNAL address.
But if the INTERNAL address is used at a new connection then this rule
does not get hit !!! (No DNAT!!!)

In the FORWARD filter table you were accepting EVERY connection that has
an INTERNAL destination address.
If you use the conntrack module then ONLY the DNATed packets gets
accepted!!!

> Regards,
> Gopinath.U
>
>
> I have also upgraded my iptables to version 1.3.7
Good to hear... :D

Swifty

<Prev in Thread]	Current Thread	[Next in Thread>
Default deny rule, Gopinath Re: Default deny rule, Gáspár Lajos Re: Default deny rule, Gopinath Re: Default deny rule, Gáspár Lajos Message not available Re: Default deny rule, Gáspár Lajos Re: Default deny rule, Gopinath Re: Default deny rule, Gáspár Lajos Re: Default deny rule, Gopinath Message not available Re: Default deny rule, Gopinath <=

Previous by Date:	RE: NAT rules for VPN only allowing one user?, Neil Aggarwal
Next by Date:	Confirm your subscription, bilal . amna
Previous by Thread:	Re: Default deny rule, Gopinath
Next by Thread:	delete NAT conntrack entry., ???
Indexes:	[Date] [Thread] [Top] [All Lists]