Hi all,
I am using these rules to block this host:
iptables -A INPUT -s 202.96.170.189 -j DROP
iptables -A OUTPUT -d 202.96.170.189 -j DROP
iptables -A FORWARD -s 202.96.170.189 -j DROP
After that I used iptraf on my web server (behind DNAT), and it shows that
202.96.170.189:80 can still get in.
What am I doing wrong or missing? Why can't I block him?
When I check my iptables -vnL it shows:
Chain INPUT (policy DROP 8818 packets, 1264K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2931  228K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1824 88944 DROP       all  --  *      *       202.96.170.189       0.0.0.0/0

Chain FORWARD (policy DROP 6 packets, 240 bytes)
 pkts bytes target     prot opt in     out     source               destination
10974  484K DROP       all  --  *      *       202.96.170.189       0.0.0.0/0

Chain OUTPUT (policy DROP 773 packets, 58748 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2933  228K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            202.96.170.189
My nat script
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE \
-j SNAT --to-source $IPADDR
iptables -A FORWARD -o $EXTERNAL_INTERFACE \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $INTERNAL_INTERFACE \
-m state --state ESTABLISHED,RELATED -j ACCEPT
My DNAT script
iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp \
    --sport $UNPRIVPORTS -d $HTTP_1 --dport 80 \
    -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 10.0.0.2:80
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p tcp \
    --sport $UNPRIVPORTS -d 10.0.0.2 --dport 80 \
    -m state --state NEW -j ACCEPT
iptables version 1.2.4 on RH 7.1
Thank you very much
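Added example, not part of the original post: a small first-match model of an iptables chain, built from the FORWARD rules in the nat and DNAT scripts above, to show how rule order decides whether a per-source DROP is ever reached. Netfilter walks a chain top-down and stops at the first terminating target, so a DROP appended with -A after the ACCEPT rules sits behind them, while the same rule inserted with -I at position 1 is evaluated first. The interface names eth0 (external) and eth1 (internal), the second client address 198.51.100.7 and the omission of the --sport $UNPRIVPORTS match are assumptions of this model; it does not touch the real iptables.

```python
# Added example (not from the original post): a toy first-match model of an
# iptables chain, used to show how rule ORDER decides whether a DROP for one
# source address is ever reached. Chain names, the interface names eth0
# (external) and eth1 (internal), and the packets below are constructed
# assumptions for the illustration; this does not drive the real iptables.
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str
    proto: str = "tcp"
    dport: int = 80
    state: str = "NEW"          # conntrack state as seen by -m state


@dataclass
class Rule:
    target: str                 # ACCEPT or DROP
    src: Optional[str] = None
    dst: Optional[str] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[Set[str]] = None
    pkts: int = 0               # hit counter, like the pkts column of -vnL

    def matches(self, p: Packet) -> bool:
        # A None field means "any", mirroring an unspecified iptables match.
        pairs = [(self.src, p.src), (self.dst, p.dst), (self.in_if, p.in_if),
                 (self.out_if, p.out_if), (self.proto, p.proto), (self.dport, p.dport)]
        if any(want is not None and want != have for want, have in pairs):
            return False
        return self.states is None or p.state in self.states


class Chain:
    def __init__(self, name: str, policy: str = "DROP"):
        self.name = name
        self.policy = policy
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:
        # iptables -A: the rule goes to the END of the chain
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 1) -> None:
        # iptables -I [pos]: 1-based position, default is the head of the chain
        self.rules.insert(pos - 1, rule)

    def verdict(self, p: Packet) -> str:
        # netfilter evaluates a chain top-down and stops at the first terminating
        # target; the chain policy applies only if nothing matched.
        for r in self.rules:
            if r.matches(p):
                r.pkts += 1
                return r.target
        return self.policy


def build_forward(block_first: bool) -> Chain:
    """FORWARD chain modelled on the post's nat and DNAT scripts.

    block_first=False appends the DROP after the ACCEPT rules (what -A does);
    block_first=True inserts it at position 1 (what -I does)."""
    fwd = Chain("FORWARD", policy="DROP")
    fwd.append(Rule("ACCEPT", out_if="eth0", states={"NEW", "ESTABLISHED", "RELATED"}))
    fwd.append(Rule("ACCEPT", out_if="eth1", states={"ESTABLISHED", "RELATED"}))
    # DNAT forward rule from the post; --sport $UNPRIVPORTS is left out of the model.
    fwd.append(Rule("ACCEPT", in_if="eth0", out_if="eth1", proto="tcp",
                    dst="10.0.0.2", dport=80, states={"NEW"}))
    block = Rule("DROP", src="202.96.170.189")
    if block_first:
        fwd.insert(block, 1)
    else:
        fwd.append(block)
    return fwd


def verdict_for_web_request(src: str, block_first: bool) -> str:
    """Verdict for a new TCP connection from src to the DNAT'd web server.

    By the time FORWARD runs, PREROUTING has already rewritten the destination
    to 10.0.0.2, so that is the address the FORWARD rules see."""
    p = Packet(src=src, dst="10.0.0.2", in_if="eth0", out_if="eth1", state="NEW")
    return build_forward(block_first).verdict(p)


if __name__ == "__main__":
    for first in (False, True):
        how = "inserted with -I" if first else "appended with -A"
        print(f"DROP {how}: 202.96.170.189 -> "
              f"{verdict_for_web_request('202.96.170.189', first)}, "
              f"198.51.100.7 -> {verdict_for_web_request('198.51.100.7', first)}")
```

Running it shows the blocked source reaching the web server when the DROP is appended and being dropped when it is inserted first, while the constructed unrelated client is accepted in both cases. The same top-down evaluation applies to the real chains, which is why a block rule intended to override earlier ACCEPT rules is normally placed at the head of the chain and confirmed afterwards by watching its pkts counter in iptables -vnL.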