On Wed, Mar 13, 2002 at 10:19:52PM +0100, Olaf Zaplinski wrote:
> Why is a connect from 192.168.42.0/24 to 11.22.33.44:80 first proxied so
> that the blocking rule has no effect? I can only guess that all packets
> first traverse the nat table and then the filter table's FORWARD chain.

Actually, it's because PREROUTING is before FORWARD. By the time the packet
reaches the FORWARD chain, the destination has already been changed.

> $IPTABLES -t nat -A PREROUTING -p tcp -d 11.22.33.44 -j REJECT --reject-with
> tcp-reset
>
> but it did not work ("invalid argument")

Correct. The nat table doesn't have a REJECT target, and the filter table
doesn't hook into PREROUTING.

> All I want to get is a kind of banner blocker. For this, I must tell the
> client with a 'REJECT --reject-with tcp-reset' that the banner server
> rejects connects to port 80.

It would be much more reliable to have the proxy filter the requests and send
a 404 or somesuch, as it can block based on domain instead of only address or
netblock.

There doesn't seem to be an easy way to do exactly what you're trying to do.
Any filtering is done after the REDIRECT, and the original destination address
isn't available to match against.

-- 
Scottie Shore <[EMAIL PROTECTED]>
"Experience is that marvelous thing that enables you to recognize a mistake
when you make it again." -- F. P. Jones