Hi,

In short, only the first packet of any stream (i.e., a unique tuple (dst, dst-port, src, src-port)) will cross the PREROUTING chain of the NAT table. After this, all packets in that stream will have the exact same actions taken on them, even if they do not really match the rule. The reason that I have written to people not to use this or any other chains in the NAT table for filtering is fairly simple. It is too easy to make a simple mistake while writing these rules. For example, look at the following rules:

iptables -t nat -A PREROUTING -p tcp --dport 52 --syn -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 52 -j ACCEPT

Consider what will happen, and you can understand what I mean. This is most probably not the behaviour we would expect to get from it =). This is pretty much why I have written that section as I have. Comments on this are most definitely welcome.

Have a nice day,

Oskar Andreasson
http://www.boingworld.com
http://people.unix-fu.org/andreasson/
mailto: [EMAIL PROTECTED]

----- Original Message -----
From: "j davis" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, April 15, 2002 8:37 PM
Subject: prerouting question

> Hi,
>
> According to a how-to I read
> (http://www.boingworld.com/workshops/linux/iptables-tutorial/iptables-tutorial.html#TRAVERSING_OF_TABLES)
> I should not filter in PREROUTING. Does this mean my default policy should
> be ACCEPT and write no rules in PREROUTING
> except to do DNAT? Or should I set my policy to DROP
> and write rules to allow traffic... and if I do this, say...
>
> /sbin/iptables -t nat -A PREROUTING -s 0/0 -d $inet_ip -p tcp \
>     --dport 22 -j ACCEPT
>
> (could I jump traffic from the nat table to a user-defined chain
> in the filter table?)
>
> Will this skip my filter rules in INPUT, and if not... why should I not write
> filter rules in PREROUTING? It seems to me a lot of rules and chains could be
> avoided by writing filter rules in
> PREROUTING.
>
> Thanks,
> jd
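The following is an added illustration, not code from the tutorial or from either poster. It is a toy model of the traversal rule Oskar describes: a chain in the nat table is walked only for the first packet of a stream, and the verdict it reached is then reused for every later packet of that same 4-tuple, whereas a filter-table chain is walked for every packet. It runs Oskar's two rules for port 52 through both kinds of chain. The hosts, ports and flag sequences are constructed, and the "verdict cache" is a stand-in for the conntrack entry, not the kernel's logic.

```python
"""Toy model of nat-table versus filter-table rule traversal.

Added illustration only: not kernel code and not from the tutorial.
Hosts, ports and flags below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Tuple4 = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a bare SYN, i.e. what "--syn" matches

    def tuple4(self) -> Tuple4:
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class Rule:
    """One iptables rule reduced to the matches used in the reply."""
    dport: Optional[int] = None
    syn: Optional[bool] = None  # None: don't care; True: "--syn"
    target: str = "ACCEPT"

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.syn is not None and pkt.syn != self.syn:
            return False
        return True


def walk_chain(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins (all targets here terminate), else the policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


class Chain:
    def __init__(self, rules: List[Rule], first_packet_only: bool) -> None:
        self.rules = rules
        self.first_packet_only = first_packet_only
        # Per-stream verdict cache, standing in for the conntrack entry.
        self.verdicts: Dict[Tuple4, str] = {}

    def verdict(self, pkt: Packet) -> str:
        key = pkt.tuple4()
        if self.first_packet_only and key in self.verdicts:
            # nat-table behaviour as described in the reply: the chain is
            # not walked again; the first packet's verdict is applied
            # whether or not this packet would match any rule.
            return self.verdicts[key]
        result = walk_chain(self.rules, pkt)
        if self.first_packet_only:
            self.verdicts[key] = result
        return result


# The two rules from the reply, in the same order.
RULES = [
    Rule(dport=52, syn=True, target="DROP"),
    Rule(dport=52, target="ACCEPT"),
]


def run(table: str, packets: List[Packet]) -> List[str]:
    """Verdict per packet when RULES sit in the given table ('nat' or 'filter')."""
    chain = Chain(RULES, first_packet_only=(table == "nat"))
    return [chain.verdict(p) for p in packets]


def _stream(*syn_flags: bool) -> List[Packet]:
    # Constructed sample: one client stream to TCP port 52, same 4-tuple.
    return [Packet("10.0.0.2", 40000, "192.0.2.1", 52, syn=f) for f in syn_flags]


# A normal new connection: SYN, then the ACK and data packets that follow.
STREAM_NEW = _stream(True, False, False)
# A stream first seen mid-connection (e.g. firewall loaded after the
# handshake), followed later by a SYN on the very same 4-tuple.
STREAM_PICKED_UP = _stream(False, True)

if __name__ == "__main__":
    for name, stream in (("new", STREAM_NEW), ("picked-up", STREAM_PICKED_UP)):
        print(f"{name:10} nat:    {run('nat', stream)}")
        print(f"{name:10} filter: {run('filter', stream)}")
```

For the new connection the filter chain gives DROP, ACCEPT, ACCEPT (the second rule matches the non-SYN packets), while the nat chain gives DROP for all three because it never looks at the later packets. For the stream picked up mid-connection the nat chain caches ACCEPT from the first packet and then lets the later SYN through without the first rule ever seeing it, whereas the filter chain drops that SYN. Per-packet decisions therefore belong in the filter table (INPUT or FORWARD), with nat PREROUTING kept for DNAT, which is the point of the reply.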
