On Wednesday 10 July 2002 19:42, Antony Stone wrote:
> On Wednesday 10 July 2002 5:53 pm, Jan Humme wrote:
> > On Wednesday 10 July 2002 17:55, Antony Stone wrote:
> > > If the original poster doesn't know what addresses s/he wishes to
> > > block, then I can't think of a netfilter rule which will help :-)
> >
> > Harty-har-har.........!
> >
> > But I still don't understand the reason why you would mark (or even DROP)
> > packages at the mangle stage, if the same source IP is still available at
> > the filter stage?
>
> Simple - I got confused by the Subject of the mail thread, and I thought
> the problem was with DNAT, not SNAT.
>
> Of course you are correct that SNAT is done at the *end* of all the
> filtering, therefore any blocking can be done at the FORWARDing stage.
>
> I thought the problem was to block a connection based on its original
> destination address, which had been lost by being DNATted in the PREROUTING
> chain, and therefore it was no longer possible to filter on destination
> address in the FORWARDing chain.
>
> Hope this explains at least part of my confusion, and therefore some of
> yours about my postings?
It certainly does. Just thought that perhaps there was some clever trick that I missed, as I am only starting to get the hang of things. In any case, we still don't know what the original poster is trying to achieve...!

Jan Humme.
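The chain-ordering argument in the quoted reply, as an added example that is not part of the original thread or of netfilter's own code: a toy model of how a forwarded packet walks the chains. It shows why a connection DNATted in nat PREROUTING can no longer be filtered on its original destination in FORWARD, why a mark set in mangle PREROUTING (which runs before nat PREROUTING) still carries that information into FORWARD, and why SNAT needs no such trick because it is applied in nat POSTROUTING, after FORWARD. The addresses are constructed (RFC 5737 and RFC 1918 ranges) and the rule strings are a small iptables subset parsed by the example's own parse_rule(); the traversal order, matching and target semantics are simplified (no conntrack, no INPUT/OUTPUT paths).

```python
# Added example, not part of the original thread: a toy model of how a
# forwarded packet walks the netfilter chains. It shows why a connection that
# was DNATted in nat PREROUTING can no longer be filtered on its original
# destination in FORWARD, why a mark set in mangle PREROUTING (which runs
# before nat PREROUTING) still carries that information, and why SNAT needs
# no such trick because it happens in nat POSTROUTING, after FORWARD.
# Addresses are constructed (RFC 5737 / RFC 1918 ranges); the rule strings are
# a small iptables subset parsed by parse_rule().

TRAVERSAL = [            # chain order this model walks for a routed packet
    ("mangle", "PREROUTING"),
    ("nat", "PREROUTING"),
    ("filter", "FORWARD"),
    ("nat", "POSTROUTING"),
]
OPTS = {"-t": "table", "-A": "chain", "-s": "src", "-d": "dst", "-j": "target"}


def parse_rule(cmd):
    """Parse '-t T -A CHAIN [-s A] [-d A] [-m mark --mark N] -j TARGET [arg]'."""
    toks = cmd.split()
    rule = {"table": "filter", "chain": None, "src": None, "dst": None,
            "mark": None, "target": None, "arg": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in OPTS:
            rule[OPTS[t]] = toks[i + 1]
            i += 2
        elif t == "-m" and toks[i + 1:i + 3] == ["mark", "--mark"]:
            rule["mark"] = int(toks[i + 3], 0)
            i += 4
        elif t in ("--set-mark", "--to-destination", "--to-source"):
            rule["arg"] = toks[i + 1]
            i += 2
        else:
            raise ValueError("unsupported token in rule: " + t)
    if rule["chain"] is None or rule["target"] is None:
        raise ValueError("rule needs -A CHAIN and -j TARGET: " + cmd)
    return rule


def matches(rule, pkt):
    """Every selector the rule specifies must equal the packet's current field."""
    return all(rule[k] is None or rule[k] == pkt[k] for k in ("src", "dst", "mark"))


def forward(rules, pkt):
    """Walk the chains in TRAVERSAL order; return (verdict, packet as it leaves)."""
    pkt = dict(pkt)                      # never mutate the caller's packet
    rules = [parse_rule(r) for r in rules]
    for table, chain in TRAVERSAL:
        for rule in rules:
            if (rule["table"], rule["chain"]) != (table, chain) or not matches(rule, pkt):
                continue
            tgt = rule["target"]
            if tgt == "DROP":
                return "DROP", pkt
            if tgt == "MARK":            # non-terminating: later rules still run
                pkt["mark"] = int(rule["arg"], 0)
                continue
            if tgt == "DNAT":            # from here on every chain sees the new dst
                pkt["dst"] = rule["arg"]
            elif tgt == "SNAT":          # src is rewritten only after FORWARD ran
                pkt["src"] = rule["arg"]
            break                        # DNAT, SNAT and ACCEPT terminate the chain
    return "ACCEPT", pkt


PUBLIC_VIP, INTERNAL_SERVER = "203.0.113.5", "10.0.0.5"      # constructed
LAN_HOST, NAT_ADDR, REMOTE = "192.168.1.10", "203.0.113.1", "198.51.100.7"
DNAT_RULE = f"-t nat -A PREROUTING -d {PUBLIC_VIP} -j DNAT --to-destination {INTERNAL_SERVER}"
INBOUND = {"src": REMOTE, "dst": PUBLIC_VIP, "mark": 0}      # remote -> published address
OUTBOUND = {"src": LAN_HOST, "dst": REMOTE, "mark": 0}       # LAN host -> internet


def dnat_filter_on_dst_in_forward():
    """Filtering on the original destination in FORWARD: never matches after DNAT."""
    return forward([DNAT_RULE, f"-A FORWARD -d {PUBLIC_VIP} -j DROP"], INBOUND)


def dnat_mark_in_mangle_then_filter():
    """Mark on the original destination before DNAT, then filter on the mark."""
    return forward([f"-t mangle -A PREROUTING -d {PUBLIC_VIP} -j MARK --set-mark 1",
                    DNAT_RULE,
                    "-A FORWARD -m mark --mark 1 -j DROP"], INBOUND)


def snat_filter_on_src_in_forward():
    """SNAT runs after FORWARD, so a plain FORWARD rule on the source still works."""
    return forward([f"-A FORWARD -s {LAN_HOST} -j DROP",
                    f"-t nat -A POSTROUTING -s {LAN_HOST} -j SNAT --to-source {NAT_ADDR}"],
                   OUTBOUND)


if __name__ == "__main__":
    for fn in (dnat_filter_on_dst_in_forward, dnat_mark_in_mangle_then_filter,
               snat_filter_on_src_in_forward):
        print(fn.__name__, *fn())
```

The three scenario functions give ACCEPT (the FORWARD rule is simply never hit), DROP and DROP respectively, which is exactly the asymmetry the quoted reply describes: on a real box the rule strings are the arguments one would pass to iptables, and the mangle-mark rule is the part that makes the DNAT case filterable. Two caveats the model leaves out: the real nat table only sees the first packet of a connection, with connection tracking applying the same mapping to the rest, and on current kernels the conntrack match (`-m conntrack --ctorigdst`) can test the pre-NAT destination directly in FORWARD, so the mark is one of two ways to get there rather than the only one.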
