It seems, since you are using masquerading, this machine with the iptables
enabled is functioning as a gateway for other machines.
In which case, you have to understand that there is a substantial difference
in the way iptables and ipchains work. Check out the manpage for iptables.
    filter  This is the default table. It contains the built-in chains
            INPUT (for packets coming into the box itself), FORWARD (for
            packets being routed through the box), and OUTPUT (for locally
            generated packets).
In ipchains, however, each and every packet will traverse input, forward and
output. Thus, your rules as they are, will not block anything that is
traversing the machine in iptables, but, in ipchains, with the proper syntax
changes will block everything from -s x.x.x.x.
To make your DROP statement work in iptables (if the above assumption
was your intent), change the rule (or add a rule) as follows:
    $IPTABLES -v -A FORWARD -i eth0 -s x.x.x.x/x -j DROP
This will automatically prevent packets from traversing your machine from
the -s x.x.x.x/x sub-net. For filtering ports, just add the appropriate
--sport or --dport statements.
Hope this helps.
On Saturday 19 October 2002 16:38, Ina Patricia Lopez wrote:
> i can't seem to make it work.
>
> while i enjoy full internet access through iptables with masq, i want
> to block some destination ip addresses and ports. how do i do that with
> iptables?
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> $IPTABLES -v -A INPUT -i eth0 -s x.x.x.x -j DROP
> $IPTABLES -v -A INPUT -i eth0 -j LOG --log-level 6
> $IPTABLES -v -A INPUT -i lo -j ACCEPT
> $IPTABLES -v -A INPUT -i eth0 -j ACCEPT
> $IPTABLES -v -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> thanks,
> i.patricia
>
> _
> Philippine Linux Users Group. Web site and archives at
> http://plug.linux.org.ph To leave: send "unsubscribe" in the body to
> [EMAIL PROTECTED]
>
> Fully Searchable Archives With Friendly Web Interface at
> http://marc.free.net.ph
>
> To subscribe to the Linux Newbies' List: send "subscribe" in the body to
> [EMAIL PROTECTED]
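The INPUT-versus-FORWARD mistake discussed in this thread can be caught before a rule script is loaded. The following is an added example, not part of either message: the function names are hypothetical, 192.0.2.10 is a constructed stand-in for x.x.x.x, and a MASQUERADE rule is assumed to mark the box as a gateway.

```shell
#!/bin/sh
# Added example, not from the thread. Reads iptables commands on stdin and,
# if the box masquerades, flags -s/-d DROP rules found in INPUT but not FORWARD.
# Print the "-s ADDR" or "-d ADDR" selector of a rule line, if any.
selector_of() {
    printf '%s\n' "$1" | sed -n 's/.* \(-[sd] [^ ]*\).*/\1/p'
}

lint_gateway_rules() {
    masq=0; input_drops=""; forward_drops=""
    nl='
'
    while IFS= read -r line; do
        case "$line" in
            *"-j MASQUERADE"*) masq=1 ;;
            *"-A INPUT "*"-j DROP"*)
                sel=$(selector_of "$line")
                if [ -n "$sel" ]; then input_drops="$input_drops$sel$nl"; fi ;;
            *"-A FORWARD "*"-j DROP"*)
                sel=$(selector_of "$line")
                if [ -n "$sel" ]; then forward_drops="$forward_drops$sel$nl"; fi ;;
        esac
    done
    # No MASQUERADE rule: assume a plain host, where INPUT is the right chain.
    [ "$masq" -eq 1 ] || return 0
    status=0
    while IFS= read -r sel; do
        [ -n "$sel" ] || continue
        case "$nl$forward_drops" in
            *"$nl$sel$nl"*) ;;  # same selector is also dropped in FORWARD
            *)  echo "INPUT-only DROP for '$sel': routed packets never reach INPUT; add: iptables -A FORWARD $sel -j DROP"
                status=1 ;;
        esac
    done <<EOF
$input_drops
EOF
    return "$status"
}

# Constructed sample: rules from the quoted message, 192.0.2.10 for x.x.x.x.
sample_rules() {
    cat <<'EOF'
$IPTABLES -v -A INPUT -i eth0 -s 192.0.2.10 -j DROP
$IPTABLES -v -A INPUT -i lo -j ACCEPT
$IPTABLES -v -A INPUT -i eth0 -j ACCEPT
$IPTABLES -v -t nat -A POSTROUTING -o eth0 -j MASQUERADE
EOF
}
sample_rules | lint_gateway_rules || true
```

The function returns 1 when it prints a finding, so it can gate a deployment script; rules that filter only on --sport or --dport are not examined.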