Blocking selected clients with iptables
torriem at chem.byu.edu
Fri Dec 30 23:55:28 MST 2005
Jason K Larson wrote:
> Try such rules in POSTROUTING of the nat table, or in the OUTPUT or
> FORWARD chains of the filter table. Obviously these need to precede any
> other rules that would move them to another chain or table, as is likely
> happening with your INPUT chain.
> I'd personally recommend POSTROUTING of the nat table.
FORWARD is actually the more correct chain to add such a rule to. Any
packet that must be routed has to pass this chain. While post-routing
certainly works, it's cleaner to put it in the forward chain as that's
really where all firewalling decisions between any subnet can be made.
For example, in the future you may decide to partition your network and
firewall certain ports (virus vectors such as netbios) between these
subnets as well as the outside world. FORWARD is the place where you
would place these things.
OUTPUT, in my understanding, only applies to traffic originating from
the firewall itself, not traffic passing through (traffic which is routed).
> Jason K Larson
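As an added illustration of the advice above (example code, not from anyone in this thread): a small POSIX shell script that blocks a list of LAN clients from being routed through the box by inserting one jump at the top of the filter table's FORWARD chain, ahead of any rule that might send traffic to another chain. The interface name `eth1`, the chain name `BLOCKED_CLIENTS`, and the client addresses are all assumptions for the example. By default it only prints the iptables commands; it applies them only with `--apply` as root.

```shell
#!/bin/sh
# Added example, not part of the original list post. Blocks selected LAN
# clients at the FORWARD chain (routed traffic), leaving INPUT/OUTPUT alone.
# Assumed: inside interface eth1, a dedicated chain BLOCKED_CLIENTS, and
# constructed sample client addresses passed on the command line.

LAN_IF="${LAN_IF:-eth1}"   # assumed inside (LAN) interface

# Print, without running, the iptables commands for the given client IPs.
# A dedicated chain keeps the ordering requirement simple: a single jump at
# position 1 of FORWARD, with the block list maintained in its own chain.
gen_block_rules() {
    chain="BLOCKED_CLIENTS"
    echo "iptables -t filter -N $chain"
    echo "iptables -t filter -I FORWARD 1 -i $LAN_IF -j $chain"
    for ip in "$@"; do
        # Log first so each blocked packet shows up in the kernel log, then drop.
        echo "iptables -t filter -A $chain -s $ip -j LOG --log-prefix 'fwd-block: '"
        echo "iptables -t filter -A $chain -s $ip -j DROP"
    done
    # Clients not on the list fall through to the rest of FORWARD.
    echo "iptables -t filter -A $chain -j RETURN"
}

# Number of commands generated, useful as a sanity check before applying.
count_rules() {
    gen_block_rules "$@" | wc -l | tr -d ' '
}

# Apply only when explicitly asked and only as root; otherwise just print.
if [ "${1:-}" = "--apply" ]; then
    shift
    [ "$(id -u)" -eq 0 ] || { echo "need root to apply rules" >&2; exit 1; }
    gen_block_rules "$@" | sh -e
elif [ "$#" -gt 0 ]; then
    gen_block_rules "$@"
fi
```

Usage: `sh block-clients.sh 192.168.1.50 192.168.1.51` prints the rules; add `--apply` to install them. Because the jump is inserted at position 1 of FORWARD, it takes effect regardless of what the rest of the chain does, which is exactly the ordering concern raised above.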