Blocking selected clients with iptables

Michael Torrie torriem at
Fri Dec 30 23:55:28 MST 2005

Jason K Larson wrote:

> Try such rules in POSTROUTING of the nat table, or in the OUTPUT or 
> FORWARD chains of the filter table.  Obviously these need to precede any 
> other rules that would move them to another chain or table as is likely 
> happening with your INPUT chain.
> I'd personally recommend POSTROUTING of the nat table.

FORWARD is actually the more correct chain to add such a rule to.  Any 
packet that must be routed has to pass this chain.  While post-routing 
certainly works, it's cleaner to put it in the forward chain as that's 
really where all firewalling decisions between any subnet can be made. 
For example, in the future you may decide to partition your network and 
firewall certain ports (virus vectors such as netbios) between these 
subnets as well as the outside world.  FORWARD is the place where you 
would place these things.

OUTPUT, in my understanding, only applies to traffic originating from 
the firewall itself, not traffic passing through (traffic which is routed).


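The two FORWARD-chain cases discussed in this thread (cutting off one routed client, and later filtering NetBIOS between subnets), as an added example that is not part of the original post. The addresses are constructed placeholders, and IPTABLES defaults to "echo iptables" so the rules can be previewed before being applied on the router.

```shell
#!/bin/sh
# Added example, not from the thread. By default the rules are only
# printed; run with IPTABLES=iptables on the router to apply them.
IPTABLES="${IPTABLES:-echo iptables}"

# Constructed sample addresses (hypothetical); replace with your own.
BLOCKED_CLIENT="192.168.1.50"      # LAN host to cut off from routing
LAN="192.168.1.0/24"               # first internal subnet
DMZ="192.168.2.0/24"               # second internal subnet

# Insert (-I) at position 1 so the DROP precedes any existing rule that
# would accept the traffic or jump to another chain; -A would append
# after those rules and the block might never be reached.
block_client() {
    $IPTABLES -I FORWARD 1 -s "$1" -j DROP
}

# Block NetBIOS/SMB between two routed subnets while leaving other
# traffic alone: UDP 137/138 (name/datagram service), TCP 139/445 (SMB).
block_netbios_between() {
    for p in 137 138; do
        $IPTABLES -A FORWARD -s "$1" -d "$2" -p udp --dport "$p" -j DROP
    done
    for p in 139 445; do
        $IPTABLES -A FORWARD -s "$1" -d "$2" -p tcp --dport "$p" -j DROP
    done
}

block_client "$BLOCKED_CLIENT"
block_netbios_between "$LAN" "$DMZ"
```

Because the rules sit in FORWARD of the filter table, they only affect traffic routed through the box; traffic the firewall itself originates still goes through OUTPUT, as the reply notes.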