iptables and post-NAT filtering



In what table/ruleset can I filter outbound [forwarded] packets after
they've been subjected to any mangling (i.e. NAT)? I want to block
anything with an improper source or destination address (i.e. 192.168.1.1,
as per RFC 1918). But I do SNAT some of these on their way out, and those
I want to permit.

Any rule I've tried sees the source address before SNAT. What rule would
see the source address after SNAT?

I can catch most of these in nat.POSTROUTING; anything I don't SNAT
earlier in the ruleset can be checked. But that means that there's
nothing checking packets after SNAT, and what if I make an error and SNAT
to an improper address?

Any suggestions?

Thanks...

Andrew
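As an added illustration (not Andrew's own ruleset), the layout he describes for nat POSTROUTING, plus a pre-load lint for the second worry, "what if I SNAT to an improper address". Explicit SNAT rules go first; SNAT is a terminating target, so anything that reaches the catch-all below them is leaving the WAN interface untranslated and gets logged and dropped. The lint reads iptables-save text and flags any SNAT/DNAT rule whose --to-source/--to-destination is itself an RFC 1918 address. The interface name eth0 and the public address 203.0.113.5 are assumed placeholders. One caveat worth keeping in mind: the nat table only sees the first packet of each connection, so a check placed there is a check on connection setup, not on every packet.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholders: eth0, 203.0.113.5.

# Match the three RFC 1918 blocks (10/8, 172.16/12, 192.168/16).
in_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Emit nat-table rules in iptables-restore syntax.
#   $1 = WAN interface, $2 = public address to SNAT to.
# SNAT rules first; the guard rules only see what was NOT translated.
rfc1918_guard_rules() {
    wan=$1; pub=$2
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# explicit SNAT for the LAN; SNAT terminates, so these never reach the guard
-A POSTROUTING -o $wan -s 192.168.1.0/24 -j SNAT --to-source $pub
# anything still carrying a private source on $wan was missed above: log, drop
-A POSTROUTING -o $wan -s 10.0.0.0/8     -j LOG --log-prefix "untranslated-rfc1918: "
-A POSTROUTING -o $wan -s 10.0.0.0/8     -j DROP
-A POSTROUTING -o $wan -s 172.16.0.0/12  -j LOG --log-prefix "untranslated-rfc1918: "
-A POSTROUTING -o $wan -s 172.16.0.0/12  -j DROP
-A POSTROUTING -o $wan -s 192.168.0.0/16 -j LOG --log-prefix "untranslated-rfc1918: "
-A POSTROUTING -o $wan -s 192.168.0.0/16 -j DROP
COMMIT
EOF
}

# Read iptables-save text on stdin; print each SNAT/DNAT rule whose
# translation target is an RFC 1918 address. Returns 1 if any was found.
lint_nat_rules() {
    bad=0
    while IFS= read -r line; do
        # pull the address that follows --to-source / --to-destination,
        # dropping any :port or -range suffix
        addr=$(printf '%s\n' "$line" | awk '
            /-j (SNAT|DNAT)/ { for (i = 1; i <= NF; i++)
                if ($i == "--to-source" || $i == "--to-destination") {
                    split($(i+1), a, "[:-]"); print a[1]; exit } }')
        [ -n "$addr" ] || continue
        if in_rfc1918 "$addr"; then
            printf 'private NAT target: %s\n' "$line"
            bad=1
        fi
    done
    return $bad
}

# Usage: generate the ruleset and lint it before handing it to iptables-restore.
rfc1918_guard_rules eth0 203.0.113.5 | lint_nat_rules && echo "nat rules clean"
```

Run the lint over `iptables-save` output on the box itself (`iptables-save | lint_nat_rules`) to catch a mistyped --to-source before it goes live; the generated rules are meant to be fed to `iptables-restore` only after the lint passes.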