[prev in list] [next in list] [prev in thread] [next in thread]
List: netfilter
Subject: RE: droping in forward/postrouting
From: "Jason Opperisano" <Jopperisano () alphanumeric ! com>
Date: 2004-07-31 23:58:38
Message-ID: D5C9032B2B09C64EA2409D6214E91AC9051216 () asimail2 ! alphanumeric ! com
> Yeah, it drops the packets in PREROUTING; however, it is not dropping the
> same while trying with FORWARD.
> Here are my PREROUTING rules (the 1st one is of POSTROUTING)
I think someone already asked this, but I can't remember if I ever saw an answer.
How are you testing that netfilter is not dropping the packets with the FORWARD rules enabled? From the netfilter machine itself? From a machine behind the netfilter machine?
Remember--packets generated locally by the netfilter machine *never* traverse the FORWARD chain.
I notice that you are transparently redirecting to a squid proxy on the same machine as netfilter.
If your tests of the FORWARD rules are from a machine behind netfilter, but you are trying to hit those blocked IPs with a web browser--the requests for those web sites are locally generated by the squid proxy on the netfilter machine (see above).
The answer: If you're trying to block port 80 access to those IPs, and are using a transparent redirect to a squid proxy on the same machine as netfilter--your DROP rules need to be in the OUTPUT chain, not the FORWARD chain. Alternatively, you could just use squid to block access to the domain/URL/content-type...but that's a different mailing list...
-j
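The rule placement described in the reply above, as an added example that is not part of the original post or of the original poster's rule set. The LAN interface name, the squid port and the two 203.0.113.x addresses in BLOCKED are assumptions chosen for illustration; the script echoes the iptables commands by default and only applies them if you run it as root with IPTABLES=iptables.

```shell
#!/bin/sh
# Added example, not from the original thread. LAN_IF, SQUID_PORT and the
# addresses in BLOCKED are hypothetical. Dry-run by default (rules are
# echoed); run as root with IPTABLES=iptables to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"                          # interface facing the LAN clients
SQUID_PORT="${SQUID_PORT:-3128}"                  # port squid listens on locally
BLOCKED="${BLOCKED:-203.0.113.10 203.0.113.11}"   # constructed test addresses

# Transparent proxy: TCP/80 arriving from the LAN is diverted in
# nat/PREROUTING to the local squid. After the redirect the packet is
# delivered locally (INPUT), so it never reaches FORWARD. Squid then opens
# its own upstream connection to the origin server; that packet is
# locally generated and traverses only OUTPUT (and POSTROUTING).
redirect_rules() {
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

# Block list. The OUTPUT rule is the one that actually stops squid's
# upstream connections to the blocked hosts. The FORWARD rule still
# matters for traffic the REDIRECT does not catch (anything that is not
# TCP/80, e.g. HTTPS), because that traffic is routed, not proxied.
block_rules() {
    for ip in $BLOCKED; do
        $IPTABLES -A OUTPUT  -p tcp -d "$ip" --dport 80 -j DROP
        $IPTABLES -A FORWARD -p tcp -d "$ip" -j DROP
    done
}

# Check: after a client behind the firewall browses to a blocked host, the
# OUTPUT rule's packet counter should increase while the FORWARD rule's
# counter stays at zero for port 80.
show_counters() {
    $IPTABLES -L OUTPUT  -v -n -x
    $IPTABLES -L FORWARD -v -n -x
}

redirect_rules
block_rules
```

Two practical notes on the OUTPUT rule: with DROP, squid sits on the blocked connect() until its own connect timeout expires before it returns an error page to the browser, so `-j REJECT --reject-with tcp-reset` gives users a faster failure; and if other local processes on the firewall legitimately need port 80 to those hosts, the rule can be scoped to squid's user with `-m owner --uid-owner squid` (or whatever user squid runs as).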