List:       netfilter
Subject:    RE: droping in forward/postrouting
From:       "Jason Opperisano" <Jopperisano () alphanumeric ! com>
Date:       2004-07-31 23:58:38
Message-ID: D5C9032B2B09C64EA2409D6214E91AC9051216 () asimail2 ! alphanumeric ! com
> Yeah, it drops the packets in PREROUTING, however it's not dropping the
> same when I try with FORWARD.
> Here are my PREROUTING rules (1st one is of POSTROUTING)

I think someone already asked this, but I can't remember if I ever saw an answer.

How are you testing that netfilter is not dropping the packets with the FORWARD rules enabled?  From the netfilter machine itself?  From a machine behind the netfilter machine?

Remember--packets generated locally by the netfilter machine *never* traverse the FORWARD chain.

I notice that you are transparently redirecting to a squid proxy on the same machine as netfilter.

If your tests of the FORWARD rules are from a machine behind netfilter, but you are trying to hit those blocked IP's with a web browser--the requests for those web sites are locally generated by the squid proxy on the netfilter machine (see above).

The answer:  If you're trying to block port 80 access to those IP's, and are using a transparent redirect to a squid proxy on the same machine as netfilter--your DROP rules need to be in the OUTPUT chain; not the FORWARD chain.  Alternatively, you could just use squid to block access to the domain/URL/content-type...but that's a different mailing list...

-j
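An added example, not code from the original thread or from its poster: a small script that builds the ruleset the reply describes (REDIRECT in nat/PREROUTING, the DROP for squid's own outbound connections in OUTPUT, and a FORWARD DROP for traffic that bypasses the proxy), plus a helper that reads `iptables -vnL OUTPUT` output and reports the packet counter of the DROP rule, which is how you confirm which chain is actually seeing the packets. The LAN interface name, squid port, the blocked addresses (TEST-NET-1) and the sample counter listing are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example; not from the original post. All names below are assumptions.
LAN_IF=${LAN_IF:-eth1}            # interface facing the clients (assumed)
SQUID_PORT=${SQUID_PORT:-3128}    # port squid listens on locally (assumed)
BLOCKED="192.0.2.10 192.0.2.11"   # constructed example addresses to block

# Emit the iptables commands instead of running them, so the ruleset can be
# reviewed (and tested) without root. Apply with: gen_rules | sh
gen_rules() {
  # 1. LAN web traffic is transparently redirected to the local squid.
  #    This lives in nat/PREROUTING and only ever sees packets arriving
  #    from another host; nothing squid itself sends passes through here.
  echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"

  # 2. Squid's connections to the origin servers are generated on this
  #    machine, so they traverse OUTPUT, never FORWARD. The block must go here.
  for ip in $BLOCKED; do
    echo "iptables -A OUTPUT -p tcp -d $ip --dport 80 -j DROP"
  done

  # 3. Anything from the LAN that is not redirected (other ports, or if the
  #    redirect is removed) is routed, so it is still caught in FORWARD.
  for ip in $BLOCKED; do
    echo "iptables -A FORWARD -i $LAN_IF -d $ip -j DROP"
  done
}

# Parse the output of `iptables -vnL <chain>` ($1) and print the pkts counter
# of the DROP rule whose destination is $2. Columns in -vn listings are:
# pkts bytes target prot opt in out source destination [match details]
# Run `iptables -vnL OUTPUT` before and after a LAN client retries the site:
# a rising counter here proves the packets are taking the OUTPUT path.
drop_counter() {
  printf '%s\n' "$1" | awk -v dst="$2" '$3 == "DROP" && $9 == dst { print $1; exit }'
}

# Constructed sample listing (not real output from the poster's box), in the
# format iptables -vnL prints; used to demonstrate drop_counter offline.
SAMPLE_OUTPUT='Chain OUTPUT (policy ACCEPT 1234 packets, 567K bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 DROP       tcp  --  *      *       0.0.0.0/0            192.0.2.10           tcp dpt:80
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            192.0.2.11           tcp dpt:80'

# Stand-alone use: print the generated ruleset and the sample counter readings.
gen_rules
echo "# dropped to 192.0.2.10 so far: $(drop_counter "$SAMPLE_OUTPUT" 192.0.2.10)"
echo "# dropped to 192.0.2.11 so far: $(drop_counter "$SAMPLE_OUTPUT" 192.0.2.11)"
```

One caveat the reply hints at: these rules block by IP and port only. Because squid is the one opening the connections, blocking by hostname, URL or content type is squid's job (an ACL in squid.conf), not netfilter's.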

