Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: Catton on January 24, 2019, 10:19:41 PM
-
I have /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff.
As an example, in it I have:
/sbin/iptables -A INPUT -s 160.0.0.0/5 -j DROP
and I do see it in iptables -nL | less:
Chain INPUT (policy DROP)
DROP all -- 160.0.0.0/5 0.0.0.0/0
And my question:
Will this also block 160.0.0.0/5 going through the FORWARD chain and the ForwardedTCP_18579 chain?
Thank you all in advance
-
In short, the answer to your question is no.
INPUT is for a packet addressed to the server itself; FORWARD is for a packet destined elsewhere, here the LAN via NAT.
That is decided mainly by the PREROUTING chains of the mangle, raw and nat tables.
(https://i.stack.imgur.com/zF1uo.jpg)
(https://i.stack.imgur.com/68Cvx.png)
# iptables -t raw -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
# iptables -t nat -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PortForwarding all -- anywhere anywhere
SMTPProxy tcp -- anywhere anywhere tcp dpt:smtp
TransProxy tcp -- anywhere anywhere tcp dpt:http
# iptables -t mangle -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
So the question is: do you want to prevent communication to the server, or to a resource on the LAN (one of those allowed by the port forwarding)?
Or prevent a resource on the LAN from communicating with those IPs?
-
Jean-Philippe,
Thank you. That helps.
Question:
Can I use the 40DenyRiffRaff method to block IPs to the server (INPUT chain) and to the LAN (FORWARD chain) with a one-line command?
Or do I need to do both?:
/sbin/iptables -A INPUT -s 160.0.0.0/5 -j DROP # to block to the server
/sbin/iptables -A FORWARD -s 160.0.0.0/5 -j DROP # to block to the port forwarding
-
yes
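The thread ends on "yes, you need both rules". As an added example (not code from the thread, and not SME Server's own templates), here is what the body of such a templates-custom fragment could look like: one list of source ranges, dropped in both INPUT and FORWARD, with a dry-run mode so the rule set can be reviewed before it is applied. The fragment path is the one quoted in the thread; the variable and function names, the second sample range and the IPTABLES override are assumptions of this example.

```sh
# Added example (not from the thread and not SME Server's own code): the body
# of a templates-custom fragment for /etc/rc.d/init.d/masq, e.g.
# /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff (the path
# quoted in the thread). Each listed source range is dropped both for traffic
# to the server itself (INPUT) and for traffic handed on to the LAN through
# port forwarding (FORWARD), so a single list covers both cases.

# Source ranges to drop, whitespace separated. Constructed sample: the
# thread's 160.0.0.0/5 plus a hypothetical documentation range.
DENY_NETS="160.0.0.0/5 192.0.2.0/24"

# Chains each range is dropped in. A port-forwarded packet has its destination
# rewritten in nat PREROUTING and then traverses FORWARD; INPUT never sees it.
DENY_CHAINS="INPUT FORWARD"

# Binary to run. Override (e.g. IPTABLES=echo) to dry-run; assumed name.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Print one rule per line, without the binary, so the set can be reviewed.
# -I inserts at the top of the chain, so the DROP is evaluated before any
# ACCEPT the masq script already placed in that chain; -A (as in the thread)
# would append it after them.
deny_rules() {
    for net in $DENY_NETS; do
        for chain in $DENY_CHAINS; do
            echo "-I $chain -s $net -j DROP"
        done
    done
}

# Number of rules deny_rules emits: one per (range, chain) pair.
deny_rule_count() {
    deny_rules | wc -l | tr -d ' '
}

# Apply every rule through $IPTABLES.
apply_deny_rules() {
    deny_rules | while read -r rule; do
        # word splitting of $rule into separate arguments is intended
        $IPTABLES $rule
    done
}

# In the real fragment, end the file with a call to apply_deny_rules.
```

After the masq script has been regenerated from its templates and rerun, the result can be checked with iptables -nL INPUT and iptables -nL FORWARD: each chain should list the DROP for every range at its top. Because the thread's original line uses -A, its rule lands at the end of INPUT, after whatever ACCEPT rules the chain already holds, and the chain's DROP policy only decides packets that no earlier rule accepted; inserting with -I avoids that ordering question.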