Hello! Is there a way to have iptables DROP before PREROUTING?
Consider this bit of rules on a home firewall, where 24.126.xx.yy is my home external IP address.

---------
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 23.132.208.0/24 -j DROP
# DNAT inbound SSH to home PC
iptables -A FORWARD -i eth0 -d 192.168.1.10 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 24.126.xx.yy --dport 12345 -j DNAT --to-destination 192.168.1.10
iptables -t nat -A POSTROUTING -s 192.168.1.10 ! -d 192.168.1.0/24 -j SNAT --to 24.126.xx.yy
iptables -A INPUT -j DROP
--------

What I want to do is prevent 23.132.208.0/24 from accessing a service (port 12345) on my home PC. The problem is, the PREROUTING rules precede the DROP rule, so the connections get through.

Thanks for any suggestions/help.

-Jim P.
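Added example, not part of the original post: a small Python model of the netfilter hook order for the ruleset above, showing that DNATed packets are judged by FORWARD rather than INPUT, and what a source DROP placed in FORWARD or in raw PREROUTING would change. Assumptions: `WAN_IP` is a constructed placeholder for the elided 24.126.xx.yy, the FORWARD policy is the default ACCEPT (the post does not set it), the sample source addresses are constructed, and the two candidate rules in the comments are not from the post.

```python
import ipaddress

BLOCKED = ipaddress.ip_network("23.132.208.0/24")  # source range from the post
LAN_HOST = "192.168.1.10"                           # DNAT target from the post
WAN_IP = "203.0.113.7"  # constructed placeholder for the elided 24.126.xx.yy

def from_blocked(pkt):
    return ipaddress.ip_address(pkt["src"]) in BLOCKED

def to_lan_host(pkt):  # models: -d 192.168.1.10 --state NEW,... -j ACCEPT
    return pkt["dst"] == LAN_HOST

FORWARD_AS_POSTED = [(to_lan_host, "ACCEPT")]
# Candidate A: iptables -I FORWARD -s 23.132.208.0/24 -j DROP
FORWARD_WITH_DROP = [(from_blocked, "DROP")] + FORWARD_AS_POSTED
# Candidate B: iptables -t raw -I PREROUTING -s 23.132.208.0/24 -j DROP
RAW_WITH_DROP = [(from_blocked, "DROP")]

def traverse(src, dport, forward_rules, raw_rules=()):
    """Verdict and deciding chain for one NEW TCP packet arriving on eth0
    addressed to WAN_IP:dport."""
    pkt = {"src": src, "dst": WAN_IP, "dport": dport}
    # 1. raw PREROUTING is evaluated before nat PREROUTING.
    for match, verdict in raw_rules:
        if match(pkt):
            return verdict, "raw/PREROUTING"
    # 2. nat PREROUTING: the post's DNAT rule rewrites the destination.
    if pkt["dst"] == WAN_IP and pkt["dport"] == 12345:
        pkt["dst"] = LAN_HOST
    # 3. Routing decision: INPUT only sees packets still addressed to the
    #    firewall itself; a NEW one ends at the source DROP or the final DROP.
    if pkt["dst"] == WAN_IP:
        return "DROP", "filter/INPUT"
    # 4. Everything routed onward is judged by FORWARD, never by INPUT.
    for match, verdict in forward_rules:
        if match(pkt):
            return verdict, "filter/FORWARD"
    return "ACCEPT", "filter/FORWARD policy"  # assumed default policy

if __name__ == "__main__":
    for label, fwd, raw in [("as posted", FORWARD_AS_POSTED, ()),
                            ("FORWARD drop", FORWARD_WITH_DROP, ()),
                            ("raw drop", FORWARD_AS_POSTED, RAW_WITH_DROP)]:
        print(label, traverse("23.132.208.5", 12345, fwd, raw))
```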