On 10.01.2020 00:46, Jim Popovitch wrote:
> Hello!
>
> Is there a way to have iptables DROP before PREROUTING?
>
> Consider this bit of rules on a home firewall, where 24.126.xx.yy is my
> home external IP address.
>
> ---------
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A INPUT -s 23.132.208.0/24 -j DROP
>
> # DNAT inbound SSH to home PC
> iptables -A FORWARD -i eth0 -d 192.168.1.10 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp -d 24.126.xx.yy --dport 12345 -j DNAT --to-destination 192.168.1.10
> iptables -t nat -A POSTROUTING -s 192.168.1.10 ! -d 192.168.1.0/24 -j SNAT --to 24.126.xx.yy
>
> iptables -A INPUT -j DROP
> --------
>
> What I want to do is prevent 23.132.208.0/24 from accessing a service
> (port 12345) on my home PC. The problem is, the PREROUTING rules precede
> the DROP rule, so the connections get through. Thanks for any
> suggestions/help.
>
> -Jim P.

I recommend you look at this article. [1] It provides pretty good explanations and a complete iptables flow chart. It will help you understand how iptables works internally, so you will have a better understanding of where to place your rules and what those rules should be.
The answer to your question, I believe, should look like this:

    iptables -I FORWARD -s 23.132.208.0/24 -j DROP

This rule will be placed as the first line in the FORWARD chain of the filter table and will drop all traffic that comes from the 23.132.208.0/24 subnet after it leaves the PREROUTING chain of the nat table.

[1] https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TRAVERSINGOFTABLES

-- 
With kindest regards,
Alexander.

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀⠀⠀⠀
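The reply explains why the INPUT DROP never sees the DNAT'd connection: nat PREROUTING rewrites the destination before the routing decision, after which the packet is forwarded to 192.168.1.10 and traverses FORWARD, not INPUT. The script below is an added example, not code posted in this thread: it rebuilds the questioner's ruleset in iptables-restore format with the reply's FORWARD DROP placed ahead of the FORWARD ACCEPT, and checks that ordering before anything is loaded. The interface eth0, the placeholder address 24.126.xx.yy, host 192.168.1.10, port 12345 and the blocked subnet are taken from the question; the variable names, the `-i eth0` match on the DNAT rule, the use of `-m conntrack` instead of the older `-m state`, and the ordering check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original thread: the questioner's home
# firewall ruleset in iptables-restore format with the reply's fix applied.
# Interface eth0, the placeholder WAN address 24.126.xx.yy, the LAN host
# 192.168.1.10, port 12345 and the blocked subnet come from the question;
# the variable names and the ordering check are this example's own.
# Nothing is loaded into the kernel unless the script is run with "apply".

WAN_IF=eth0
WAN_IP='24.126.xx.yy'   # placeholder kept from the question; set the real address before "apply"
LAN_HOST=192.168.1.10
LAN_NET=192.168.1.0/24
SSH_PORT=12345
BLOCKED=23.132.208.0/24

# Print the complete ruleset. In a restore file the textual order of the
# rules is the order they are matched in, which is what "iptables -I FORWARD"
# achieves on a live system.
ruleset() {
cat <<EOF
# nat PREROUTING is traversed before the routing decision and only for the
# first packet of a connection. A DNAT'd connection is then routed to
# $LAN_HOST and passes through FORWARD, never INPUT, so an INPUT DROP
# cannot see it.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp -d $WAN_IP --dport $SSH_PORT -j DNAT --to-destination $LAN_HOST
-A POSTROUTING -s $LAN_HOST ! -d $LAN_NET -j SNAT --to-source $WAN_IP
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $BLOCKED -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# The fix from the reply. When FORWARD sees the packet, DNAT has already
# rewritten the destination to $LAN_HOST, so the rule could be narrowed with
# "-d $LAN_HOST -p tcp --dport $SSH_PORT". It must precede the ACCEPT below.
-A FORWARD -s $BLOCKED -j DROP
-A FORWARD -i $WAN_IF -d $LAN_HOST -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Sanity check: the FORWARD DROP for the blocked subnet must appear before
# the first FORWARD ACCEPT; otherwise the forwarded SSH connections would be
# accepted first and the DROP would never match them.
forward_drop_precedes_accept() {
    drop=$(ruleset | grep -n "^-A FORWARD -s $BLOCKED -j DROP" | head -n 1 | cut -d: -f1)
    accept=$(ruleset | grep -n '^-A FORWARD .*-j ACCEPT' | head -n 1 | cut -d: -f1)
    [ -n "$drop" ] && [ -n "$accept" ] && [ "$drop" -lt "$accept" ]
}

case "${1:-show}" in
    show)  ruleset ;;
    check) forward_drop_precedes_accept && echo "FORWARD DROP precedes FORWARD ACCEPT" ;;
    apply) forward_drop_precedes_accept && ruleset | iptables-restore ;;
esac
```

Run it without arguments to print the ruleset, with "check" to verify the ordering, and with "apply" (as root, after replacing the placeholder address) to load it. If the aim really is to discard the packets before nat PREROUTING is consulted at all, the raw table's PREROUTING chain is traversed earlier and accepts DROP (iptables -t raw -A PREROUTING -s 23.132.208.0/24 -j DROP); that also keeps the scanner's connections out of the connection tracking table.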