LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 11-08-2011, 02:27 AM   #1
hermouche
Member
 
Registered: Nov 2004
Location: Algeria
Posts: 111

Dropping a host with iptables!


Hi everybody everywhere,

We have a gateway with two NICs:
eth0: 192.168.1.2 <-----> connected to modem/router -----> WAN
eth1: 192.168.0.0/24 ----------> LAN

Actually, as far as my understanding goes:
  1. if a packet is destined to the gateway, it goes right to the INPUT chain and so on....
  2. if a packet is destined to the LAN, the route changes and the packet follows the FORWARD chain and so on ....

So now, if I want to stop a host which is on the LAN (192.168.0.10), I've done the following:

Quote:
iptables -I INPUT -m mac --mac-source 00:1E:58:9E:E4:E8 -j DROP
The host (192.168.0.10) stopped surfing, which is great, but I thought that we should apply the rule within the FORWARD chain instead, since this host is on the LAN and is not the gateway!!!

Any suggestion please?

Thanks for the reply
red

Last edited by hermouche; 11-08-2011 at 02:28 AM.
 
Old 11-08-2011, 02:42 AM   #2
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

Quote:
Originally Posted by hermouche
  1. if a packet is destined to the gateway, it goes right to the INPUT chain and so on....
  2. if a packet is destined to the LAN, the route changes and the packet follows the FORWARD chain and so on ....
Correct. http://www.linuxhomenetworking.com/w...t_Flow_Diagram

Quote:
Originally Posted by hermouche
The host (192.168.0.10) stopped surfing, which is great, but I thought that we should apply the rule within the FORWARD chain instead, since this host is on the LAN and is not the gateway!!!
Is the gateway running DNS for the LAN?
If so, the DNS requests will go to the gateway, via INPUT, and dropping them will prevent DNS requests from resolving.
If this is the case, can the host connect using an IP instead of DNS?

A transparent proxy redirection rule could have the same result.
 
Old 11-08-2011, 02:56 AM   #3
hermouche
Member
 
Registered: Nov 2004
Location: Algeria
Posts: 111

Original Poster
Quote:
Originally Posted by fukawi1
Correct. http://www.linuxhomenetworking.com/w...t_Flow_Diagram

Is the gateway running DNS for the LAN?
If so, the DNS requests will go to the gateway, via INPUT, and dropping them will prevent DNS requests from resolving.
If this is the case, can the host connect using an IP instead of DNS?

A transparent proxy redirection rule could have the same result.
Thanks for the reply fukawi1,


Well we have got both:
- hosts on LAN are using the Gateway as a DNS server (192.168.0.1) via the DHCPD, and
- we have got a transparent proxy
Quote:
iptables -t nat -A PREROUTING -i $INTERNAL_INT -p tcp --dport 80 -j REDIRECT --to-port 3128
Please fukawi1, what do you mean by:

Quote:
If this is the case, can the host connect using an IP instead of DNS?
Thanks again
red
 
Old 11-08-2011, 03:14 AM   #4
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

If the gateway is handling DNS, then trying to connect/browse etc. by using an IP address in the host's browser, rather than a domain name, i.e.:
Code:
http://74.125.237.82
instead of
Code:
http://google.com
would most likely work..
So you would need to add the same rule to the FORWARD chain..
 
Old 11-08-2011, 03:40 AM   #5
hermouche
Member
 
Registered: Nov 2004
Location: Algeria
Posts: 111

Original Poster
Quote:
Originally Posted by fukawi1
If the gateway is handling DNS, then trying to connect/browse etc. by using an IP address in the host's browser, rather than a domain name, i.e.:
Code:
http://74.125.237.82
instead of
Code:
http://google.com
would most likely work..
So you would need to add the same rule to the FORWARD chain..
Oh yes, I see now.
Well, it works both ways, yes,
either, as you said, "using an IP address or domain name".
Thanks.

Just to be clear, I'm a little confused:
The packet should initially traverse the FORWARD chain. Since the same packet needs the DNS, which is located on the gateway, the packet just changes its way and traverses the INPUT chain!!!!

Is that right? I'm not sure about it.

In other words, why can I not stop the host (192.168.0.10) just by saying:
Quote:
iptables -I FORWARD -s 192.168.0.10 -j DROP
or

Quote:
iptables -I FORWARD -d 192.168.0.10 -j DROP
red

Last edited by hermouche; 11-08-2011 at 03:52 AM.
 
Old 11-08-2011, 04:14 AM   #6
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

Check out the picture in the link I posted above. It shows a flowchart of when a packet passes through each table/chain..

Because the transparent proxy rule you have is intercepting the packets destined for the internet in nat/PREROUTING,
the packet passes through the filter/INPUT chain to squid BEFORE it gets to the filter/FORWARD chain; squid then sends the requests out to the internet..
So you need the filter/INPUT rule.

As I understand it (and I stand to be corrected):
the host sends some packets asking the gateway to resolve google.com (filter/INPUT)
the gateway looks locally to resolve the name; if it can't, it asks the nameservers in /etc/resolv (filter/OUTPUT)
once the gateway has obtained an answer it responds to the host with 74.125.237.82 (filter/OUTPUT)

the host then initiates a connection with 74.125.237.82.. which goes to the gateway (nat/PREROUTING)
these packets then hit the squid intercept rule, and get sent to squid running locally (filter/INPUT)
it then gets processed by squid and gets sent to its destination of 74.125.237.82


As I said though, I stand to be corrected on that..

Last edited by fukawi1; 11-08-2011 at 04:18 AM.
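To make the traversal fukawi1 describes concrete, here is an added Python model (not code from the thread or from any poster) of the gateway: it applies the nat/PREROUTING REDIRECT first, then the routing decision, then the two drop rules from the thread, and it goes one step further than the posts by also testing a non-proxied flow (tcp/443 to the same address), which shows that the INPUT rule alone misses unproxied traffic while the FORWARD rule alone misses the redirected HTTP and the DNS queries. The set of gateway-local addresses and the packet tuples are assumptions.

```python
# Added illustration, not the posters' own rules: model which filter chain a
# packet from the LAN host reaches on the gateway in this thread, given the
# nat/PREROUTING REDIRECT to squid. Addresses, MAC and ports are the thread's
# values; the packet tuples below are constructed for the demonstration.

GATEWAY_ADDRS = {"192.168.0.1", "192.168.1.2"}  # assumed addresses local to the gateway
BLOCKED_MAC = "00:1E:58:9E:E4:E8"
BLOCKED_IP = "192.168.0.10"

def prerouting_redirect(pkt):
    """nat/PREROUTING: -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128.
    REDIRECT rewrites the destination to a local address, so the routing
    decision that follows sends the packet to INPUT rather than FORWARD."""
    if pkt["iif"] == "eth1" and pkt["proto"] == "tcp" and pkt["dport"] == 80:
        return dict(pkt, dst="192.168.0.1", dport=3128)
    return pkt

def chain_for(pkt):
    """Routing decision after PREROUTING: local destination -> INPUT, else FORWARD."""
    return "INPUT" if prerouting_redirect(pkt)["dst"] in GATEWAY_ADDRS else "FORWARD"

# The two drop rules discussed in the thread, as (chain, match function).
INPUT_MAC_RULE = ("INPUT", lambda p: p["mac"] == BLOCKED_MAC)     # -I INPUT -m mac --mac-source ... -j DROP
FORWARD_SRC_RULE = ("FORWARD", lambda p: p["src"] == BLOCKED_IP)  # -I FORWARD -s 192.168.0.10 -j DROP

def verdict(pkt, rules):
    """First matching rule in the chain the packet actually traverses wins."""
    chain = chain_for(pkt)
    for rule_chain, matches in rules:
        if rule_chain == chain and matches(pkt):
            return chain, "DROP"
    return chain, "ACCEPT"

def host_packet(dst, proto, dport):
    """Constructed packet from the blocked LAN host arriving on eth1."""
    return {"iif": "eth1", "mac": BLOCKED_MAC, "src": BLOCKED_IP,
            "dst": dst, "proto": proto, "dport": dport}

if __name__ == "__main__":
    flows = {"DNS to gateway": host_packet("192.168.0.1", "udp", 53),
             "HTTP to 74.125.237.82": host_packet("74.125.237.82", "tcp", 80),
             "HTTPS to 74.125.237.82": host_packet("74.125.237.82", "tcp", 443)}
    for rules_name, rules in (("INPUT rule only", [INPUT_MAC_RULE]),
                              ("FORWARD rule only", [FORWARD_SRC_RULE]),
                              ("both rules", [INPUT_MAC_RULE, FORWARD_SRC_RULE])):
        for flow, pkt in flows.items():
            print(f"{rules_name:18} {flow:24} -> {verdict(pkt, rules)}")
```

Run as a script it prints the chain and verdict for each flow under each rule set; only with both rules loaded is every flow from the host dropped.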
 
Old 11-08-2011, 04:55 AM   #7
hermouche
Member
 
Registered: Nov 2004
Location: Algeria
Posts: 111

Original Poster
Quote:
Originally Posted by fukawi1
Check out the picture in the link I posted above. It shows a flowchart of when a packet passes through each table/chain..

Because the transparent proxy rule you have is intercepting the packets destined for the internet in nat/PREROUTING,
the packet passes through the filter/INPUT chain to squid BEFORE it gets to the filter/FORWARD chain; squid then sends the requests out to the internet..
So you need the filter/INPUT rule.

As I understand it (and I stand to be corrected):
the host sends some packets asking the gateway to resolve google.com (filter/INPUT)
the gateway looks locally to resolve the name; if it can't, it asks the nameservers in /etc/resolv (filter/OUTPUT)
once the gateway has obtained an answer it responds to the host with 74.125.237.82 (filter/OUTPUT)

the host then initiates a connection with 74.125.237.82.. which goes to the gateway (nat/PREROUTING)
these packets then hit the squid intercept rule, and get sent to squid running locally (filter/INPUT)
it then gets processed by squid and gets sent to its destination of 74.125.237.82

As I said though, I stand to be corrected on that..
Thank you very much, I am getting better now

According to the linked picture, and if I follow your reasoning:
1) Network B >>> data for the firewall >>> filter INPUT (looking for DNS (resolving))
2) if the resolving is done
3) Network B >>>>> Network A, however the NAT PREROUTING stops the packet (squid) and the packet will follow the other way:
Data for the firewall >>>>>> filter INPUT >>>> Network A

I think it makes sense and is logical.
It is not obvious at all for someone who tries to learn (Netfilter) independently (needs help).

Even if someone reads a lot of books, I think an expert is still needed (at least in the beginning), right!!

Thanks a lot for your patience

red
 
Old 11-08-2011, 05:01 AM   #8
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

I am a welder by trade, and I figured it out. Largely from that link I keep referring people to.
If I can do it, anyone can..

Another handy note: when working on something remotely (a VPS for example), before I load a new set of rules or substantially change things, I always set up a cron/at job to load a very basic default set of rules, in the event I have one of those facepalm moments and DROP ssh without leaving it open to my IP, or something equally stupid..
 
  

