My question is why this is working: why don't I need to open 80, 443, 53 on INPUT and OUTPUT, and have this working only with forwarding? So desktoplinux has internet with these rules. I know that it is something about the OSI model, and that some functions of the wireless card handle connections or it has a built-in dhcpcd so it is not part of the kernel. The logic is INPUT then ROUTING DECISION then FORWARDING, so in this case INPUT is already somehow predefined. Does anyone know something about this?
routerISP------>linuxPC1(act like router2)----->desktoplinux
--------------------wlp2s0-connect to wireless--------tap1
--------------------ens3-dhcpd server
So ens3 has dhcpd subnet 1.1.1.1, tap1 gets its IP from this interface.
Yes, I saw that, but I'm confused by this PREROUTING. But now I saw that the PREROUTING chain is always on ACCEPT; is there a way to put it to DROP as a default policy like INPUT or OUTPUT?
Actually, now I saw that you cannot put DROP on the nat chain, because it is not for filtering. But that doesn't matter: if a packet passes PREROUTING, it cannot pass if it is not allowed on INPUT etc...
But why is ACCEPT allowed, and why do we use ACCEPT on PREROUTING?
Yes, I saw that, but I'm confused by this PREROUTING. But now I saw that the PREROUTING chain is always on ACCEPT; is there a way to put it to DROP as a default policy like INPUT or OUTPUT?
Yes, you can, though the DROP target is more commonly associated with the "filter" table. You can set a default policy for any of the built-in chains, including PREROUTING.
iptables -t mangle -I PREROUTING -j DROP and this is working, I lost the connection, but is it possible to use a default policy like on the INPUT and OUTPUT chains? I know it's the same, but you know, I want to know.
But when I put this mangle on DROP, -t nat stopped working; it seems that if a packet stops on mangle or raw, it doesn't pass to nat. I tried Google and looked at the man page, but I cannot find how to put the default policy to DROP on nat.
iptables -P -t nat PREROUTING DROP = bad argument PREROUTING
The chain name and policy need to immediately follow the "-P" flag.
Code:
iptables -t nat -P PREROUTING DROP
Once a packet hits a DROP target, that's the end of it. It won't be processed any further. If you set a default policy of DROP, you'd better make sure that any packet you want to accept doesn't fall through to that default policy.
Also, doing filtering in tables other than "filter" is generally not recommended due to (unspecified) side effects. Also, packets for connections not in the NEW state don't pass through the "nat" table at all, and thus might slip by your DROP rule there.
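The traversal order discussed in this thread, as an added example that is not part of any post above: a simplified Python model (raw, mangle, nat and filter tables only) showing which chains a packet arriving on an interface visits when it is forwarded versus delivered locally, and what a DROP in mangle or nat PREROUTING does. The function names and the `drops` parameter are made up for this sketch; the nat behaviour for non-NEW packets follows the statement in the last reply.

```python
# Simplified model of the netfilter traversal order for a packet that
# ARRIVES on an interface. Constructed for illustration; not kernel code.
PRE = [("raw", "PREROUTING"), ("mangle", "PREROUTING"), ("nat", "PREROUTING")]
LOCAL_IN = [("mangle", "INPUT"), ("filter", "INPUT")]
FORWARD = [("mangle", "FORWARD"), ("filter", "FORWARD")]
POST = [("mangle", "POSTROUTING"), ("nat", "POSTROUTING")]


def traverse(dst_is_local, ctstate="NEW", drops=frozenset()):
    """Return (verdict, visited) for one packet.

    dst_is_local: True if the routing decision delivers to this host.
    ctstate:      conntrack state; nat chains are evaluated only for NEW.
    drops:        (table, chain) pairs where a DROP rule or policy matches.
    """
    # The routing decision happens after PREROUTING and picks ONE branch:
    # INPUT for local delivery, FORWARD + POSTROUTING for routed traffic.
    path = PRE + (LOCAL_IN if dst_is_local else FORWARD + POST)
    visited = []
    for table, chain in path:
        if table == "nat" and ctstate != "NEW":
            continue  # existing NAT mapping is reused, chain is skipped
        visited.append((table, chain))
        if (table, chain) in drops:
            return "DROP", visited  # terminal: no later chain sees it
    return "ACCEPT", visited


def chains(visited, table="filter"):
    """Names of the chains visited in one table."""
    return [c for t, c in visited if t == table]


if __name__ == "__main__":
    closed = {("filter", "INPUT"), ("filter", "OUTPUT")}
    # desktoplinux -> internet via linuxPC1 is routed, so INPUT/OUTPUT
    # drops never see it; only filter FORWARD does.
    print(traverse(False, drops=closed))
    # DROP in mangle PREROUTING: the packet never reaches nat.
    print(traverse(False, drops={("mangle", "PREROUTING")}))
    # DROP in nat PREROUTING: stops NEW, misses ESTABLISHED.
    print(traverse(False, "NEW", {("nat", "PREROUTING")}))
    print(traverse(False, "ESTABLISHED", {("nat", "PREROUTING")}))
```
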