Old 01-09-2007, 10:31 PM   #1
How to make iptables (NAT) not send RST back


I have some questions about using iptables to set up a NAT.
Currently my rules are:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

Where eth0 is my internal network and eth1 is the external network.

With this, once my NAT receives an unsolicited TCP SYN, it replies with a TCP RST.
Is it possible to make it just drop this SYN without sending the RST back?

Old 01-10-2007, 06:14 AM   #2
If this packet was not related to an already MASQUERADEd connection (as I think would be true of all SYN packets), NAT would leave it alone and it would be handled by the INPUT chain. So if you wanted to stealth everything not MASQUERADEd that comes in on eth1, you could

iptables -A INPUT -i eth1 -j DROP

if you wanted to just drop SYN packets, you could

iptables -A INPUT -i eth1 -p tcp --syn -j DROP

or if you had traffic from the local computer you wanted to let back and forth to the internet you could

iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -j DROP

Of course, there are other variations.

EDIT: If you want to filter NATted traffic, one thing you need to be aware of is that after the initial outgoing packet gets NATted, no other packets for that connection, in either direction, pass through the POSTROUTING chain. So any filtering would have to be done in the FORWARD chain.

Last edited by blackhole54; 01-10-2007 at 06:19 AM.
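The rules from the question and the reply above, assembled into one script as an added example (not code from the thread). It goes a little beyond the posts by adding deny-by-default policies and a loopback rule, and it prints the commands instead of applying them unless IPT is set to iptables; interface names and the IPT variable are assumptions.

```sh
#!/bin/sh
# Added example: stealth NAT ruleset (unsolicited SYN on the external
# interface is dropped, not answered with RST). IPT defaults to "echo
# iptables" so the rules are printed for review; run with IPT=iptables as
# root to install them. LAN_IF/WAN_IF are assumed interface names.
set -eu
LAN_IF="${LAN_IF:-eth0}"          # internal network
WAN_IF="${WAN_IF:-eth1}"          # external network
IPT="${IPT:-echo iptables}"

nat_stealth_rules() {
    # Start clean with deny-by-default on the chains the box terminates.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback and replies to connections this host opened itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Unsolicited SYNs from outside are dropped silently instead of getting
    # a RST. This must come AFTER the ESTABLISHED,RELATED accept above.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --syn -j DROP
    # Everything else unsolicited from outside (explicit, so counters show).
    $IPT -A INPUT -i "$WAN_IF" -j DROP
    # Masquerade LAN hosts; NAT only sees a connection's first packet, so
    # per-connection filtering lives in FORWARD, not POSTROUTING.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
}

# Number of append (-A) rules the script would install.
rule_count() {
    nat_stealth_rules | grep -c -- '-A '
}

# Returns 0 when the INPUT accept for ESTABLISHED,RELATED precedes the SYN
# drop (otherwise return traffic to the box itself would be dropped too).
check_order() {
    rules=$(nat_stealth_rules)
    acc=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -m state' | cut -d: -f1)
    drop=$(printf '%s\n' "$rules" | grep -n -- '--syn -j DROP' | cut -d: -f1)
    [ "$acc" -lt "$drop" ]
}

nat_stealth_rules
```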
Old 01-10-2007, 07:46 AM   #3
Original Poster
Thank you very much,

Actually, I am now testing NAT traversal. Many of the techniques used to punch a hole in the NAT cannot accept an RST back, because the hole is closed if an RST comes.

Thanks again, I will try to set it up as you suggest.

