Greetings Experts

Firewalls seem to be taking up all of my time this past couple of weeks.

I have a Linux box acting as a firewall; that is all it does: NAT and filtering.  The NAT comes first (in the iptables rules), then the filtering, that is, some IP addresses that I want to DROP.

The way I have this set up, it appears that the routing is taking place before the DROP. Is this the way it does in fact happen?  Can I just rearrange the sequence in the iptables rules?  Or when I restart iptables will it just put it back anyway?

noci, Software Engineer, commented:
iptables-save >a-file      # will store your tables to a file
iptables-restore <a-file   # will restore them from a file

iptables works like this (through the system, if ip_forward is enabled):

  PREROUTING (-t nat)  (here DNAT can take place)
  FORWARD  (-t filter) (just filtering)
  POSTROUTING (-t nat)  (here SNAT can take place)

Access into the system:
  PREROUTING (-t nat)   (for DNAT)
  INPUT (-t filter)

Access out of the system
  OUTPUT (-t filter)
  OUTPUT (-t nat)  (for SNAT)

  The routing decision is taken in between, selecting either INPUT or FORWARD.

The dropping of packets SHOULD be done in INPUT, OUTPUT or FORWARD,
as the -t nat tables are only accessed for the first packet of a TCP/IP connection;
the answer there is used for all other packets.

iptables -I FORWARD -s <address> -j DROP
iptables -I INPUT   -s <address> -j DROP
iptables -I FORWARD -d <address> -j DROP
iptables -I OUTPUT  -d <address> -j DROP

will block anything from or to <address>.

If you need more information then you need to provide more background information
about your question.

Kind regards,
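
The layout described in this answer, written out as an added example (this is not code from the thread): a shell function that emits a complete ruleset in the format iptables-save writes and iptables-restore reads, plus a checker for the two properties the thread is about. Accept/drop decisions live in the filter table and address translation in the nat table. The order of the two tables in the saved file says nothing about evaluation order: a packet that is DNATed in nat PREROUTING still has to pass filter FORWARD on the firewall, so a DROP there stops it before it reaches the internal host. Interface names, addresses and ports are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface names, addresses and
# ports below are assumptions; replace them with the real ones.

WAN_IF=eth0
LAN_IF=eth1
NAT_IP=203.0.113.10        # public address on eth0 (assumed, documentation range)
WEB_SERVER=192.168.1.20    # internal host reached through DNAT on TCP/80 (assumed)

# build_ruleset BLOCKED_IP...  -> complete iptables-restore ruleset on stdout
build_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Blocked hosts first, in the filter chains: these run for every packet,
    # whereas nat is consulted only for the first packet of a connection.
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -s $ip -j DROP"
        printf '%s\n' "-A FORWARD -s $ip -j DROP"
        printf '%s\n' "-A FORWARD -d $ip -j DROP"
    done
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT"
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    # FORWARD sees the packet after DNAT, so match the rewritten (internal) destination.
    printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
    printf '%s\n' 'COMMIT'
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' "-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER"
    printf '%s\n' "-A POSTROUTING -o $WAN_IF -j SNAT --to-source $NAT_IP"
    printf '%s\n' 'COMMIT'
}

# check_ruleset: read a ruleset on stdin; exit 0 only if no DROP sits in the nat
# table and, per filter chain, the blanket DROPs come before the first ACCEPT
# (a heuristic for "block lists first", not a full policy check).
check_ruleset() {
    awk '
        substr($0, 1, 1) == "*" { table = substr($0, 2); next }
        $1 != "-A"              { next }
        table == "nat" && /-j DROP/ {
            print "DROP in nat table (belongs in filter): " $0 > "/dev/stderr"; bad = 1
        }
        table == "filter" {
            if (/-j ACCEPT/) accepted[$2] = 1
            if (/-j DROP/ && accepted[$2]) {
                print "DROP after an ACCEPT in " $2 ": " $0 > "/dev/stderr"; bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Usage (as root):
#   build_ruleset 198.51.100.7 > /etc/myfirewall
#   check_ruleset < /etc/myfirewall && iptables-restore < /etc/myfirewall
if [ $# -gt 0 ]; then
    build_ruleset "$@"
fi
```

Running the script with one or more addresses prints the ruleset; pipe it through check_ruleset before loading it, and keep the loaded result with iptables-save as described above so a restart does not reorder anything.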
For saving iptables information, use the following command:

# iptables-save > /etc/myfirewall

To restore, write this command to /etc/rc.local:

1) Edit /etc/rc.local with: vi /etc/rc.local
2) Add this command: iptables-restore < /etc/myfirewall
3) :wq

To DROP IPs, if eth0 is connected to the Internet and eth1 is connected to the LAN:

iptables --flush -t nat
iptables --flush

echo 1 > /proc/sys/net/ipv4/ip_forward

# natip: the valid (public) IP assigned to eth0
# x.y.z.q is the IP to filter

iptables -A FORWARD -s x.y.z.q -j DROP
iptables -A INPUT -i eth0 -s x.y.z.q -j DROP
iptables -A INPUT -i eth1 -s x.y.z.q -j DROP

iptables -t nat -A POSTROUTING -o eth0  -j SNAT --to $natip

good luck

Len45 (Author) commented:
I guess I did not make myself clear...

I have prerouting and postrouting and that is working fine.

When I do an iptables-save and then cat the saved tables, the pre/post routing rules are listed, then the DROP lines are listed.

It seems that traffic is "forwarded" to the internal IPs before the DROP is processed.  Is this the way it actually happens?  That would mean that I would have to have the DROP on the machine that the traffic ends up on.

noci, Software Engineer, commented:
When a rule matches with either SNAT, DNAT or ACCEPT, then processing is done;
no next rule will execute.
So if you want to drop it BEFORE SNAT/DNAT, then you first have to drop the packet
(well, you'd be dropping NAT).

Either way, DROP/ACCEPT rules (for accepting traffic or not) are for FILTERS:

the (INPUT, OUTPUT, FORWARD) chains in iptables -t filter, not the -t nat (PREROUTING, OUTPUT, POSTROUTING) chains.

In the FORWARD chain, add filters like:

iptables -I FORWARD

with the right matching (-s for source address, -d for destination address, -i input interface, -o output interface, --dport for destination port,
-p tcp + --syn for TCP start packets,
-p udp for UDP packets,
-m state for state management, etc.)
and ACCEPT, DROP, REJECT or LOG them there...

Gabriel Orozco, Solution Architect, commented:
I think I understand what you want.

You need this address to be stopped BEFORE it's redirected. You already tried, but look at your rules: the DROP is AFTER the rule that redirects/forwards the client.

iptables reads its configuration from top to bottom. You just need to move the DROP rule to be BEFORE the redirection/forward one.

Note that you can also DROP an IP in the PREROUTING chain of the nat table, so it will be dropped BEFORE any redirect. This is an example:

# drops packets going to a web server not on the internal network
# (-A appends, so the rules keep this order; a second -I would put the REDIRECT above the DROP)
iptables -A PREROUTING -t nat -s ip.not.allowed -p tcp --dport 80 -j DROP
# redirects all other web packets to the squid proxy:
iptables -A PREROUTING -t nat -s <lan-network> -p tcp --dport 80 -j REDIRECT --to-port 3128

This will stop the "ip.not.allowed" IP address from accessing the web through your Linux firewall.

is this what you want?
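
The ordering point in this answer, as an added example that is not code from the thread: a small model of how iptables orders rules within one chain. "-I" inserts at position 1 (or at the position given) and "-A" appends at the end; nothing re-sorts the chain afterwards, so if both PREROUTING rules above are added with -I, the REDIRECT typed second lands above the DROP and the blocked host is redirected before it can be dropped. The chain is modelled as a temporary file with one rule per line; the addresses and the model_rule helper are assumptions for illustration, not iptables itself.

```shell
#!/bin/sh
# Added example, not from the original thread: models rule ordering inside one
# iptables chain. Addresses are assumptions; model_rule is a hypothetical stand-in
# for "iptables -t nat <op> PREROUTING ...".

CHAIN_FILE=$(mktemp)
trap 'rm -f "$CHAIN_FILE" "$CHAIN_FILE.new"' EXIT

reset_chain() { : > "$CHAIN_FILE"; }

# model_rule -A RULE...        append to the end of the chain
# model_rule -I [POS] RULE...  insert at POS (default 1); a position past the end
#                              appends here, where iptables would reject it
model_rule() {
    op=$1; shift
    case $op in
        -A) printf '%s\n' "$*" >> "$CHAIN_FILE" ;;
        -I)
            pos=1
            case $1 in [0-9]*) pos=$1; shift ;; esac
            awk -v pos="$pos" -v rule="$*" '
                NR == pos { print rule; done = 1 }
                { print }
                END { if (!done) print rule }
            ' "$CHAIN_FILE" > "$CHAIN_FILE.new" && mv "$CHAIN_FILE.new" "$CHAIN_FILE"
            ;;
        *) echo "unsupported operation: $op" >&2; return 1 ;;
    esac
}

# rule_at N: the rule at position N, like one line of "iptables -L --line-numbers"
rule_at() { sed -n "${1}p" "$CHAIN_FILE"; }

list_chain() { awk '{ printf "%d\t%s\n", NR, $0 }' "$CHAIN_FILE"; }

DROP_RULE='-s ip.not.allowed -p tcp --dport 80 -j DROP'
REDIRECT_RULE='-s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128'

# Both rules added with -I: the second insert lands above the first,
# so position 1 is the REDIRECT and the blocked host is never dropped.
inserted_twice() {
    reset_chain
    model_rule -I $DROP_RULE
    model_rule -I $REDIRECT_RULE
    rule_at 1
}

# Both rules added with -A: the chain reads top to bottom in the order typed.
appended() {
    reset_chain
    model_rule -A $DROP_RULE
    model_rule -A $REDIRECT_RULE
    rule_at 1
}

inserted_twice > /dev/null; printf 'both rules added with -I:\n'; list_chain
appended > /dev/null;       printf 'both rules added with -A:\n'; list_chain
```

On a live system the equivalent check is `iptables -t nat -L PREROUTING --line-numbers`: the DROP for the blocked address has to show a lower line number than the REDIRECT, whichever flags were used to add them.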
