DROP or REJECT packets from PREROUTING NAT table in iptables

Goal is to allow only specific networks to access docker container services/ports running on my server.

Tried adding ACCEPT rules into the INPUT filter chain. That did not help: networks even without an ACCEPT rule were still able to access the docker service/port.

Tried adding ACCEPT and DROP rules in the FORWARD chain; this works. But this has many disadvantages, like:
  a. Rules getting deleted or re-positioned on docker restart
  b. Rules can become invalid if docker containers are re-deployed and get different IPs at runtime

Plan is to BLOCK them before even reaching the FORWARD chain.

So, added a new chain in the NAT table, which redirects to the DOCKER chain if traffic is from an allowed network; if it is from other networks, added a DNAT to a BLOCKHOLE IP. In PREROUTING, the first rule is to jump to this chain. This seems to be working.

    DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234 to:0.0.0.1

But, instead of redirecting it to a BLOCKHOLE, can we somehow REJECT this traffic so that the client knows it is not allowed and hence refused?
  • Tried: DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234 to:<Server-IP> and catch the same port traffic in the INPUT filter and DROP/REJECT. Even then the client gets 'Connection Timed out'. So it's the same behavior even if we direct the traffic to a BLOCKHOLE.
    – Ram
    Aug 31 at 10:10
Tags: iptables nat
asked Aug 31 at 9:36
Ram
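The REJECT target is only accepted in the filter table (INPUT, FORWARD, OUTPUT), so a nat-table PREROUTING chain can redirect but never refuse a connection; the filter-table chain Docker itself provides for operator rules, DOCKER-USER, is traversed from FORWARD ahead of Docker's own rules and is not flushed when Docker restarts, which also addresses the two disadvantages listed in the question. The script below is an added example, not code from the question or from the Docker project; it assumes the external interface name eth0, the published port 1234 and the two allowed networks as placeholders, and only prints the commands unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example (not from the question): restrict a Docker-published port to
# allowed source networks from the DOCKER-USER chain (filter table, reached
# from FORWARD before Docker's own rules), where REJECT is a valid target.
# Assumed placeholders: EXT_IF, PORT and the networks below. By default the
# commands are only printed; run with IPT=iptables to apply them for real.
IPT=${IPT:-echo iptables}
EXT_IF=${EXT_IF:-eth0}
PORT=${PORT:-1234}

# docker_user_rules PORT ALLOWED_NET...
# Rejects connections to the published PORT with a TCP RST (client sees
# "connection refused" instead of a timeout), except from the listed
# networks, which RETURN so Docker's own DOCKER chain decides as usual.
# Matching the conntrack *original* destination port (the port before the
# PREROUTING DNAT) keeps the rules valid when the container gets a new IP
# after a redeploy, because the container address is never referenced.
docker_user_rules() {
  port=$1; shift
  # -I inserts at the top: insert the REJECT first, then each exception
  # above it, so the final order is ALLOW..., REJECT.
  $IPT -I DOCKER-USER -i "$EXT_IF" -p tcp -m conntrack --ctorigdstport "$port" \
    -j REJECT --reject-with tcp-reset
  for net in "$@"; do
    $IPT -I DOCKER-USER -i "$EXT_IF" -p tcp -m conntrack --ctorigdstport "$port" \
      -s "$net" -j RETURN
  done
}

# Constructed sample networks (documentation prefixes); prints three rules.
docker_user_rules "$PORT" 192.0.2.0/24 198.51.100.0/24
```

Rules in DOCKER-USER are evaluated for forwarded traffic only, which is exactly the path a DNATed connection to a published port takes, so nothing here touches INPUT.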