DROP or REJECT packets from PREROUTING NAT table in iptables
Goal is to allow only specific networks to access docker container services/ports running on my server.
Tried adding ACCEPT rules into the INPUT filter chain. That did not help; networks even without an ACCEPT rule were still able to access the docker service/port.
Tried adding ACCEPT and DROP rules in the FORWARD chain; this works, but it has many disadvantages, like:
a. Rules getting deleted or re-positioned on docker restart
b. Rules can become invalid if docker containers are re-deployed and get different IPs at runtime
Plan is to BLOCK them before even reaching the FORWARD chain.
So, added a new chain in the NAT table, which redirects to the DOCKER chain if traffic is from an allowed network; if it is from other networks, added a DNAT to a BLACKHOLE IP. In PREROUTING, the first rule is to jump to this chain. This seems to be working.
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234 to:0.0.0.1
But, instead of redirecting it to a BLACKHOLE, can we somehow REJECT this traffic so that the client knows it is not allowed and hence refused?
iptables nat
asked Aug 31 at 9:36
Ram
Tried: DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234 to:<Server-IP> and catch the same port traffic in the INPUT filter and DROP/REJECT. Even then the client gets 'Connection timed out'. So it's the same behavior even if we direct the traffic to a BLACKHOLE.
Ram
Aug 31 at 10:10
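Added example, not part of the question or of any answer on this page. The nat table cannot do what the question asks: REJECT is only valid in the filter table's INPUT, FORWARD and OUTPUT chains and in user chains called from them, so nat PREROUTING accepts DROP but not REJECT. Traffic to a published container port is DNATed to the bridge and forwarded, so it never traverses INPUT either, which is why the INPUT rules had no effect. Docker provides the DOCKER-USER chain in the filter table precisely for this case: FORWARD jumps to it before Docker's own DOCKER chain, Docker does not flush it on restart, and matching on the original (pre-DNAT) destination port with the conntrack match keeps the rules independent of whatever IP a container gets. The script below builds that rule set; the interface name eth0, the allowed network 192.168.1.0/24 and port 1234 are assumed values, not taken from the post, and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not from the question): restrict access to a Docker-published
# port per source network from the DOCKER-USER chain of the filter table.
# Allowed sources RETURN to FORWARD (where Docker's own rules ACCEPT them);
# everyone else gets a TCP RST instead of a silent timeout.
#
# Assumed values (not in the original post): external interface eth0,
# allowed network 192.168.1.0/24, published port 1234.
EXT_IF="${EXT_IF:-eth0}"
ALLOWED_NET="${ALLOWED_NET:-192.168.1.0/24}"
PORT="${PORT:-1234}"
IPT="${IPT:-iptables}"   # set IPT=echo to preview the commands without root

# Emit the iptables commands, one per line, so they can be reviewed or applied.
# --ctorigdstport matches the port the client connected to before DNAT rewrote
# it, so no container IP appears anywhere in the rules.
docker_user_rules() {
    cat <<EOF
$IPT -t filter -F DOCKER-USER
$IPT -t filter -A DOCKER-USER -i $EXT_IF -p tcp -m conntrack --ctdir ORIGINAL --ctorigdstport $PORT -s $ALLOWED_NET -j RETURN
$IPT -t filter -A DOCKER-USER -i $EXT_IF -p tcp -m conntrack --ctdir ORIGINAL --ctorigdstport $PORT -j REJECT --reject-with tcp-reset
$IPT -t filter -A DOCKER-USER -j RETURN
EOF
}

# Number of rules that will be appended (the flush is not counted).
docker_user_rule_count() {
    docker_user_rules | grep -c -- '-A DOCKER-USER'
}

# Apply the rule set; needs root and an existing DOCKER-USER chain
# (created by Docker 17.06 and later).
apply_rules() {
    docker_user_rules | while IFS= read -r cmd; do
        $cmd || return 1
    done
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     docker_user_rules ;;
esac
```

Run the script without arguments to print the rules it would install, and with `apply` as root to install them. Before applying, confirm the chain exists with `iptables -t filter -L DOCKER-USER`; the flush at the top only empties DOCKER-USER, and the trailing RETURN restores the rule Docker itself places there. Any source outside the allowed network now receives a reset on port 1234, while all other forwarded traffic is left to Docker's rules.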