3
iptables -t filter -A OUTPUT -d 1.2.3.4 -j DROP
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner abc -j DNAT --to 127.0.0.1:121

The first rule does not work because nat is processed before filter. Is there any way to bypass it?

user173616

2 Answers

4

You are not required to filter anything before DNAT. You are asking the wrong question.

You should have a look at man iptables-extensions, especially the conntrack module with its options --ctstate DNAT, --ctorigdst, and --ctorigdstport.

neuro
Hauke Laging
  • Do you think I am impressed by you ignoring what somebody with good `iptables` knowledge (in this case: me) told you? If you could assess what is "obviously" possible and what not with `iptables` then you would not ask such a beginner's question. Thus do as I told you: Have a look at the man page and realize how wrong you are. – Hauke Laging May 14 '13 at 01:41
  • 2
    This answer, while relatively short, was the solution to my problem of locking down docker containers to only certain source IPs and host destination ports. For a container `docker run -p 12380:80 nginx`, the command `iptables -I DOCKER -m conntrack --ctstate DNAT ! --ctorigsrc 172.17.8.1/32 --ctorigdstport 12380 -j REJECT` successfully restricted access so that only IP 172.17.8.1 (e.g. the Vagrant host) can access port 12380. In combination with a `PRE_DOCKER` chain dropping by default, this works better than any other solution out there. – sunside Nov 06 '15 at 22:53
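The conntrack approach this answer points at, written out as an added example (this is not code from the answer, the question or the comments). The host 1.2.3.4, the user abc and port 121 are the question's; the function names, the IPT dry-run variable, the "apply" argument and the plain-address backstop rule are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: keep user "abc" from reaching
# 1.2.3.4 even though a nat DNAT rule rewrites the destination to
# 127.0.0.1:121 before the filter table ever sees the packet.
set -eu

# Command used to install rules.  Left unquoted on purpose so that
# IPT="echo iptables" turns the script into a dry run printing each rule.
IPT="${IPT:-iptables}"

BLOCKED_HOST="${BLOCKED_HOST:-1.2.3.4}"   # from the question
NAT_USER="${NAT_USER:-abc}"               # from the question
LOCAL_PORT="${LOCAL_PORT:-121}"           # from the question

# The redirect from the question.  The nat OUTPUT chain sees only the
# first packet of each connection and rewrites its destination to
# 127.0.0.1 before filter OUTPUT runs, so a plain "-d 1.2.3.4" rule in
# filter never matches that packet.
add_dnat_rule() {
    $IPT -t nat -A OUTPUT -p tcp -m owner --uid-owner "$NAT_USER" \
        -j DNAT --to-destination "127.0.0.1:$LOCAL_PORT"
}

# Match on what the connection tracking entry recorded as the ORIGINAL
# destination.  The entry is created before the nat table runs, so in
# filter OUTPUT --ctorigdst still holds 1.2.3.4 although the packet
# header now says 127.0.0.1.  Without --ctstate DNAT this also catches
# connections to the host that were never redirected (other users).
add_ctorigdst_rule() {
    $IPT -t filter -A OUTPUT -m conntrack --ctorigdst "$BLOCKED_HOST" -j DROP
}

# Stricter variant using all three options named in the answer: only
# redirected connections, and only those originally aimed at one port.
add_ctorigdstport_rule() {
    port="$1"
    $IPT -t filter -A OUTPUT -p tcp -m conntrack --ctstate DNAT \
        --ctorigdst "$BLOCKED_HOST" --ctorigdstport "$port" -j DROP
}

# Packets with no conntrack entry (NOTRACK in the raw table, INVALID
# packets) cannot be matched by -m conntrack at all, so keep a plain
# address rule as a backstop; it is harmless for the DNATed packets.
add_untracked_rule() {
    $IPT -t filter -A OUTPUT -d "$BLOCKED_HOST" -j DROP
}

# Install the rules only when asked, so that running or sourcing the
# file without arguments changes nothing on the host.
if [ "${1:-}" = "apply" ]; then
    add_dnat_rule
    add_ctorigdst_rule
    add_untracked_rule
fi
```

Run it as root with `sh block.sh apply` to install the rules, or as `IPT="echo iptables" sh block.sh apply` to print them first. The point of the two filter rules is that the nat table only ever decides on the first packet of a connection, while `-m conntrack` consults the tracking entry for every packet, so the original destination stays matchable for the connection's whole lifetime.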
0
# ACCEPT in the nat OUTPUT chain ends nat processing for this connection, so the DNAT rule below is never applied to traffic for 1.2.3.4
iptables -t nat -A OUTPUT -d 1.2.3.4 -j ACCEPT
# everything else from user abc is still redirected; the un-redirected packets keep their real destination and the question's filter rule (-d 1.2.3.4 -j DROP) now matches them
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner abc -j DNAT --to 127.0.0.1:121
Sandor Marton