[nos-bbs] iptables and jnos question
Michael Fox (N6MEF)
n6mef at mefox.org
Fri Jul 24 16:29:38 EDT 2015
Jerome,
Looking at your request again, it’s not clear what you’re trying to do. You say “at the beginning of the forward chain” but you use “-A” (append … as in, at the end). You use “-i tun0” which would be packets coming into linux on tun0 (from JNOS), as opposed to packets from linux going out tun0 to JNOS.
If what you really want to do is:
1) insert a rule at the beginning of the forward chain
2) filter packets outbound from linux to JNOS
3) drop if source address is 44.1.1.1
And assuming
a) you’ve got linux doing the gateway function
b) the interface between linux and JNOS is tun0
Then:
iptables -I FORWARD -o tun0 -s 44.1.1.1 -j DROP
If that’s not what you mean, then perhaps you could state what you mean more precisely.
Michael
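To make the two points above concrete (INPUT still sees the encapsulated packet, so `-s 44.x` cannot match there; and `-i tun0` means traffic arriving from JNOS, whereas traffic heading to JNOS leaves via `-o tun0`), here is an added example that is not part of the original thread. It builds a constructed IPIP packet (carrier 203.0.113.7 to the gateway 192.0.2.1, carrying a 44.1.1.1 packet) and walks it through the two filter points in the order the kernel visits them. The interface names eth0 (physical), tunl0 (the kernel's ipip decapsulation device) and tun0 (the link to JNOS), the sample addresses, and a default policy of ACCEPT are assumptions made for the example:

```python
"""Walk a constructed IPIP packet through the INPUT and FORWARD hooks to show
which chain can see the inner 44.x source address.  Added example, not code
from the original post; interface names and addresses are assumptions."""
import ipaddress
import struct

IPPROTO_IPIP = 4  # IP-in-IP, the encapsulation used for 44/8 tunnels


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 header checksum: ones-complement sum of the 16-bit words."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) | hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) with a valid checksum, followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); reject a bad version, length or checksum."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, pkt[ihl:total_len])


def first_match(rules, chain, src, in_if, out_if):
    """Walk one chain in order; a key left out of a rule means 'any'.
    Default policy ACCEPT is an assumption of this example."""
    for r in rules:
        if r["chain"] != chain:
            continue
        if (r.get("src") not in (None, src) or r.get("in") not in (None, in_if)
                or r.get("out") not in (None, out_if)):
            continue
        return r["target"]
    return "ACCEPT"


def traverse(encap_pkt, rules, phys_if="eth0", decap_if="tunl0", jnos_if="tun0"):
    """Follow one encapsulated packet through the filter hooks.
    1. INPUT: the IPIP packet is addressed to this host, so -s sees the outer
       (carrier) address and -i is the physical interface.
    2. The kernel decapsulates and re-injects the inner packet as received on
       the ipip device (assumed here to be tunl0).
    3. FORWARD: the inner packet is routed toward JNOS, so -s sees the 44.x
       source and -o is tun0; -i tun0 would only match traffic from JNOS."""
    outer_src, _, proto, payload = parse_ipv4(encap_pkt)
    verdict = first_match(rules, "INPUT", outer_src, phys_if, None)
    if verdict != "ACCEPT":
        return (verdict, "INPUT")
    if proto != IPPROTO_IPIP:
        return ("ACCEPT", "INPUT")  # plain local delivery, never forwarded
    inner_src, _, _, _ = parse_ipv4(payload)
    verdict = first_match(rules, "FORWARD", inner_src, decap_if, jnos_if)
    return (verdict, "FORWARD")


def to_iptables(rule) -> str:
    """Render a rule dict as the iptables command line it stands for."""
    parts = ["iptables", "-I", rule["chain"]]
    for key, flag in (("in", "-i"), ("out", "-o"), ("src", "-s")):
        if key in rule:
            parts += [flag, rule[key]]
    return " ".join(parts + ["-j", rule["target"]])


# Constructed sample: a segment from 44.1.1.1 bound for a JNOS address,
# carried in IPIP from carrier 203.0.113.7 to the gateway's own 192.0.2.1.
INNER = build_ipv4("44.1.1.1", "44.2.2.2", 6, b"constructed tcp segment")
OUTER = build_ipv4("203.0.113.7", "192.0.2.1", IPPROTO_IPIP, INNER)

AS_POSTED = [{"chain": "FORWARD", "in": "tun0", "src": "44.1.1.1", "target": "DROP"}]
AS_SUGGESTED = [{"chain": "FORWARD", "out": "tun0", "src": "44.1.1.1", "target": "DROP"}]
INPUT_ON_44 = [{"chain": "INPUT", "src": "44.1.1.1", "target": "DROP"}]
INPUT_ON_CARRIER = [{"chain": "INPUT", "src": "203.0.113.7", "target": "DROP"}]

if __name__ == "__main__":
    for rules in (AS_POSTED, AS_SUGGESTED, INPUT_ON_44, INPUT_ON_CARRIER):
        print(f"{to_iptables(rules[0]):48} -> {traverse(OUTER, rules)}")
```

Only the `-o tun0` rule in FORWARD drops the packet; the `-i tun0` form never sees it (the inner packet arrives on the decapsulating device, not on tun0), and an INPUT rule on 44.1.1.1 never sees it either because INPUT only has the carrier address to match on.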
From: nos-bbs [mailto:nos-bbs-bounces at tapr.org] On Behalf Of Michael Fox - N6MEF
Sent: Friday, July 24, 2015 12:46 PM
To: jerome schatten <romers at shaw.ca>; nos-bbs <nos-bbs at tapr.org>
Subject: Re: [nos-bbs] iptables and jnos question
Jerome,
If you filter the input table, then the packet is still in the encapsulated state. You're looking at the tunnel addresses.
You can filter on the forwarding table, on the tunnel between linux and jnos. At that point, the packet has been decapsulated and the original IP is the source address.
Michael
N6MEF
Sent from my Verizon Wireless 4G LTE smartphone
-------- Original message --------
From: jerome schatten <romers at shaw.ca>
Date: 07/24/2015 9:06 AM (GMT-08:00)
To: nos-bbs <nos-bbs at tapr.org>
Subject: [nos-bbs] iptables and jnos question
Hi...
I have been trying to construct a firewall rule to filter on the 44
address of an ipip encapsulated packet rather than the 'carrier
address'. I've tried all sorts of variations of:
iptables -A FORWARD -i tun0 -s 44.x.x.x -j DROP
at the beginning of the forward chain with no success. I'm beginning to
get the feeling that it may not be possible to filter on the
encapsulated IP.
Thanks for any suggestions,
jerome - ve7ass
_______________________________________________
nos-bbs mailing list
nos-bbs at tapr.org
http://www.tapr.org/mailman/listinfo/nos-bbs