[nos-bbs] iptables and jnos question

Michael Fox (N6MEF) n6mef at mefox.org
Fri Jul 24 16:29:38 EDT 2015


Jerome,


Looking at your request again, it’s not clear what you’re trying to do.  You say “at the beginning of the forward chain” but you use “-A” (append … as in, at the end).  You use “-i tun0” which would be packets coming into linux on tun0 (from JNOS), as opposed to packets from linux going out tun0 to JNOS.


If what you really want to do is:

1)  insert a rule at the beginning of the forward chain

2)  filter packets outbound from linux to JNOS 

3)  drop if source address is 44.1.1.1


And assuming

a)  you’ve got linux doing the gateway function

b)  the interface between linux and JNOS is tun0


Then:


iptables -I FORWARD -o tun0 -s 44.1.1.1 -j DROP


If that’s not what you mean, then perhaps you could state what you mean more precisely.


Michael
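As an added illustration of the point made in this reply and the earlier one (INPUT sees the tunnel endpoint addresses, FORWARD after decapsulation sees the 44.x.x.x address), here is a small Python model that is not code from the thread: it builds an IPIP (IP protocol 4) packet the way a gateway receives it, decapsulates it, and shows which source address a "-s ... -j DROP" rule would match in each chain. The carrier addresses 192.0.2.10 and 198.51.100.20, the inner addresses 44.1.1.1 and 44.2.2.2, and the TCP payload are constructed for the example; the chain model is deliberately simplified (no PREROUTING, no connection tracking, ACCEPT standing in for the default policy).

```python
"""Which source address an iptables "-s" match sees for an IPIP packet.

Constructed example, not code from the nos-bbs thread.  An IPIP packet
arriving on the carrier interface is matched in INPUT on its outer header;
after the ipip device decapsulates it, the inner packet is routed toward
tun0 and matched in FORWARD on the inner (44.x.x.x) header.
"""
import ipaddress
import struct

IPPROTO_IPIP = 4
IPPROTO_TCP = 6
# version/IHL, TOS, total length, ID, flags/frag, TTL, proto, checksum, src, dst
IPV4_HDR = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum over the header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum, plus payload."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HDR, *fields))
    return struct.pack(IPV4_HDR, *fields) + payload


def parse_ipv4(data: bytes) -> dict:
    """Parse one IPv4 header; return src/dst/proto and the payload it carries."""
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (data[0] & 0x0F) * 4
    if ipv4_checksum(data[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, data[:20])
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto,
            "payload": data[ihl:total_len]}


def build_ipip(outer_src, outer_dst, inner_src, inner_dst, inner_payload: bytes) -> bytes:
    """Encapsulate an inner IPv4 packet (carrying TCP here) inside an outer IPIP packet."""
    inner = ipv4_packet(inner_src, inner_dst, IPPROTO_TCP, inner_payload)
    return ipv4_packet(outer_src, outer_dst, IPPROTO_IPIP, inner)


def decapsulate(packet: bytes) -> dict:
    """What the ipip device hands back to the stack: the parsed inner packet."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet is not IPIP (protocol 4)")
    return parse_ipv4(outer["payload"])


def verdict(chain: str, drop_src: str, packet: bytes) -> str:
    """Simplified model of `-s <drop_src> -j DROP` placed in the named chain.

    INPUT (carrier interface, before decapsulation) matches the outer header;
    FORWARD toward tun0 (after decapsulation) matches the inner header.
    A non-match returns ACCEPT, standing in for the chain's default policy.
    """
    if chain == "INPUT":
        hdr = parse_ipv4(packet)
    elif chain == "FORWARD":
        hdr = decapsulate(packet)
    else:
        raise ValueError("this model only knows INPUT and FORWARD")
    if ipaddress.IPv4Address(hdr["src"]) in ipaddress.IPv4Network(drop_src):
        return "DROP"
    return "ACCEPT"


if __name__ == "__main__":
    # Constructed packet: tunnel endpoint addresses outside, 44-net addresses inside.
    pkt = build_ipip("192.0.2.10", "198.51.100.20", "44.1.1.1", "44.2.2.2", b"hello")
    print("source seen in INPUT:  ", parse_ipv4(pkt)["src"])
    print("source seen in FORWARD:", decapsulate(pkt)["src"])
    print("INPUT   -s 44.1.1.1 -j DROP ->", verdict("INPUT", "44.1.1.1/32", pkt))
    print("FORWARD -s 44.1.1.1 -j DROP ->", verdict("FORWARD", "44.1.1.1/32", pkt))
```

The same packet yields ACCEPT for the INPUT rule (its source is the carrier address) and DROP for the FORWARD rule, which is why a "-s 44.x.x.x" match only works once the packet has left the tunnel.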


From: nos-bbs [mailto:nos-bbs-bounces at tapr.org] On Behalf Of Michael Fox - N6MEF
Sent: Friday, July 24, 2015 12:46 PM
To: jerome schatten <romers at shaw.ca>; nos-bbs <nos-bbs at tapr.org>
Subject: Re: [nos-bbs] iptables and jnos question


Jerome,

If you filter the input table, then the packet is still in the encapsulated state.  You're looking at the tunnel addresses.


You can filter on the forwarding table, on the tunnel between linux and jnos.  At that point, the packet has been decapsulated and the original IP is the source address.


Michael

N6MEF


Sent from my Verizon Wireless 4G LTE smartphone

-------- Original message --------
From: jerome schatten <romers at shaw.ca> 
Date: 07/24/2015 9:06 AM (GMT-08:00) 
To: nos-bbs <nos-bbs at tapr.org> 
Subject: [nos-bbs] iptables and jnos question 

Hi...

I have been trying to construct a firewall rule to filter on the 44 
address of an ipip encapsulated packet rather than the 'carrier 
address'. I've tried all sorts of variations of:

iptables -A FORWARD -i tun0 -s 44.x.x.x -j DROP

at the beginning of the forward chain with no success. I'm beginning to 
get the feeling that it may not be possible to filter on the 
encapsulated ip.

Thanks for any suggestions,
jerome - ve7ass


_______________________________________________
nos-bbs mailing list
nos-bbs at tapr.org
http://www.tapr.org/mailman/listinfo/nos-bbs
