linux
Ivan Gaidamakin, 2013-12-12 23:00:16

Iptables PREROUTING and INPUT - how to "make friends"?

Good evening!
Actually such a question.
How can I configure traffic redirection (PREROUTING) so that it first goes through the "Processing" INPUT checks?
I am currently using this rule:

-A PREROUTING -d 144.76.249.14 -j DNAT --to-destination 10.0.0.34

Naturally, INPUT does not "touch" it, because, for obvious reasons, PREROUTING goes before INPUT.
Looking forward to your reply, thanks in advance!

5 answer(s)
cjey, 2013-12-13
@MeGaPk

Create a new Filters chain and add to this chain all the rules from the INPUT chain
iptables -N Filters
iptables -I Filters -j ACCEPT
Add a redirect rule to the Filters chain to the INPUT chain
iptables -I INPUT -j Filters
Add a packet forwarding rule to the Filters chain to the FORWARD chain
iptables -I FORWARD -j Filters

saygo, 2013-12-13
@saygo

Excuse me, why not check in the same Prerouting?
The traffic that is intended for the machine goes to Input, so no way.
Here, the logic is that the order and purpose of the traffic cannot be violated.

alz, 2013-12-13
@alz

Create a custom validation chain and redirect to it from the INPUT and FORWARD chains

Ilya Evseev, 2013-12-13
@IlyaEvseev

How can I configure traffic redirection (PREROUTING) so that it first goes through the "Processing" INPUT checks?

In short, no way. Search Google images for "iptables packet flow".
PREROUTING is called so precisely because it is called before the routing decision.
INPUT is called after the routing decision has already passed.
Previously, the NAT table had the ability to filter packets; now it has been removed (IMHO in vain).
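
The point made in the answers above (DNATed traffic is filtered in FORWARD, not INPUT, so shared rules belong in a chain entered from both) can be checked mechanically. This is an added example, not part of the original thread: a shell audit of iptables-save output. Both filter rulesets are constructed for illustration; only the DNAT rule and the chain name Filters come from the page.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump for the gap
# discussed above. A packet DNATed in nat/PREROUTING to another host is routed
# through filter/FORWARD, never filter/INPUT, and it arrives there with its
# destination already rewritten (10.0.0.34 here).

audit_dnat_filtering() {   # stdin: iptables-save output; status 1 on findings
    awk '
        substr($0, 1, 1) == "*" { table = substr($0, 2) }
        table == "nat" && /^-A PREROUTING / && / -j DNAT / { dnat = 1 }
        table == "filter" && /^:/ && $2 == "-" { user[substr($1, 2)] = 1 }
        table == "filter" && /^-A (INPUT|FORWARD) / {
            if ($2 == "FORWARD") fwd_rules++
            for (i = 3; i < NF; i++) if ($i == "-j") {
                if ($2 == "INPUT") inj[$(i + 1)] = 1; else fwj[$(i + 1)] = 1
            }
        }
        END {
            if (!dnat) exit 0
            if (!fwd_rules) { print "DNAT present, filter/FORWARD is empty"; bad = 1 }
            for (c in user) if (inj[c] && !fwj[c]) {
                print "chain " c " reached from INPUT only"; bad = 1
            }
            exit bad + 0
        }'
}

nat_table() {      # constructed dump; the DNAT rule is the one from the question
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' \
        '-A PREROUTING -d 144.76.249.14/32 -j DNAT --to-destination 10.0.0.34' COMMIT
}
weak_ruleset() {   # constructed: all filtering lives in INPUT
    nat_table
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT' COMMIT
}
fixed_ruleset() {  # constructed: shared chain entered from INPUT and FORWARD
    nat_table
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':Filters - [0:0]' '-A INPUT -j Filters' '-A FORWARD -j Filters' \
        '-A Filters -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A Filters -p tcp -m tcp --dport 443 -j ACCEPT' COMMIT
}

for rs in weak_ruleset fixed_ruleset; do
    if out=$("$rs" | audit_dnat_filtering); then echo "$rs: ok"
    else echo "$rs: $out"; fi
done
```

On a live host the same function reads `iptables-save | audit_dnat_filtering`. It only looks at `-j` jumps made directly from INPUT and FORWARD, so `-g` gotos and nested chains are not followed.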

Ivan Gaidamakin, 2013-12-13
@MeGaPk

And how then can you redirect traffic after it has passed INPUT?
