In what table/ruleset can I filter outbound [forwarded] packets after
they've been subjected to any mangling (i.e. NAT)? I want to block
anything with an improper source or destination address (i.e. 192.168.1.1,
as per RFC1918). But I do SNAT some of these on their way out, and those
I want to permit.
Any rule I've tried sees the source address before SNAT. What rule would
see the source address after SNAT?
I can catch most of these in nat.POSTROUTING; anything I don't SNAT
earlier in the ruleset can be checked. But that means that there's
nothing checking packets after SNAT, and what if I make an error and SNAT
to an improper address?
Any suggestions?
Thanks...
Andrew
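As an added illustration (not part of the original post), here is one defensive way to get a check that runs after SNAT, using nftables rather than iptables: two chains share the postrouting hook, and the filter chain gets a higher priority number than the srcnat chain, so it is evaluated after address rewriting. Interface name `eth0`, LAN prefix 192.168.1.0/24 and the public address 203.0.113.10 are constructed placeholders.

```nft
# Added example, not from the original post. Assumed: WAN is eth0, LAN is
# 192.168.1.0/24, public address 203.0.113.10 (documentation range, constructed).
define wan = "eth0"
define rfc1918 = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

table ip nat {
    chain postrouting {
        # srcnat priority (100): source address is rewritten here.
        type nat hook postrouting priority srcnat; policy accept;
        oifname $wan ip saddr 192.168.1.0/24 snat to 203.0.113.10
    }
}

table ip filter {
    chain post_snat_check {
        # Same hook, priority 200 > srcnat, so this chain runs after SNAT
        # and matches on the rewritten source address. Anything still
        # carrying a private source or destination on the WAN side is a
        # NAT mistake or a leak; log it and drop it.
        type filter hook postrouting priority 200; policy accept;
        oifname $wan ip saddr $rfc1918 counter log prefix "post-snat leak src " drop
        oifname $wan ip daddr $rfc1918 counter log prefix "post-snat leak dst " drop
    }
}
```

Load with `nft -f <file>` and watch the counters (`nft list chain ip filter post_snat_check`); a non-zero count after SNAT is in place points at a rule that translated to the wrong address.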