On Thu, Oct.13. 09:08 +0200, Gerald Schnabel wrote:
> Hallo,
>
> wie kann ich an meinem WRT mit HNA edonkey wirkungsvoll blockieren?
>
> iptables -A OUTPUT tcp -m dport 4662 -j DROP
> iptables -A OUTPUT tcp -m sport 4662 -j DROP
> iptables -A INPUT tcp -m dport 4662 -j DROP
> iptables -A INPUT tcp -m sport 4662 -j DROP
>
> zeigt irgendwie keine Wirkung. Werden die iptables Regeln chronologisch wie im
> Aufruf iptables -L angezeigt abgearbeitet?
> Meine Internetverbindung ist ziemlich lahm geworden und ein Sniffer hat
> angezeigt, das diverse Pakete über den Port 4662 gehen.
Hallo Gerald,
vielleicht hilft Dir folgendes Diagramm in ASCII-art, das den packet-flow
ganz gut darstellt.
Wie zu erkennen ist, gibt es zwei Wege, einmal den für lokales processing
und einen zweiten, den "FORWARD"-Zweig, den Marek's Zeilen manipulieren.
Gruß, marco
Network
-----------+-----------
|
+-------+------+
| mangle |
| PREROUTING | <- MARK REWRITE
+-------+------+
|
+-------+------+
| nat |
| PREROUTING | <- DEST REWRITE (pre-routing DNAT)
| |
| | Port forwarding
| | load sharing
| | transparent proxying
+-------+------+
|
(You can add here ipchains FILTER and QoS Ingress)
|
+-------+------+ Policy rule database
| PRDB | <- controlled by ip rule
| |
packet is for | | packet is for
this address | INPUT | another address
+--------------+ ROUTING +---------------+
| +--------------+ |
+-------+------+ |
| filter | |
| INPUT | use "-i dev" |
+-------+------+ |
| |
| |
| |
///////////////////////////// |
/ Local / |
/ Process / |
///////////////////////////// |
| |
| |
| |
+-------+------+ |
| OUTPUT | +-------+-------+
| ROUTING | | filter |
+-------+------+ | FORWARD | use "-o dev"
| +-------+-------+
+-------+------+ |
| mangle | |
| OUTPUT | MARK REWRITE |
+-------+------+ |
| |
+-------+------+ |
| nat | |
| OUTPUT | DEST REWRITE (output DNAT) |
+-------+------+ |
| |
+-------+------+ |
| filter | |
| OUTPUT | use "-o dev" |
+-------+------+ |
| |
| |
+---------------------+-----------------------+
|
(Place for ipchains FILTER)
|
+-------+------+
| nat |
| POSTROUTING | SOURCE REWRITE (post-routing SNAT)
+-------+------+
|
|
+-------+------+
| TRAFFIC |
| QUEUE | <- controlled by tc
+-------+------+
|
|
-----------+-----------
Network
_______________________________________________
Berlin mailing list
Berlin at olsrexperiment.de
https://olsrexperiment.de/cgi-bin/mailman/listinfo/berlin