From: Heiko Z. <he...@zu...> - 2008-10-31 19:36:11
Quoting Oliver Niesner <dig...@gm...>:
> Today I noticed that we have some deprecated lines in the
> default firewall scripts (firewall.rules.2nic,firewall.rules.3nic)
>
>
> # Prevent NetBIOS and Samba from leaking.
> ${IPTABLES} -t nat -A PREROUTING -p TCP --dport 135 -j DROP
> ${IPTABLES} -t nat -A PREROUTING -p UDP --dport 135 -j DROP
> ${IPTABLES} -t nat -A PREROUTING -p TCP --dport 137:139 -j DROP
> ${IPTABLES} -t nat -A PREROUTING -p UDP --dport 137:139 -j DROP
> ${IPTABLES} -t nat -A PREROUTING -p TCP --dport 445 -j DROP
> ${IPTABLES} -t nat -A PREROUTING -p UDP --dport 445 -j DROP
>
>
> If this script is started, iptables reports:
>
> The "nat" table is not intended for filtering, hence the use of DROP is
> deprecated and will permanently be disabled in the next iptables
> release. Please adjust your scripts.
>
> I think we should fix this to avoid future problems.
> I personally use the INPUT and OUTPUT chains for this -
> any other suggestions?
I agree, this should go into at least the INPUT one.
If we want to prevent any leaking, then we should add it to FORWARD
and OUTPUT also.
Opinions?
--
Regards
Heiko Zuerker
http://www.devil-linux.org
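For reference, here is how the six quoted rules look once moved out of the nat table into the filter table, covering the INPUT, FORWARD and OUTPUT chains as proposed above. This is an added example written for this page, not the Devil-Linux firewall.rules.2nic/3nic scripts themselves; the `IPTABLES` variable name comes from the quoted rules, while `NETBIOS_PORTS`, `NETBIOS_CHAINS` and the helper functions are assumptions of the example. `IPTABLES` defaults to a dry-run `echo` so the script can be run and checked without a live firewall.

```shell
#!/bin/sh
# Added example (not Devil-Linux's firewall.rules.*nic): the NetBIOS/SMB DROP
# rules relocated from "-t nat PREROUTING" to the filter table.  Defaults to a
# dry run; set IPTABLES=iptables (or /sbin/iptables) to apply for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Port specs taken from the original rules: MS-RPC endpoint mapper (135),
# NetBIOS name/datagram/session (137-139) and direct-hosted SMB (445).
NETBIOS_PORTS="135 137:139 445"

# Chains to block on (assumed names for this example): INPUT covers traffic to
# the firewall host, FORWARD covers traffic routed between its interfaces,
# OUTPUT covers connections the host itself opens.
NETBIOS_CHAINS="INPUT FORWARD OUTPUT"

# Emit (or apply) one DROP rule per chain, protocol and port spec in the
# filter table.  Unlike nat PREROUTING, which only sees the first packet of a
# connection, the filter table is consulted for every packet, so DROP here
# actually blocks the traffic rather than merely the initial packet.
netbios_drop_rules() {
    for chain in $NETBIOS_CHAINS; do
        for proto in tcp udp; do
            for port in $NETBIOS_PORTS; do
                ${IPTABLES} -t filter -A "$chain" -p "$proto" --dport "$port" -j DROP
            done
        done
    done
}

# Dry-run view of the rules, one per line, regardless of how IPTABLES is set.
netbios_rule_lines() {
    ( IPTABLES="echo iptables"; netbios_drop_rules )
}

# Number of rules the expansion produces (3 chains x 2 protocols x 3 specs).
count_netbios_rules() {
    netbios_rule_lines | wc -l | tr -d ' '
}

netbios_drop_rules
```

One caveat when dropping these into an existing script: `-A` appends, so if an earlier rule in the same chain already ACCEPTs traffic from an interface, the DROP is never reached. Either place these rules before any broad ACCEPT, or use `-I` to insert them at the top of the chain.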