[plug] forward rules

Bernard Blackham bernard at blackham.com.au
Sun Feb 23 21:13:14 WST 2003


On Sun, Feb 23, 2003 at 08:59:16PM +0800, Jon  Miller wrote:
> I need to ask a question for clarity and that is when creating a
> forwarding rule do I need to create 2 rules, one for outgoing and
> one for incoming? Is it a fair assumption to make that one without
> the other will fail?

Ahh, fun fun. Here goes...

In ipchains (2.2 kernels), all packets destined for the machine went
through the INPUT chain. All packets whose source address was owned
by the machine traversed the OUTPUT chain. Packets with neither a
source nor a destination address owned by the machine actually
traversed all three: INPUT, FORWARD, and OUTPUT. Also, IP
masquerading was done in the FORWARD chain.

In iptables (2.4 & 2.5 kernels), only packets destined for the
machine go through INPUT. Only packets originating from the machine
go through OUTPUT. Packets that are just passing through traverse
the FORWARD chain. IP masquerading and random packet mangling is
performed in the PREROUTING and POSTROUTING chains, depending on
whether it's source mangling or IP masq (POSTROUTING), or
destination mangling (PREROUTING).

You can compile in ipchains style filtering into a 2.4 kernel,
though it's not recommended.

I've seen a pretty diagram of exactly how all the chains work in
iptables that I was shown at LCA, but I can't seem to find it again,
so somebody please correct me if I'm wrong! Rusty's Remarkably
Unreliable Guides on Netfilter are a really good tutorial on
how all of iptables fits together.

> Also, in a dual-homed host does this mean each interface must have
> 2 rule sets to handle the forwarding of packets, meaning a total of
> 4 rules?

The actual routing and forwarding of packets happens automagically
(given echo 1 > /proc/sys/net/ipv4/ip_forward) so in an ideal
situation you don't need any rules. You only require iptables/chains
rules if you feel the inclination to filter passing traffic. If you
have a default deny-all policy, then you'll probably need quite a
few rules to explicitly allow what you want to go where. If you have
a default allow-all policy, it becomes remarkably simple!

HTH,

Bernard.

-- 
 Bernard Blackham 
 bernard at blackham dot com dot au
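A worked rule set for the dual-homed, default-deny case discussed above, added here as an example; it is not part of Bernard's post. It assumes interface names eth0 (outside) and eth1 (LAN) and a LAN subnet of 192.168.1.0/24, all made up for illustration, and IPT defaults to echoing the iptables commands so the script can be read and run without root. The state match goes one step beyond the post: with connection tracking, a single rule allowing new LAN-to-WAN connections plus a single rule allowing ESTABLISHED,RELATED traffic covers both directions, which is the practical answer to the "two rules" question.

```shell
#!/bin/sh
# Added example, not code from the post: FORWARD-chain filtering for a
# dual-homed iptables host with a default deny-all policy on passing traffic.
# Assumed for illustration only: WAN interface eth0, LAN interface eth1,
# LAN subnet 192.168.1.0/24. IPT defaults to "echo iptables" so running the
# script only prints the rules; run with IPT=iptables as root to apply them.

IPT="${IPT:-echo iptables}"
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"

# Routing between the two interfaces needs only this sysctl; no filter
# rules are required until you decide to restrict what passes through.
enable_forwarding() {
    echo 1 > "$IP_FORWARD"
}

# Traffic merely passing through traverses only the FORWARD chain (2.4+),
# so filtering a dual-homed host touches one chain, not one per interface.
forward_rules() {
    wan="$1"; lan="$2"; lan_net="$3"

    # Default deny for everything the box would forward.
    $IPT -P FORWARD DROP

    # One rule covers the reply direction of every allowed connection
    # (connection-tracking state match; not something the post relies on).
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections may only be initiated from the LAN side, and only
    # from source addresses that belong to the LAN subnet.
    $IPT -A FORWARD -i "$lan" -o "$wan" -s "$lan_net" -m state --state NEW -j ACCEPT

    # Log (rate-limited) whatever is about to fall through to the DROP
    # policy, so blocked forwarding attempts are visible in the kernel log.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "

    # Masquerading lives in the nat table's POSTROUTING chain, as the post says.
    $IPT -t nat -A POSTROUTING -o "$wan" -s "$lan_net" -j MASQUERADE
}

# Print (or, with IPT=iptables as root, apply) the rule set for the assumed
# interfaces. enable_forwarding is left to the caller because it writes to /proc.
forward_rules eth0 eth1 192.168.1.0/24
```

Run as-is to see the five commands it would issue; as root, `IPT=iptables sh fwd.sh` applies them and a separate call to `enable_forwarding` turns routing on. Note that nothing here touches INPUT or OUTPUT: those chains only see traffic to or from the firewall itself. On current iptables the `-m state` match is a deprecated alias for `-m conntrack --ctstate`, which takes the same state names.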


