[plug] forward rules

Jon Miller jlmiller at mmtnetworks.com.au
Sun Feb 23 22:00:07 WST 2003


Okay, thanks for that, and jensz for the pointer, but one question: when opening a port that a service requires, do I put in the source and destination address of the server where the app sits, or the firewall where the packet from the inside server is trying to get through and to? In other words, if I have an application that has a console on one server and an agent on another server via VPN, the agent is trying to reply to the console. Do I list the servers that the service resides on, or the firewall server?
Example:
srvA (192.168.1.9)----FW(192.168.1.3)--INet---FW(192.168.0.1)---srvB(192.168.0.5)
Each FW has 2 interfaces, one for the local LAN and the other for the router.

Problem: using tcpdump and tethereal I do not see any packets or port information.


Jon

Jon L. Miller, MCNE, CNS
Director/Sr Systems Consultant
MMT Networks Pty Ltd
http://www.mmtnetworks.com.au

"I don't know the key to success, but the key to failure
 is trying to please everybody." -Bill Cosby



>>> bernard at blackham.com.au 9:13:14 PM 23/02/2003 >>>
On Sun, Feb 23, 2003 at 08:59:16PM +0800, Jon  Miller wrote:
> I need to ask a question for clarity and that is when creating a
> forwarding rule do I need to create 2 rules, one for outgoing and
> one for incoming? Is it a fair assumption to make that one without
> the other will fail?

Ahh, fun fun. Here goes...

In ipchains (2.2 kernels), all packets destined for the machine went
through the INPUT chain. All packets whose source address was owned
by the machine traversed the OUTPUT chain. Packets of which neither
the source address nor the destination address was owned by the
machine actually traversed all three: INPUT, FORWARD, and OUTPUT.
Also, IP masquerading was done in the FORWARD chain.

In iptables (2.4 & 2.5 kernels), only packets destined for the
machine go through INPUT. Only packets originating from the machine
go through OUTPUT. Packets that are just passing through traverse
the FORWARD chain. IP masquerading and random packet mangling are
performed in tables PREROUTING and POSTROUTING, depending on whether
it's source mangling or IP masq (POSTROUTING), or destination
(PREROUTING).

You can compile ipchains-style filtering into a 2.4 kernel,
though it's not recommended.

I've seen a pretty diagram of exactly how all the chains work in
iptables that I was shown at LCA, but I can't seem to find it again,
so somebody please correct me if I'm wrong! Rusty's Remarkably
Unreliable Guides on Netfilter are a really good tutorial on
how all of iptables fits together.

> Also, in a dual-homed host does this mean each interface must have
> 2 rule sets to handle the forwarding of packets, meaning a total of
> 4 rules?

The actual routing and forwarding of packets happens automagically
(given echo 1 > /proc/sys/net/ipv4/ip_forward) so in an ideal
situation you don't need any rules. You only require iptables/chains
rules if you feel the inclination to filter passing traffic. If you
have a default deny-all policy, then you'll probably need quite a
few rules to explicitly allow what you want to go where. If you have
a default allow-all policy, it becomes remarkably simple!

HTH,

Bernard.

-- 
 Bernard Blackham 
 bernard at blackham dot com dot au
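Bernard's point that pass-through traffic is filtered only in FORWARD, and Jon's question about which addresses to match, as an added example that is not from either poster: a default-deny ruleset for the FW at 192.168.1.3 in Jon's diagram, in iptables-restore format, assuming eth0 is the LAN side, eth1 the router side, and a placeholder application port of 12345 (the thread names no port).

```shell
#!/bin/sh
# Added example (not from the thread). Pass-through packets are filtered
# in FORWARD, and FORWARD sees the real endpoint addresses, so the match
# is on srvA/srvB, not on the firewall's own addresses.
# Assumptions not given in the thread: LAN side eth0, router side eth1,
# console/agent port TCP 12345 (placeholder).
LAN_IF=eth0
WAN_IF=eth1
SRV_A=192.168.1.9
SRV_B=192.168.0.5
APP_PORT=12345

# Emit the ruleset; pipe into iptables-restore to apply it.
fw_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Keep the firewall box itself working over loopback.
-A INPUT -i lo -j ACCEPT
# Replies to connections the firewall itself initiated.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Return packets of forwarded connections also pass through FORWARD,
# so one stateful rule replaces a hand-written "incoming" rule per service.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# The single service explicitly allowed: srvA -> srvB on the app port.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $SRV_A -d $SRV_B -p tcp --dport $APP_PORT -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Number of rules that would be installed (the ':' policy lines and
# '#' comments are not rules); a quick sanity check before applying.
rule_count() {
    fw_rules | grep -c '^-A'
}

# Forwarding itself is a kernel switch, not an iptables rule:
#   echo 1 > /proc/sys/net/ipv4/ip_forward
# Then apply with:  fw_rules | iptables-restore
```

The other FW (192.168.0.1) needs the mirror image, with srvB's LAN as its inside and the NEW-state rule pointing the other way if srvB ever initiates.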
