[ILUG-BOM] Iptables Query

steve steve at lonetwin.net
Thu Aug 6 10:40:17 IST 2009


On 08/06/2009 01:35 AM, Rony Bill wrote:
> Hello,
>
> I have to setup a firewall box for someone ASAP and I was going through the
> tutorials at
>
> http://forums.debian.net/viewtopic.php?t=16166
>
> I just have a small query as I am confused with the directions of packets.
> When setting a rule for the INPUT table, there is a source and destination
> setting. From the examples given in the above tutorial, when an incoming
> packet is received, the source is a local IP and destination is the world.
> Shouldn't the incoming packet's source be the world and destination the
> local LAN IP address? Could the experts please clarify? Otherwise it seems
> quite easy to setup.
>

I assume you meant the examples such as these in the guide:
     iptables -A INPUT -p tcp --dport 22 -s 192.168.0.3 -j ACCEPT

Firstly, the terminology in the guide appears to be incorrect. The guide refers 
to INPUT, OUTPUT and FORWARD as 'tables'. These are in fact termed 'chains' 
within the 'filter' table (which is the default table for modification when -t 
is not provided; there are other tables like 'nat', 'mangle', etc.).

Think of tables as a grouping of 'what' you want to do with the packets (filter, 
nat, mangle) and chains as 'when' you want to do it (INPUT, OUTPUT, FORWARD for 
filter; PREROUTING, POSTROUTING for nat, etc.).

So as far as the filter table is concerned, in this context, there isn't any 
difference between your 'home' network and the 'world' network. The rule will 
just be matched against the networks mentioned in the rules. Think about it a 
bit: your rules might even mention src/dest addresses on networks that none of 
your interfaces are even part of.

Mentioning an action in the INPUT chain simply means that the packet would be 
examined when received and filtered accordingly.

HTH,
regards,
- steve

-- 
          --------------------
random non tech spiel: http://lonetwin.blogspot.com/
tech randomness: http://lonehacks.blogspot.com/
what i'm stumbling into: http://lonetwin.stumbleupon.com/
          --------------------
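As an added illustration of the matching Steve describes (this code is not part of the original thread or of the Debian forum guide it references), the following Python model of the filter table's INPUT chain evaluates the guide's rule against a few constructed packets. The addresses (192.168.0.0/24 as the LAN, 203.0.113.0/24 as the "world"), the second rule, and all function and class names are assumptions made for this example; the rule syntax parsed is only the small subset that appears in the thread.

```python
# Added example (not from the original mailing-list post): a minimal model of
# how a rule in the filter table's INPUT chain is matched against a packet.
# Addresses below are constructed for illustration (192.168.0.0/24 LAN,
# 203.0.113.0/24 standing in for the "world").
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str                 # address in the IP header's source field
    dst: str                 # address in the IP header's destination field
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass
class Rule:
    chain: str
    target: str
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # -s / -d are compared against the packet header only; netfilter
        # does not care whether the address is "home" or "world".
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse the subset of iptables syntax used in the thread:
    iptables -A CHAIN [-p PROTO] [--dport N] [-s NET] [-d NET] -j TARGET"""
    toks = shlex.split(line)
    if toks and toks[0] == "iptables":
        toks = toks[1:]
    if len(toks) % 2:
        raise ValueError("every option in this subset takes one argument")
    opts = dict(zip(toks[0::2], toks[1::2]))
    return Rule(
        chain=opts["-A"],
        target=opts["-j"],
        proto=opts.get("-p"),
        src=ipaddress.ip_network(opts["-s"], strict=False) if "-s" in opts else None,
        dst=ipaddress.ip_network(opts["-d"], strict=False) if "-d" in opts else None,
        dport=int(opts["--dport"]) if "--dport" in opts else None,
    )


class FilterTable:
    """The 'filter' table: built-in chains, each with a default policy."""

    def __init__(self, policies: Dict[str, str]):
        self.policies = policies
        self.chains: Dict[str, List[Rule]] = {c: [] for c in policies}

    def append(self, line: str) -> None:
        rule = parse_rule(line)
        self.chains[rule.chain].append(rule)   # -A appends: rule order matters

    def verdict(self, chain: str, pkt: Packet) -> str:
        # First matching rule wins; otherwise the chain's policy applies.
        for rule in self.chains[chain]:
            if rule.matches(pkt):
                return rule.target
        return self.policies[chain]


def demo() -> Dict[str, str]:
    fw = FilterTable({"INPUT": "DROP", "OUTPUT": "ACCEPT", "FORWARD": "DROP"})
    # The rule quoted from the guide, plus one naming a network the firewall
    # is not attached to (it is legal; it simply never matches anything).
    fw.append("iptables -A INPUT -p tcp --dport 22 -s 192.168.0.3 -j ACCEPT")
    fw.append("iptables -A INPUT -s 10.99.0.0/16 -j DROP")

    # Packets seen by INPUT are always addressed to the firewall itself
    # (constructed: 192.168.0.1 on the LAN side, 203.0.113.10 on the world side).
    return {
        "lan_host_ssh": fw.verdict("INPUT", Packet("192.168.0.3", "192.168.0.1", dport=22)),
        "lan_host_http": fw.verdict("INPUT", Packet("192.168.0.3", "192.168.0.1", dport=80)),
        "world_ssh": fw.verdict("INPUT", Packet("203.0.113.99", "203.0.113.10", dport=22)),
        "other_lan_ssh": fw.verdict("INPUT", Packet("192.168.0.7", "192.168.0.1", dport=22)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the model makes explicit: with `-s 192.168.0.3` in the INPUT chain, the source is the LAN host that sent the packet and the destination is the firewall itself, so the guide's example is consistent once "source" is read as the packet header's source field rather than "where the packet is going". The second rule references 10.99.0.0/16, a network the firewall has no interface on, and is accepted without complaint; it just never fires.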

