[ILUG-BOM] Iptables Query

steve steve at lonetwin.net
Fri Aug 7 12:07:00 IST 2009

On 08/06/2009 03:18 PM, Rony wrote:
> steve wrote:
>>  So as far as the filter table is concerned, in this context, there isn't any
>>  difference between your 'home' network and the 'world' network. The rule will
>>  just be matched against the networks mentioned in the rules. Think about it a
>>  bit. Your rules might even mention a src/dest addresses on networks that none of
>>  your interfaces are even part of.
>>  Mentioning an action in the INPUT chain simply means that the packet would be
>>  examined when received and filtered accordingly.
> So there is no input point and output point.
I don't understand what you mean by 'point'. If you mean a single interface, no, 
iptables does not designate one interface as 'in' and the other as 'out'. If, on 
the other hand, by point, you mean 'point in data passage at which the packet is 
examined', of course there is an input and output point.

That's exactly what the INPUT and OUTPUT chains signify.

> The setup that I will have
> is a box with 2 ethernet ports, one connected to the MTNL router and the
> other to the LAN. How will the firewall recognize the inbound/outbound
> traffic directions as it is inbound for one interface and outbound for
> the other and vice versa.
Stop thinking of inbound and outbound as interface specific. All traffic 
entering the system will be tested against the INPUT chain and all traffic 
leaving the system will be tested against the OUTPUT chain, irrespective of the 
origin, destination, interface, etc. The rules /within/ the chain would 
specify what to do depending on interface, origin, destination, address, port, etc.

> In a GUI firewall I remember it asking which
> is the local device and which is on the internet. Will I have to make
> all rules based on each ethernet device as well as ip addresses to let
> iptables know direction?

Judging by your other responses, I have a feeling that you are confusing 
'filtering' (ie: the filter table rules, which decide what type of traffic to 
let in, let out & forward) with IP routing (ie: the NAT table, which lets you 
route and masquerade packets based on certain rules).

Now, in your case, each of the interfaces is on a different network segment, 
isn't it? So, you need to make rules based on either the network or the 

Any one of them would do and would do the same thing. The simplest form of 
NAT gateway is:

# Assuming eth0 is on the external network (ie: has the IP from MTNL) and eth1
# is on the internal network.

# Set up ip forwarding
$ echo 1 > /proc/sys/net/ipv4/ip_forward

# read this as: in the nat table (-t), add a POSTROUTING rule (-A) that says
# every packet destined to go out from eth0 (-o) should be MASQUERADE'd (-j)
$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Homework: Express in words the following commands
$ /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

$ /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Now, if you want to do packet filtering, for example you want to say

As packets come in .............. ( -A INPUT )
on the external nic ............. ( -i eth0 )
on the http port ................ ( --dport 80 )
accept it ........................( -j ACCEPT )

It is pretty interesting once you get to learn to read/write iptables rules and 
you might even end up getting carried away doing stuff that is not really necessary.

Here's one guide that I found fairly clear and concise:

Have fun!
- steve

random non tech spiel: http://lonetwin.blogspot.com/
tech randomness: http://lonehacks.blogspot.com/
what i'm stumbling into: http://lonetwin.stumbleupon.com/
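The NAT gateway and the "as packets come in, on the external nic, on the http port, accept it" filtering rule described above, put together as one reviewable ruleset. This is an added example, not code from the original post; it assumes eth0 holds the MTNL-assigned address and eth1 faces the LAN, and it prints the rules as a dry run unless invoked as root with the argument "apply".

```shell
#!/bin/sh
# Added example (not from the original post). Generates the filter and nat
# rules for a two-NIC gateway; direction comes from the chain a packet hits
# (INPUT/OUTPUT/FORWARD), not from which interface is "in" or "out".
EXT=eth0   # assumption: interface with the address handed out by MTNL
INT=eth1   # assumption: interface on the internal LAN

gen_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
# filter table: default deny for traffic to and through the box
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# as packets come in, on the external nic, on the http port, accept it
iptables -A INPUT -i $EXT -p tcp --dport 80 -j ACCEPT
# LAN hosts may reach the box itself (ssh) via the internal nic only
iptables -A INPUT -i $INT -p tcp --dport 22 -j ACCEPT
# forwarding: LAN out freely, only replies back in, nothing else
iptables -A FORWARD -i $INT -o $EXT -j ACCEPT
iptables -A FORWARD -i $EXT -o $INT -m state --state RELATED,ESTABLISHED -j ACCEPT
# nat table: rewrite the source of everything leaving via $EXT
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
EOF
}

# number of rules appended to a given chain, a cheap sanity check on the set
count_chain() {
    gen_rules | grep -c -- "-A $1 "
}

# apply only when asked for explicitly and running as root; otherwise dry run
if [ "$1" = "apply" ] && [ "$(id -u)" = "0" ]; then
    gen_rules | sh -e
else
    gen_rules
fi
```

Run it without arguments to read the ruleset first; `iptables -L -v -n` and `iptables -t nat -L -n` afterwards show which chain each counter lands in.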
