[ILUG-BOM] Iptables Query
steve at lonetwin.net
Fri Aug 7 12:07:00 IST 2009
On 08/06/2009 03:18 PM, Rony wrote:
> steve wrote:
>> So as far as the filter table is concerned, in this context, there isn't any
>> difference between your 'home' network and the 'world' network. The rule will
>> just be matched against the networks mentioned in the rules. Think about it a
>> bit. Your rules might even mention a src/dest addresses on networks that none of
>> your interfaces are even part of.
>> Mentioning an action in the INPUT chain simply means that the packet would be
>> examined when received and filtered accordingly.
> So there is no input point and output point.
I don't understand what you mean by 'point'. If you mean a single interface, no,
iptables does not designate one interface as 'in' and the other as 'out'. If, on
the other hand, by point, you mean 'point in data passage at which the packet is
examined', of course there is an input and output point.
That's exactly what the INPUT and OUTPUT chains signify.
> The setup that I will have
> is a box with 2 ethernet ports, one connected to the MTNL router and the
> other to the LAN. How will the firewall recognize the inbound/outbound
> traffic directions as it is inbound for one interface and outbound for
> the other and vice versa.
Stop thinking of inbound and outbound as interface specific. All traffic
entering the system will be tested against the INPUT chain and all traffic
leaving the system will be tested against the OUTPUT chain, irrespective of the
origin, destination, interface, etc. The rules /within/ the chain would
specify what to do depending on interface, origin, destination, address, port, etc.
> In a GUI firewall I remember it asking which
> is the local device and which is on the internet. Will I have to make
> all rules based on each ethernet device as well as ip addresses to let
> iptables know direction?
Judging by your other responses, I have a feeling that you are confusing
'filtering' (ie: the filter table rules, which decide what type of traffic to
let in, let out & forward) with IP routing (ie: the NAT table, which lets you
route and masquerade packets based on certain rules).
Now, in your case, each of the interfaces is on a different network segment,
isn't it? So, you need to make rules based on either the network or the
Any one of them would do and would do the same thing. The simplest form of
NAT gateway is:
# Assuming eth0 is on the external network (ie: has the IP from MTNL) and eth1
# is on the internal network.
# Set up ip forwarding (all of these need to be run as root)
$ echo 1 > /proc/sys/net/ipv4/ip_forward
# read this as: in the nat table (-t), add a POSTROUTING rule (-A) that says
# every packet destined to go out from eth0 (-o) should be MASQUERADE'd (-j)
$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Homework: Express in words the following commands
$ /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$ /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Now, if you want to do packet filtering, for example you want to say
As packets come in .............. ( -A INPUT )
on the external nic ............. ( -i eth0 )
over tcp ........................ ( -p tcp )
on the http port ................ ( --dport 80 )
accept it ....................... ( -j ACCEPT )
It is pretty interesting once you get to learn to read/write iptables rules and
you might even end up getting carried away doing stuff that is not really necessary.
Here's one guide that I found fairly clear and concise:
Have fun !
random non tech spiel: http://lonetwin.blogspot.com/
tech randomness: http://lonehacks.blogspot.com/
what i'm stumbling into: http://lonetwin.stumbleupon.com/
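The gateway sketched above, worked through as a complete script. This is an added example and not code from the original post; it assumes, like the post, that eth0 faces the MTNL router and eth1 faces the LAN, and additionally assumes a LAN prefix of 192.168.1.0/24 (all three are variables). It uses `-m conntrack --ctstate`, the current spelling of the post's `-m state --state`, and sets the FORWARD policy to DROP, without which the two FORWARD rules in the post have nothing to restrict (the kernel's default policy is ACCEPT). By default it only prints the commands; `MODE=apply` loads them.

```shell
#!/bin/sh
# Added example, not from the original post: a two-NIC NAT gateway with
# stateful filtering, written so the rules can be printed (dry-run) or loaded.
# Assumptions (not stated in the thread): eth0 faces the MTNL router, eth1 faces
# the LAN, and the LAN uses 192.168.1.0/24. Change the three variables to suit.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
MODE="${MODE:-dry-run}"   # MODE=apply really loads the rules (needs root)

run() {
    # dry-run: print the command that would be executed; apply: execute it.
    if [ "$MODE" = apply ]; then "$@"; else printf '%s\n' "$*"; fi
}

load_gateway_rules() {
    # Forwarding between interfaces is off by default; turn it on.
    run sysctl -w net.ipv4.ip_forward=1

    # Start from a clean slate in both tables.
    run iptables -F
    run iptables -X
    run iptables -t nat -F

    # Default policies. INPUT and FORWARD drop unless a rule accepts. The
    # chains are not tied to an interface: every packet entering or transiting
    # the box hits them, and the -i/-o matches below decide the direction.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Anti-spoofing: nothing arriving on the WAN side may claim a LAN address.
    run iptables -A INPUT -i "$WAN" -s "$LAN_NET" -j DROP
    run iptables -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP

    # INPUT: traffic addressed to the gateway itself.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Management only from the LAN side.
    run iptables -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    run iptables -A INPUT -i "$LAN" -s "$LAN_NET" -p icmp -j ACCEPT
    # The thread's example: accept HTTP arriving on the external NIC.
    # --dport needs a protocol match (-p tcp) or iptables rejects the rule.
    run iptables -A INPUT -i "$WAN" -p tcp --dport 80 -j ACCEPT

    # FORWARD: traffic passing through the gateway.
    # Replies to LAN-initiated connections (WAN -> LAN) come back through here.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections may only be opened from the LAN towards the WAN.
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT

    # nat/POSTROUTING: rewrite the source of LAN traffic leaving on the WAN.
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

load_gateway_rules
```

Run `sh gateway.sh` to see the exact commands, then `MODE=apply sh gateway.sh` as root to load them; `iptables -L -v -n` and `iptables -t nat -L -v -n` show the resulting chains with per-rule packet counters, which is the quickest way to confirm that a given packet is matching the rule you think it is.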