From: Joel Newkirk <netfilter@newkirk.us>
To: james li <shijialeeee@yahoo.ca>, netfilter@lists.netfilter.org
Subject: Re: iptables questions
Date: Tue, 26 Nov 2002 19:08:46 -0500 [thread overview]
Message-ID: <200211261908.46820.netfilter@newkirk.us> (raw)
In-Reply-To: <20021126233326.75120.qmail@web14507.mail.yahoo.com>
On Tuesday 26 November 2002 06:33 pm, james li wrote:
> hi,
>
> i am learning iptables through the HOWTO. there is one
> command i am not sure. can someone explain it to me
> please?
>
> $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
>
> from author 'this rule will allow all traffic from
> our $LAN_IFACE to any other interface to flow
> freely, in other words allow all traffic
> from our LAN to the Internet'.
>
> is there a default '-o eth+' in the above command that
> is omitted ? should it better be
> $IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -j
> ACCEPT
>
> INET_IFACE as (internet_interface)
Not necessarily. If you only have two interfaces, and use the first rule, it
will match anything coming in the $LAN_IFACE interface, regardless of
destination. (well, if the destination is local to the firewall machine it
won't match, because it will be in the INPUT filter chain instead of
FORWARD... :^) If you have more than two interfaces, or situations where
forwarding back out the same LAN interface takes place (like connecting the
LAN to a local server, perhaps) then you might want to have different rules
depending on destination, otherwise leaving it out simply means you don't
care what output interface is used. You usually would NOT want to match
solely on the -o parameter, since that could allow incoming traffic from the
internet to forward back out in this scenario, but such a rule is also valid.
If you have a DMZ hanging off a third interface from the firewall, then
filtering rules pertaining to the DMZ would probably be most easily defined
based on -o $DMZ_IFACE. (or whatever name you used)
Depending on where the rule is placed (INPUT, FORWARD, OUTPUT, etc) you may
find it useful to apply or omit particular parts of a rule. For example, in
PREROUTING chains (NAT or MANGLE) -o is undefined, so you DON'T want to try
to match it there. In the FORWARD filter chain the output interface is
defined, but often isn't important; more important (i.e. more useful to
filtering) would be the input iface and source/dest IPs in most cases.
j
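The distinction drawn in the reply above (matching on -i alone, on -i plus -o, or on -o alone, in a two- or three-interface firewall) can be checked with a small model of how the FORWARD chain evaluates a packet: rules are tried in order, the first match decides, and the chain policy applies if nothing matches. This is an added example, not code from the original message or from the HOWTO; the interface names (eth0/eth1/eth2 for Internet, LAN and DMZ) and the set of forwarded flows are constructed for the illustration. Only interface matching is modelled; address matching and connection tracking for return traffic are left out.

```python
"""Minimal model of the netfilter FORWARD chain: first matching rule wins,
otherwise the chain policy applies.  Used to show what a rule matching only
-i, only -o, or both actually lets through on a 3-interface firewall.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT or DROP
    in_iface: Optional[str] = None   # -i <iface>, None means "any"
    out_iface: Optional[str] = None  # -o <iface>, None means "any"

    def matches(self, in_iface: str, out_iface: str) -> bool:
        return ((self.in_iface is None or self.in_iface == in_iface) and
                (self.out_iface is None or self.out_iface == out_iface))


def forward_verdict(rules: List[Rule], policy: str,
                    in_iface: str, out_iface: str) -> str:
    """Walk the chain in order; the first rule that matches decides."""
    for rule in rules:
        if rule.matches(in_iface, out_iface):
            return rule.target
    return policy  # no rule matched: chain policy (-P FORWARD ...)


# Constructed topology (assumed names, not from the original message).
INET, LAN, DMZ = "eth0", "eth1", "eth2"

# Forwarded flows as (input iface, output iface).  Traffic addressed to the
# firewall itself goes through INPUT, not FORWARD, so it is not listed.
FLOWS: Dict[str, Tuple[str, str]] = {
    "lan->inet": (LAN, INET),
    "lan->dmz":  (LAN, DMZ),
    "dmz->inet": (DMZ, INET),
    "inet->dmz": (INET, DMZ),
    "inet->lan": (INET, LAN),
    "lan->lan":  (LAN, LAN),   # forwarded back out the same LAN interface
}

# The three candidate rules from the discussion, each as a one-rule chain.
RULESETS: Dict[str, List[Rule]] = {
    # $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
    "-i LAN":         [Rule("ACCEPT", in_iface=LAN)],
    # $IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -j ACCEPT
    "-i LAN -o INET": [Rule("ACCEPT", in_iface=LAN, out_iface=INET)],
    # $IPTABLES -A FORWARD -o $LAN_IFACE -j ACCEPT  (matching on -o only)
    "-o LAN":         [Rule("ACCEPT", out_iface=LAN)],
    # $IPTABLES -A FORWARD -o $DMZ_IFACE -j ACCEPT  (DMZ rules keyed on -o)
    "-o DMZ":         [Rule("ACCEPT", out_iface=DMZ)],
}


def accepted_flows(rules: List[Rule], policy: str = "DROP") -> List[str]:
    """Names of the flows a chain accepts, with a default DROP policy."""
    return sorted(name for name, (i, o) in FLOWS.items()
                  if forward_verdict(rules, policy, i, o) == "ACCEPT")


def report() -> Dict[str, List[str]]:
    return {name: accepted_flows(rules) for name, rules in RULESETS.items()}


if __name__ == "__main__":
    for name, flows in report().items():
        print(f"{name:16s} accepts: {', '.join(flows)}")
```

Running it shows why the reply says "not necessarily": `-i LAN` alone accepts LAN traffic to the Internet, to the DMZ and back out the LAN interface, `-i LAN -o INET` accepts only the LAN-to-Internet flow, and a rule keyed on `-o LAN` alone also accepts Internet-to-LAN traffic, which is the case the reply warns about. Add a DROP rule ahead of the ACCEPT and re-run to see first-match ordering take effect.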