IPTables Flow Chart

IPTables Flow Chart

[Jim Cliver]

[-- Attachment #1: Type: text/plain, Size: 349 bytes --]

Hello All,

Attached is a drawing that I thought might be useful to the list, it is 
intended to help visualize the traffic flows on a routing host 
configured with Netfilter.

I have checked it carefully for errors, but can't warrant their 
non-existance.  I welcome comments and suggestions for improving or 
correcting the drawing.

Regards,
jim

[-- Attachment #2: IPTablesFlowChart.pdf --]
[-- Type: application/pdf, Size: 64482 bytes --]

Very impressive, and no virus :-) Re: IPTables Flow Chart

[Xinwen Fu]

Thank you!

Xinwen Fu

On Tue, 9 Mar 2004, Jim Cliver wrote:

> Hello All,
>
> Attached is a drawing that I thought might be useful to the list, it is
> intended to help visualize the traffic flows on a routing host
> configured with Netfilter.
>
> I have checked it carefully for errors, but can't warrant their
> non-existance.  I welcome comments and suggestions for improving or
> correcting the drawing.
>
> Regards,
> jim
>

Re: IPTables Flow Chart

[Antony Stone]

On Wednesday 10 March 2004 2:24 am, Jim Cliver wrote:

> Hello All,
>
> Attached is a drawing that I thought might be useful to the list, it is
> intended to help visualize the traffic flows on a routing host
> configured with Netfilter.
>
> I have checked it carefully for errors, but can't warrant their
> non-existance.  I welcome comments and suggestions for improving or
> correcting the drawing.

My first comment is that the very centre element of the diagram, labelled 
"Routing Process", suggests that IP_Forwarding needs to be = 1 for packets to 
successfully enter the INPUT chain.   This is not the case - it might be 
better if the red and green lines bypassed this box, and only the blue lines 
(which are the "routed" packets) actually go through it.

I then got slightly confused trying to follow the path of a blue packet; after 
entering the logical interface and passing through PREROUTING, it arrives at 
the routing process, but then appears to have a choice of two FORWARD chains 
(one at the top of the diagram, one at the bottom) through which it could 
pass.   I'm not sure this is a helpful representation of netfilter, as there 
is only one FORWARD chain, and all packets, no matter where they are being 
routed to, go through it.

I appreciate that you have used the dotted outline of these boxes to indicate 
"part of", however I think it would be clearer to show simply a single 
netfilter FORWARD chain, followed by a routing decision which leads to the 
two different interfaces?

Regards,

Antony.

-- 
This email was created using 100% recycled electrons.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: IPTables Flow Chart

[Jim Cliver]

Jim Cliver wrote:
> Hello All,
> 
> Attached is a drawing that I thought might be useful to the list, it is 
> intended to help visualize the traffic flows on a routing host 
> configured with Netfilter.
> 
> I have checked it carefully for errors, but can't warrant their 
> non-existance.  I welcome comments and suggestions for improving or 
> correcting the drawing.
> 
> Regards,
> jim

Thank you to all that replied to my first posting of the drawing, I 
really appreciate the feedback!

I believe that all of your suggestions and comments have been 
incorporated into this revision...

http://www.aptalaska.net/~jclive/IPTablesFlowChart.pdf

As always, your comments, suggestions and corrections are welcome.

Regards,
jim

Re: IPTables Flow Chart

[Jim Cliver]

> Thank you to all that replied to my first posting of the drawing, I 
> really appreciate the feedback!
> 
> I believe that all of your suggestions and comments have been 
> incorporated into this revision...
> 
> http://www.aptalaska.net/~jclive/IPTablesFlowChart.pdf
> 
> As always, your comments, suggestions and corrections are welcome.
> 
> Regards,
> jim
> 
> 
> 
Sorry Folks,

Just found an error, will correct and repost.  Directonal arrows from 
Interface B to PREROUTING process are missing...

jim

Re: IPTables Flow Chart

[Antony Stone]

On Thursday 11 March 2004 7:25 pm, Jim Cliver wrote:

> Thank you to all that replied to my first posting of the drawing, I
> really appreciate the feedback!
>
> I believe that all of your suggestions and comments have been
> incorporated into this revision...
>
> http://www.aptalaska.net/~jclive/IPTablesFlowChart.pdf
>
> As always, your comments, suggestions and corrections are welcome.

Very good - much clearer this time, I think.

Just a minor niggle: the two (blue and red) lines in the bottom right hand 
corner of the diagram do not have arrowheads on them - I believe they should 
both point to the Prerouting box at bottom centre, however they seem to have 
lost their direction at some stage :)

Regards,

Antony.

-- 
In Heaven, the police are British, the chefs are Italian, the beer is Belgian, 
the mechanics are German, the lovers are French, the entertainment is 
American, and everything is organised by the Swiss.

In Hell, the police are German, the chefs are British, the beer is American, 
the mechanics are French, the lovers are Swiss, the entertainment is Belgian, 
and everything is organised by the Italians.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: IPTables Flow Chart

[Jim Cliver]

Jim Cliver wrote:
>> Thank you to all that replied to my first posting of the drawing, I 
>> really appreciate the feedback!
>>
>> I believe that all of your suggestions and comments have been 
>> incorporated into this revision...
>>
>> http://www.aptalaska.net/~jclive/IPTablesFlowChart.pdf
>>
>> As always, your comments, suggestions and corrections are welcome.
>>
>> Regards,
>> jim
>>
>>
>>
> Sorry Folks,
> 
> Just found an error, will correct and repost.  Directonal arrows from 
> Interface B to PREROUTING process are missing...
> 
> jim
> 
> 
> 

Ok, we should be good to go now!  The link above is still good dwg'ng 
has been updated.

Thanks also to Antony for the quick catch!

jim

Re: IPTables Flow Chart

[Kiran Kumar]

--- Jim Cliver <jclive@mtaonline.net> wrote:
> Ok, we should be good to go now!  The link above is
> still good dwg'ng 
> has been updated.
> 
> Thanks also to Antony for the quick catch!

  I think, eventually, this should be hosted on
netfilter.org. Jim, Would be nice if you can take it
to them.

=====
Regards,
Kiran Kumar Immidi

__________________________________
Do you Yahoo!?
Yahoo! Search - Find what you’re looking for faster
http://search.yahoo.com

RE: IPTables Flow Chart

[Mark E. Donaldson]

Nice job Jim.  You've packed a considerable amount of complex stuff into a
very small space.  I'm sure many will find this beneficial. 

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Jim Cliver
Sent: Thursday, March 11, 2004 12:13 PM
To: netfilter@lists.netfilter.org
Subject: Re: IPTables Flow Chart

Jim Cliver wrote:
>> Thank you to all that replied to my first posting of the drawing, I 
>> really appreciate the feedback!
>>
>> I believe that all of your suggestions and comments have been 
>> incorporated into this revision...
>>
>> http://www.aptalaska.net/~jclive/IPTablesFlowChart.pdf
>>
>> As always, your comments, suggestions and corrections are welcome.
>>
>> Regards,
>> jim
>>
>>
>>
> Sorry Folks,
> 
> Just found an error, will correct and repost.  Directonal arrows from 
> Interface B to PREROUTING process are missing...
> 
> jim
> 
> 
> 

Ok, we should be good to go now!  The link above is still good dwg'ng has
been updated.

Thanks also to Antony for the quick catch!

jim

RE: IPTables Flow Chart

[Babar Kazmi]

Dear Jim

Great Work .. Very Smart Approach :)
Please also Host it at netfiler .. for future reference ...

Regards

Babar Kazmi

>Nice job Jim.  You've packed a considerable amount of complex stuff into a
>very small space.  I'm sure many will find this beneficial.
>
>-----Original Message----- 
>From: netfilter-admin@lists.netfilter.org
>[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Jim Cliver
>Sent: Thursday, March 11, 2004 12:13 PM
>To: netfilter@lists.netfilter.org
>Subject: Re: IPTables Flow Chart
>
>Jim Cliver wrote:
> >> Thank you to all that replied to my first posting of the drawing, I
> >> really appreciate the feedback!
> >>
> >> I believe that all of your suggestions and comments have been
> >> incorporated into this revision...
> >>
> >> http://www.aptalaska.net/~jclive/IPTablesFlowChart.pdf
> >>
> >> As always, your comments, suggestions and corrections are welcome.
> >>
> >> Regards,
> >> jim
> >>
> >>
> >>
> > Sorry Folks,
> >
> > Just found an error, will correct and repost.  Directonal arrows from
> > Interface B to PREROUTING process are missing...
> >
> > jim
> >
> >
> >
>
>Ok, we should be good to go now!  The link above is still good dwg'ng has
>been updated.
>
>Thanks also to Antony for the quick catch!
>
>jim
>
>
>
>

RE: IPTables Flow Chart

[Kiran Kumar]

Another suggestion, It would be good if in each of the
chains, you could put all the tables involved and in
that order.

This link has it.
http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html#ss3.2

--- Babar Kazmi <BabarKazmi@Hotmail.Com> wrote:
> Dear Jim
> 
> Great Work .. Very Smart Approach :)
> Please also Host it at netfiler .. for future
> reference ...
> 
> Regards


=====
Regards,
Kiran Kumar Immidi

__________________________________
Do you Yahoo!?
Yahoo! Search - Find what you’re looking for faster
http://search.yahoo.com