From: Lopsch <lopsch@lopsch.com>
To: netfilter@lists.netfilter.org
Subject: Re: questions about chain traversal, new ascii diagram
Date: Thu, 06 Jan 2005 18:49:09 +0100
Message-ID: <41DD7A15.6050405@lopsch.com>
In-Reply-To: <BAY101-F121798A658C0B56334F8D7DF930@phx.gbl>


Curby . wrote:
> Hi, I'm in the process of building a three-interface firewall and I have
> some questions about how the different chains see NAT packets and
> locally-generated packets.
>
> Firstly, if I just do filtering in the INPUT/OUTPUT chains, NAT-ed
> packets will not traverse those chains, so I figure I should probably
> put similar filtering rules in the FORWARD chain? (For example, I'd like
> to be able to block all my internal users from accessing certain sites,
> or block incoming traffic sent by bad hosts from being port-forwarded to
> internal servers).
>
> If I was trying to block incoming traffic from bad hosts, why not simply
> put the filters in the PREROUTING chain instead of both INPUT and
> FORWARD?  Is it because the nat table is intended for just nat and doing
> filtering there would be ugly, or would it actually fail to work?
>
> I read in http://davidcoulson.net/writing/lxf/14/iptables.pdf (on the
> netfilter.org documentation page) that nat's OUTPUT chain performs DNAT
> on outgoing packets originating from the server, and POSTROUTING
> performs SNAT on outgoing packets passing through the firewall from
> other hosts.  If I have two Internet-facing IPs and would like to SNAT
> locally-generated traffic to one or the other, it would appear that
> iptables wouldn't let me do that very easily, right?  What is the
> purpose of nat's OUTPUT chain (in other words, when would I want to DNAT
> locally-generated traffic)?
>
> In what order does locally-generated traffic traverse the OUTPUT chains
> of filter and nat tables?
>
> Lastly, aside from those issues, is the diagram below a reasonable
> representation?  The only diagrams I found on chain traversal dealt with
> the nat and filter tables separately, but I'm hoping that it's possible
> to show them together.  (I hope hotmail doesn't completely destroy this
> ascii hehe).
>
> # -->n.PREROUT-->routing decision-->f.FORWARD-->n.POSTROUT--,-->
> #                       |                     ,-------------^
> #                       v                     |
> #                     f.INPUT              f.OUTPUT, n.OUTPUT
> #                       |                     ^
> #                       `--->local process----'
>
> Thanks!
>
> --curby
>
>
http://joerg.fruehbrodt.bei.t-online.de/pics/abb3_netfilter_ablaufdiagramm.jpg

What about the mangle decisions, do you also want to include them :D?

--

PGP-ID 0xF8EAF138

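The hook order the thread is asking about, as an added example written for this page (a toy model, not code from the post or from netfilter itself). It walks a packet through the mangle, nat and filter tables in the documented order: mangle before nat in PREROUTING and POSTROUTING, mangle then nat then filter in OUTPUT, and mangle before filter in INPUT and FORWARD. The routing decision is taken after nat PREROUTING, so a port-forwarded (DNATed) packet is routed on its rewritten destination and reaches FORWARD rather than INPUT, and a locally generated packet passes nat POSTROUTING too, so it can be SNATed there. The raw table, connection tracking and the loopback path for local-to-local traffic are left out, and every address and rule is constructed sample data.

```python
"""Toy model of Linux netfilter chain traversal for the mangle, nat and
filter tables.  Added illustration, not the original post's code; the raw
table, connection tracking and the loopback path are omitted, and all
addresses and rules below are constructed sample data."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface_in: Optional[str] = None   # None means locally generated


# Addresses owned by the firewall host itself (constructed): two public, one internal.
LOCAL_ADDRS = {"203.0.113.1", "203.0.113.2", "192.168.1.1"}

# Tables consulted at each hook, in order: mangle before nat, mangle before filter.
HOOK_ORDER = {
    "PREROUTING":  ["mangle", "nat"],
    "INPUT":       ["mangle", "filter"],
    "FORWARD":     ["mangle", "filter"],
    "OUTPUT":      ["mangle", "nat", "filter"],
    "POSTROUTING": ["mangle", "nat"],
}

# Where iptables accepts the NAT targets; elsewhere it refuses the rule at load time.
NAT_TARGET_CHAINS = {
    "DNAT": {("nat", "PREROUTING"), ("nat", "OUTPUT")},
    "SNAT": {("nat", "POSTROUTING")},
}


def check_rules(rules):
    """Reject rules iptables itself would refuse, e.g. SNAT in PREROUTING."""
    for (table, chain), chain_rules in rules.items():
        for _, action, _ in chain_rules:
            if action in NAT_TARGET_CHAINS and (table, chain) not in NAT_TARGET_CHAINS[action]:
                raise ValueError(f"{action} is not valid in {table}.{chain}")


def run_hook(hook, rules, pkt, trace):
    """Run every table registered at this hook; the first DROP ends traversal."""
    for table in HOOK_ORDER[hook]:
        trace.append(f"{table}.{hook}")
        for pred, action, arg in rules.get((table, hook), []):
            if not pred(pkt):
                continue
            if action == "DROP":
                return "DROP", pkt
            if action == "DNAT":
                pkt = replace(pkt, dst=arg)
            elif action == "SNAT":
                pkt = replace(pkt, src=arg)
            break   # ACCEPT, DNAT and SNAT all terminate the chain they matched in
    return "ACCEPT", pkt


def traverse(pkt, rules):
    """Return (verdict, final packet, list of chains visited in order)."""
    check_rules(rules)
    trace = []
    if pkt.iface_in is not None:
        verdict, pkt = run_hook("PREROUTING", rules, pkt, trace)
        if verdict == "DROP":
            return verdict, pkt, trace
        # Routing is decided AFTER nat PREROUTING, so a DNATed packet is routed
        # on its new destination and lands in FORWARD, not INPUT.
        trace.append("routing decision")
        if pkt.dst in LOCAL_ADDRS:
            verdict, pkt = run_hook("INPUT", rules, pkt, trace)
            if verdict == "ACCEPT":
                trace.append("local process")
            return verdict, pkt, trace
        verdict, pkt = run_hook("FORWARD", rules, pkt, trace)
        if verdict == "DROP":
            return verdict, pkt, trace
    else:
        trace.append("routing decision")
        original_dst = pkt.dst
        verdict, pkt = run_hook("OUTPUT", rules, pkt, trace)
        if verdict == "DROP":
            return verdict, pkt, trace
        if pkt.dst != original_dst:   # nat OUTPUT changed the destination
            trace.append("re-routing")
    verdict, pkt = run_hook("POSTROUTING", rules, pkt, trace)
    return verdict, pkt, trace


# Constructed ruleset for a three-interface firewall like the one in the question.
RULES = {
    # port-forward public :80 to an internal web server
    ("nat", "PREROUTING"): [
        (lambda p: p.dst == "203.0.113.1" and p.dport == 80, "DNAT", "192.168.1.10"),
    ],
    # block a bad host; DNAT already happened, so this covers port-forwarded traffic
    ("filter", "FORWARD"): [
        (lambda p: p.src == "198.51.100.66", "DROP", None),
    ],
    # SNAT to the second public address; locally generated packets reach this chain too
    ("nat", "POSTROUTING"): [
        (lambda p: p.src in {"192.168.1.10", "203.0.113.1"}, "SNAT", "203.0.113.2"),
    ],
}

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "203.0.113.1", 80, "eth0"),
                Packet("198.51.100.66", "203.0.113.1", 80, "eth0"),
                Packet("203.0.113.1", "198.51.100.7", 443)):
        verdict, out, trace = traverse(pkt, RULES)
        print(verdict, out.src, "->", out.dst, "|", " / ".join(trace))
```

Running it shows the forwarded connection taking mangle.PREROUTING, nat.PREROUTING, routing decision, mangle.FORWARD, filter.FORWARD, mangle.POSTROUTING, nat.POSTROUTING; the bad host being dropped in filter.FORWARD after the DNAT; and the locally generated packet going through all three OUTPUT tables and then being SNATed in nat.POSTROUTING. In the real kernel the nat table is only consulted for the first packet of a connection (conntrack is not modelled here), which is one more reason to keep filtering rules in the filter table.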

Thread overview: 6+ messages
2005-01-06 17:23 questions about chain traversal, new ascii diagram Curby .
2005-01-06 17:49 ` Lopsch [this message]
2005-01-06 19:20   ` Curby .
2005-01-07  2:12     ` John A. Sullivan III
2005-01-07 22:08     ` Andy Furniss
2005-01-06 20:50   ` Ipfilter for DHCP client sisdis