Let me understand *RETURN*

Let me understand *RETURN*

[Mohammad Khan]

I have couple of chains and rules for filter table

-N TCP_IN
-N TCP_OUT
-N UDP_IN
-N UDP_OUT
-N ICMP_IN
-N ICMP_OUT

-N P1_IN
-N P1_OUT
-N P2_IN
-N P2_OUT

-A FORWARD -d IP_OF_P1 -j P1_IN
-A FORWARD -s IP_OF_P1 -j P1_OUT

-A FORWARD -d IP_OF_P1 -j P1_IN
-A FORWARD -s IP_OF_P1 -j P1_OUT
-A FORWARD -j LOG --log-prefix "NOT_FORWARDED "
-A FORWARD -j DROP

-A P1_IN -t TCP -j TCP_IN
-A P1_IN -t UDP -j UDP_IN
-A P1_IN -t ICMP -j ICMP_IN
-A P1_IN -j RETURN

-A TCP_IN -t TCP --dport 80 -J ACCPET
-A TCP_IN -j RETURN

For any tcp packet that going to P1 and don't have destination port 80: 

returned to P1_IN chain from TCP_IN chain, then after
returned to FORWARD chain from P1_IN, and finally
dropping the packet after kept log.

Am I right?

MOhammad

Re: Let me understand *RETURN*

[Jason Opperisano]

On Fri, Feb 18, 2005 at 11:15:58AM -0500, Mohammad Khan wrote:
> I have couple of chains and rules for filter table
> 
> -N TCP_IN
> -N TCP_OUT
> -N UDP_IN
> -N UDP_OUT
> -N ICMP_IN
> -N ICMP_OUT
> 
> -N P1_IN
> -N P1_OUT
> -N P2_IN
> -N P2_OUT
> 
> -A FORWARD -d IP_OF_P1 -j P1_IN
> -A FORWARD -s IP_OF_P1 -j P1_OUT
> 
> -A FORWARD -d IP_OF_P1 -j P1_IN
> -A FORWARD -s IP_OF_P1 -j P1_OUT

why do you have the above 2 rules twice?

> -A FORWARD -j LOG --log-prefix "NOT_FORWARDED "
> -A FORWARD -j DROP
> 
> -A P1_IN -t TCP -j TCP_IN
> -A P1_IN -t UDP -j UDP_IN
> -A P1_IN -t ICMP -j ICMP_IN
> -A P1_IN -j RETURN
> 
> -A TCP_IN -t TCP --dport 80 -J ACCPET
> -A TCP_IN -j RETURN

the option to specify the protocol is "-p" not "-t" (that specifies the
table to operate on)

> For any tcp packet that going to P1 and don't have destination port 80: 
> 
> returned to P1_IN chain from TCP_IN chain, then after
> returned to FORWARD chain from P1_IN, and finally
> dropping the packet after kept log.
> 
> Am I right?

yes, assuming the IP P1 is not local to the gateway in question.

-j

--
"When a woman says nothing's wrong, everything's wrong. When a woman
 says everything's wrong, *everything's* wrong. And when a woman says
 something's not funny, you'd better not laugh your ass off!"
        --The Simpsons

Re: Let me understand *RETURN*

[Mohammad Khan]

On Fri, 2005-02-18 at 12:34, Jason Opperisano wrote:
> On Fri, Feb 18, 2005 at 11:15:58AM -0500, Mohammad Khan wrote:
> > I have couple of chains and rules for filter table
> > 
> > -N TCP_IN
> > -N TCP_OUT
> > -N UDP_IN
> > -N UDP_OUT
> > -N ICMP_IN
> > -N ICMP_OUT
> > 
> > -N P1_IN
> > -N P1_OUT
> > -N P2_IN
> > -N P2_OUT
> > 
> > -A FORWARD -d IP_OF_P1 -j P1_IN
> > -A FORWARD -s IP_OF_P1 -j P1_OUT
> > 
> > -A FORWARD -d IP_OF_P1 -j P1_IN
> > -A FORWARD -s IP_OF_P1 -j P1_OUT
> 
> why do you have the above 2 rules twice?
Sorry, copied and pasted .. 
should be 
-A FORWARD -d IP_OF_P1 -j P1_IN
-A FORWARD -s IP_OF_P1 -j P1_OUT
-A FORWARD -d IP_OF_P2 -j P2_IN
-A FORWARD -s IP_OF_P2 -j P2_OUT

> 
> 
> > -A FORWARD -j LOG --log-prefix "NOT_FORWARDED "
> > -A FORWARD -j DROP
> > 
> > -A P1_IN -t TCP -j TCP_IN
> > -A P1_IN -t UDP -j UDP_IN
> > -A P1_IN -t ICMP -j ICMP_IN
> > -A P1_IN -j RETURN
> > 
> > -A TCP_IN -t TCP --dport 80 -J ACCPET
> > -A TCP_IN -j RETURN
> 

Sorry again.. for the typo

should be:
-A P1_IN -p TCP -j TCP_IN
-A P1_IN -p UPD -j UDP_IN
-A P1_IN -p ICMP -j ICMP_IN
-A P1_IN -j RETURN
 
-A TCP_IN -p TCP --dport 80 -j ACCEPT
-A TCP_IN -j RETURN

> the option to specify the protocol is "-p" not "-t" (that specifies the
> table to operate on)
> 
> > For any tcp packet that going to P1 and don't have destination port 80: 
> > 
> > returned to P1_IN chain from TCP_IN chain, then after
> > returned to FORWARD chain from P1_IN, and finally
> > dropping the packet after kept log.
> > 
> > Am I right?
> 
> yes, assuming the IP P1 is not local to the gateway in question.

IP_OF_P1 is local IP.
I didn't typed rules for P2_IN and P2_OUT


I am just trying to understand *RETURN* .

Thanks
Mohammad

Re: Let me understand *RETURN*

[Daniel Lopes]

Mohammad Khan schrieb:
> On Fri, 2005-02-18 at 12:34, Jason Opperisano wrote:
> 
>>On Fri, Feb 18, 2005 at 11:15:58AM -0500, Mohammad Khan wrote:
>>
>>>I have couple of chains and rules for filter table
>>>
>>>-N TCP_IN
>>>-N TCP_OUT
>>>-N UDP_IN
>>>-N UDP_OUT
>>>-N ICMP_IN
>>>-N ICMP_OUT
>>>
>>>-N P1_IN
>>>-N P1_OUT
>>>-N P2_IN
>>>-N P2_OUT
>>>
>>>-A FORWARD -d IP_OF_P1 -j P1_IN
>>>-A FORWARD -s IP_OF_P1 -j P1_OUT
>>>
>>>-A FORWARD -d IP_OF_P1 -j P1_IN
>>>-A FORWARD -s IP_OF_P1 -j P1_OUT
>>
>>why do you have the above 2 rules twice?
> 
> Sorry, copied and pasted .. 
> should be 
> -A FORWARD -d IP_OF_P1 -j P1_IN
> -A FORWARD -s IP_OF_P1 -j P1_OUT
> -A FORWARD -d IP_OF_P2 -j P2_IN
> -A FORWARD -s IP_OF_P2 -j P2_OUT
> 
> 
>>
>>>-A FORWARD -j LOG --log-prefix "NOT_FORWARDED "
>>>-A FORWARD -j DROP
>>>
>>>-A P1_IN -t TCP -j TCP_IN
>>>-A P1_IN -t UDP -j UDP_IN
>>>-A P1_IN -t ICMP -j ICMP_IN
>>>-A P1_IN -j RETURN
>>>
>>>-A TCP_IN -t TCP --dport 80 -J ACCPET
>>>-A TCP_IN -j RETURN
>>
> 
> Sorry again.. for the typo
> 
> should be:
> -A P1_IN -p TCP -j TCP_IN
> -A P1_IN -p UPD -j UDP_IN
> -A P1_IN -p ICMP -j ICMP_IN
> -A P1_IN -j RETURN
>  
> -A TCP_IN -p TCP --dport 80 -j ACCEPT
> -A TCP_IN -j RETURN
> 
> 
>>the option to specify the protocol is "-p" not "-t" (that specifies the
>>table to operate on)
>>
>>
>>>For any tcp packet that going to P1 and don't have destination port 80: 
>>>
>>>returned to P1_IN chain from TCP_IN chain, then after
>>>returned to FORWARD chain from P1_IN, and finally
>>>dropping the packet after kept log.
>>>
>>>Am I right?
>>
>>yes, assuming the IP P1 is not local to the gateway in question.
> 
> 
> IP_OF_P1 is local IP.
> I didn't typed rules for P2_IN and P2_OUT
> 
> 
> I am just trying to understand *RETURN* .
> 
> Thanks
> Mohammad
> 
> 

RETURN only says that you stop testing the packet against the rules in 
the actual chain, return back to the outer chain and continue testing 
the packet against that rules in the outer chain. E.g.

iptables -P INPUT DROP

iptables -A INPUT -j rule1
iptables -A INPUT -j rule2
iptables -A INPUT -j rule3

iptables -N rule1
iptables -A rule1 -j RETURN
iptables -N rule2
iptables -A rule2 -j RETURN
iptables -N rule3
iptables -A rule3 -j RETURN

So now every packet destined for the local machine always wents through 
the INPUT chain. The default policy is set to drop.
Now let´s say there´s a packet for the local machine. It went´s to the 
INPUT chain. The INPUT chain sends it to rule1. In rule one the RETURN 
traget sends it back to the INPUT chain. The INPUT chain sends it to 
rule2. Rule2 sends it back to the INPUT chain and so on till it is 
droppped by the default policy.

iptables -P INPUT DROP

iptables -A INPUT -j rule1

iptables -N rule1
iptables -A rule1 -j rule2
iptables -N rule2
iptables -A rule2 -j RETURN
iptables -N rule1
iptables -A rule1 -j RETURN

Again the INPUT chain sends it to rule1. Rule1 sends it to rule2. Rule2 
sends it via RETURN back to rule1 and rule1 back to INPUT chain where it 
is dropped via default policy.

I hope this will help you. You can see RETURN always sends a packet back 
to the outer chain from where it was send to the actual chain.

Re: Let me understand *RETURN*

[R. DuFresne]

	[SNIP]

> 
> iptables -N rule1
> iptables -A rule1 -j RETURN
> iptables -N rule2
> iptables -A rule2 -j RETURN
> iptables -N rule3
> iptables -A rule3 -j RETURN
> 
> So now every packet destined for the local machine always wents through 
> the INPUT chain. The default policy is set to drop.
> Now let´s say there´s a packet for the local machine. It went´s to the 
> INPUT chain. The INPUT chain sends it to rule1. In rule one the RETURN 
> traget sends it back to the INPUT chain. The INPUT chain sends it to 
> rule2. Rule2 sends it back to the INPUT chain and so on till it is 
> droppped by the default policy.
> 
> iptables -P INPUT DROP
> 
> iptables -A INPUT -j rule1
> 
> iptables -N rule1
> iptables -A rule1 -j rule2
> iptables -N rule2
> iptables -A rule2 -j RETURN
> iptables -N rule1
> iptables -A rule1 -j RETURN
> 
> Again the INPUT chain sends it to rule1. Rule1 sends it to rule2. Rule2 
> sends it via RETURN back to rule1 and rule1 back to INPUT chain where it 
> is dropped via default policy.
> 
> I hope this will help you. You can see RETURN always sends a packet back 
> to the outer chain from where it was send to the actual chain.
> 
> 


It was my understanding that a user chain could not jump to another user
chain, that this was only allowed in the default chains <input, output and
forward>?

Thanks,


Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

...Love is the ultimate outlaw.  It just won't adhere to rules.
The most any of us can do is sign on as it's accomplice.  Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question.  The words
"make" and "stay" become inappropriate.  My love for you has no
strings attached.  I love you for free...
                        -Tom Robins <Still Life With Woodpecker>

Re: Let me understand *RETURN*

[Jason Opperisano]

On Fri, 2005-02-18 at 18:59, R. DuFresne wrote:
> It was my understanding that a user chain could not jump to another user
> chain, that this was only allowed in the default chains <input, output and
> forward>?

nope.  jump all you want--just don't always expect to be able to figure
out WTF your packet went.

-j

--
"Ahh the Luftwaffe--the Washington Generals of the History Channel."
	--The Simpsons