From: Philip Westphal <philip@trans.net>
To: netfilter@lists.netfilter.org
Subject: FORWARD-chain packets go through INPUT-chain ?
Date: Wed, 26 Apr 2006 10:43:15 +0200
Message-ID: <444F32A3.7050900@trans.net>

Hi everybody,

I think my problem is quite simple, but I'm a little bit under pressure, and Google didn't help.
I have a firewall machine with ip6tables running on it, and behind this firewall there is a webserver with apache2 running.
The network looks like this:
______________________________________________________________________________________________
|                                   LAPTOP                                                   |
|   ipv6-addr: 2001:4100:1:1:204:dff:fe2b:4f1e/64 gw: 2001:4100:1:1:207:8dff:fef0:a900/64    |
----------------------------------------------------------------------------------------------
                                       |     |
                                       |     |
                                       |     |
______________________________________|_____|_______________________________
|      fasteth0/0 ipv6-addr: 2001:4100:1:1:207:8dff:fef0:a900/64            |
|                           CISCO                                           |
|      fasteth1/0 ipv6-addr: 2001:4200:2:1:231:b5ff:fe67:8900/64            |
----------------------------------------------------------------------------
                                       |     |
                                       |     |
                                       |     |
______________________________________|_____|____________________________________________________
|      eth0 ipv6-addr: 2001:4200:2:1:20b:4eff:fe5e:c69d/64 gw: 2001:4200:2:1:231:b5ff:fe67:8900 |
|                                   FIREWALL                                                    |
|      eth1 ipv6-addr: 2001:4200:3:1:203:75ff:fee8:3275/64 + route 2001:4200:3:1::/48 -> eth1   |
-------------------------------------------------------------------------------------------------
                                       |     |
                                       |     |
                                       |     |
______________________________________|_____|___________________________________________________
|    eth0 ipv6-addr: 2001:4200:3:1:204:b4ff:fec7:faa4/64  gw: 2001:4200:3:1:203:75ff:fee8:3275 |
|                                     APACHE                                                   |
------------------------------------------------------------------------------------------------

Routing is fine; without ip6tables everything works.
My problem is that packets from the LAPTOP to the APACHE (and vice versa) go through all 3 chains: INPUT, OUTPUT and FORWARD.
If I don't make any rules, I have to set all 3 chains to ACCEPT to get packets through.
If I have INPUT and OUTPUT on DROP (FORWARD is on ACCEPT all the time), I especially need to allow packets to or from
port 80 or icmpv6 on the INPUT and OUTPUT chains. When I set one of these two chains to DROP without any special rule,
nothing works, not the http request or even the icmpv6. I thought all the time that the INPUT and OUTPUT chains are just for packets
which are for or from the local machine. Could it be that the firewall treats packets like this because the APACHE is in the same net
on a connected interface?
When I allow packets to the APACHE in the INPUT chain (let's assume the firewall routes packets through this chain because it is itself in the same net)
(default policy is DROP) and set the OUTPUT and FORWARD chains to ACCEPT, it still doesn't work.

As I understand http://netfilter.org/documentation/HOWTO/de/packet-filtering-HOWTO-6.html, normally packets
which are not destined to the machine itself just go through the FORWARD chain. It's also under point #3 in this howto:

If forwarding is enabled, and the packet is destined for another network interface (if you have another one),
then the packet goes rightwards on our diagram to the FORWARD chain. If it is ACCEPTed, it will be sent out.

If you have ANY questions about the net, or the routing tables on specific machines, please ask.
I don't get it; any idea, HOWTO link, explanation, or solution *g* would be very nice. I'm willing to RTFM, but I don't know where this man is.

Thanks in advance. Philip
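An added example for this thread, not code from the post or from the netfilter project: a small Python model of the chain selection the quoted HOWTO describes (routing decision, then INPUT, FORWARD or OUTPUT), run over the addresses in the diagram above. The names Firewall, Packet, Rule and trace_scenarios, the first-match rule format and the policy defaults are assumptions of the model; the solicited-node multicast group is constructed from the firewall's eth0 address. The model also makes one IPv6 detail visible that the HOWTO diagram does not: neighbour discovery between the firewall and its neighbours (the Cisco and the Apache box) is addressed to the firewall's own addresses, so those ICMPv6 packets traverse INPUT and OUTPUT even though the HTTP traffic itself only sees FORWARD, which is why an ICMPv6 rule in INPUT/OUTPUT matters for forwarded traffic.

```python
"""Model of the netfilter chain traversal described in the packet-filtering HOWTO.

Added example for this thread: a hypothetical simulation, not netfilter code,
and it does not execute ip6tables. Addresses come from the post's diagram;
the solicited-node multicast group is constructed from the eth0 address.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Firewall's own addresses (from the post's diagram)
FW_ETH0 = ipaddress.ip_address("2001:4200:2:1:20b:4eff:fe5e:c69d")
FW_ETH1 = ipaddress.ip_address("2001:4200:3:1:203:75ff:fee8:3275")
# Solicited-node multicast group for eth0 (ff02::1:ff00:0/104 plus the low
# 24 bits of the address). Neighbour solicitations for eth0 are sent here and
# the firewall listens on it, so they are delivered locally (constructed value).
FW_ETH0_SOLICITED = ipaddress.ip_address("ff02::1:ff5e:c69d")
LAPTOP = ipaddress.ip_address("2001:4100:1:1:204:dff:fe2b:4f1e")
APACHE = ipaddress.ip_address("2001:4200:3:1:204:b4ff:fec7:faa4")
CISCO_FE1 = ipaddress.ip_address("2001:4200:2:1:231:b5ff:fe67:8900")


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    proto: str                       # "tcp" or "icmpv6"
    dport: Optional[int] = None      # TCP destination port, if any
    locally_generated: bool = False  # True for packets the firewall itself sends


@dataclass(frozen=True)
class Rule:
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any port
    target: str = "ACCEPT"


@dataclass
class Firewall:
    forwarding: bool = True
    local_addrs: Set[ipaddress.IPv6Address] = field(
        default_factory=lambda: {FW_ETH0, FW_ETH1, FW_ETH0_SOLICITED})
    policy: Dict[str, str] = field(
        default_factory=lambda: {"INPUT": "DROP", "OUTPUT": "DROP", "FORWARD": "ACCEPT"})
    rules: Dict[str, List[Rule]] = field(
        default_factory=lambda: {"INPUT": [], "OUTPUT": [], "FORWARD": []})

    def chain_for(self, pkt: Packet) -> Optional[str]:
        """Routing decision as in the HOWTO: locally generated packets take OUTPUT,
        packets for one of our own addresses take INPUT, everything else takes
        FORWARD if forwarding is enabled and is discarded by the stack otherwise."""
        if pkt.locally_generated:
            return "OUTPUT"
        if pkt.dst in self.local_addrs:
            return "INPUT"
        return "FORWARD" if self.forwarding else None

    def verdict(self, pkt: Packet) -> Tuple[Optional[str], str]:
        """First matching rule in the selected chain wins; otherwise the chain policy."""
        chain = self.chain_for(pkt)
        if chain is None:
            return None, "DROP"
        for rule in self.rules[chain]:
            if rule.proto in (None, pkt.proto) and rule.dport in (None, pkt.dport):
                return chain, rule.target
        return chain, self.policy[chain]


def trace_scenarios(fw: Firewall) -> Dict[str, Tuple[Optional[str], str]]:
    """Run the traffic from the post through the model and report chain + verdict."""
    return {
        "laptop->apache http": fw.verdict(Packet(LAPTOP, APACHE, "tcp", 80)),
        "apache->laptop reply": fw.verdict(Packet(APACHE, LAPTOP, "tcp")),
        "laptop->firewall ping": fw.verdict(Packet(LAPTOP, FW_ETH0, "icmpv6")),
        # Neighbour solicitation from the Cisco for the firewall's eth0 address:
        # addressed to the firewall, so it traverses INPUT, not FORWARD.
        "cisco NS for fw eth0": fw.verdict(Packet(CISCO_FE1, FW_ETH0_SOLICITED, "icmpv6")),
        # The firewall's own neighbour advertisement back to the Cisco takes OUTPUT.
        "fw NA to cisco": fw.verdict(Packet(FW_ETH0, CISCO_FE1, "icmpv6", locally_generated=True)),
    }


if __name__ == "__main__":
    strict = Firewall()  # INPUT/OUTPUT DROP, FORWARD ACCEPT, no rules
    for name, (chain, verdict) in trace_scenarios(strict).items():
        print(f"{name:24s} chain={chain} verdict={verdict}")
    # Allowing ICMPv6 in INPUT and OUTPUT lets neighbour discovery through
    # while forwarded HTTP still only sees the FORWARD chain.
    with_nd = Firewall(rules={"INPUT": [Rule("icmpv6")], "OUTPUT": [Rule("icmpv6")], "FORWARD": []})
    for name, (chain, verdict) in trace_scenarios(with_nd).items():
        print(f"{name:24s} chain={chain} verdict={verdict}")
```

The model is stateless on purpose: it only answers "which chain does this packet hit, and what does that chain decide", which is the question the post asks. Real ip6tables rulesets would normally add a conntrack ESTABLISHED,RELATED rule so the Apache replies are matched by state rather than by port.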
Thread overview: 2+ messages
2006-04-26  8:43 Philip Westphal [this message]
2006-04-26  9:34 ` FORWARD-chain packets go through INPUT-chain ? Jozsef Kadlecsik