* FORWARD-chain packets go through INPUT-chain ?
@ 2006-04-26  8:43 Philip Westphal
From: Philip Westphal @ 2006-04-26  8:43 UTC (permalink / raw)
  To: netfilter

Hi everybody,

I think my problem is quite simple, but I'm a little bit under pressure, and Google didn't help.
I have a firewall machine with ip6tables running on it, and behind this firewall there is a webserver with apache2 running.
The network looks like this:
______________________________________________________________________________________________
|                                   LAPTOP                                                   |
|   ipv6-addr: 2001:4100:1:1:204:dff:fe2b:4f1e/64 gw: 2001:4100:1:1:207:8dff:fef0:a900/64    |
----------------------------------------------------------------------------------------------
                                       |     |
                                       |     |
                                       |     |
______________________________________|_____|_______________________________
|      fasteth0/0 ipv6-addr: 2001:4100:1:1:207:8dff:fef0:a900/64            |
|                           CISCO                                           |
|      fasteth1/0 ipv6-addr: 2001:4200:2:1:231:b5ff:fe67:8900/64            |
----------------------------------------------------------------------------
                                       |     |
                                       |     |
                                       |     |
______________________________________|_____|____________________________________________________
|      eth0 ipv6-addr: 2001:4200:2:1:20b:4eff:fe5e:c69d/64 gw: 2001:4200:2:1:231:b5ff:fe67:8900 |
|                                   FIREWALL                                                    |
|      eth1 ipv6-addr: 2001:4200:3:1:203:75ff:fee8:3275/64 + route 2001:4200:3:1::/48 -> eth1   |
-------------------------------------------------------------------------------------------------
                                       |     |
                                       |     |
                                       |     |
______________________________________|_____|___________________________________________________
|    eth0 ipv6-addr: 2001:4200:3:1:204:b4ff:fec7:faa4/64  gw: 2001:4200:3:1:203:75ff:fee8:3275 |
|                                     APACHE                                                   |
------------------------------------------------------------------------------------------------

Routing is fine; without ip6tables everything works.
My problem is that packets from the LAPTOP to the APACHE (and vice versa) go through all 3 chains: INPUT, OUTPUT and FORWARD.
If I don't make any rules, I have to set all 3 chains to ACCEPT to get packets through.
If I have INPUT and OUTPUT on DROP (FORWARD is on ACCEPT all the time), I especially need to allow packets to or from
port 80 or icmpv6 on the INPUT and OUTPUT chains. When I set either of these two chains to DROP without any special rule,
nothing works, not the http request or even the icmpv6. I thought all the time that the INPUT and OUTPUT chains are just for packets
which are for or from the local machine. Could it be that the firewall treats packets like this because the APACHE is in the same net
on a connected interface?
When I allow packets to the APACHE in the INPUT chain (let's assume the firewall routes packets through this chain because it is itself in the same net)
(default policy is DROP) and set the OUTPUT and FORWARD chains to ACCEPT, it still doesn't work.

As I understand the http://netfilter.org/documentation/HOWTO/de/packet-filtering-HOWTO-6.html, normally packets
which are not destined for the machine itself just go through the FORWARD chain. It's also under point #3 in this HOWTO:

If forwarding is enabled, and the packet is destined for another network interface (if you have another one),
then the packet goes rightwards on our diagram to the FORWARD chain. If it is ACCEPTed, it will be sent out.

If you have ANY questions about the net or the routing tables on particular machines, please ask.
I don't get it; any idea, HOWTO link, explanation, or solution *g* would be very nice. I'm willing to RTFM, but I don't know where this man is.

Thanks in advance. Philip

* Re: FORWARD-chain packets go through INPUT-chain ?
From: Jozsef Kadlecsik @ 2006-04-26  9:34 UTC (permalink / raw)
  To: Philip Westphal; +Cc: netfilter

On Wed, 26 Apr 2006, Philip Westphal wrote:

> I think my problem is quite simple, but I'm a little bit under pressure,
> and Google didn't help. I have a firewall machine with ip6tables
> running on it, and behind this firewall there is a webserver with
> apache2 running. The network looks like this:
[...]
> My problem is that packets from the LAPTOP to the APACHE (and
> vice versa) go through all 3 chains: INPUT, OUTPUT and FORWARD. If I
> don't make any rules, I have to set all 3 chains to ACCEPT to get
> packets through. If I have INPUT and OUTPUT on DROP (FORWARD is on
> ACCEPT all the time), I especially need to allow packets to or from port 80
> or icmpv6 on the INPUT and OUTPUT chains.

IPv6 is not just IPv4 with bumped up address space: ARP is replaced by ND
(Neighbour Discovery), which is performed over ICMPv6. So if you block
ICMPv6 completely in INPUT/OUTPUT, you actually disable IPv6.

Have a look at the IETF draft 'Best Current Practice for Filtering ICMPv6
Messages in Firewalls':

http://www.ietf.org/internet-drafts/draft-ietf-v6ops-icmpv6-filtering-bcp-01.txt

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
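As an added illustration of the reply above (example code, not from the thread or from netfilter.org): a minimal ip6tables policy for the FIREWALL box in the diagram that keeps INPUT/OUTPUT on DROP but admits the ICMPv6 types Neighbour Discovery and basic IPv6 operation need, so the box can still reach its neighbours while HTTP to the web server is handled in FORWARD only. The interface name eth0 as uplink, the use of conntrack and the type list (taken from the v6ops filtering BCP, later RFC 4890) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: rule set for the FIREWALL box in the diagram.
# INPUT and OUTPUT default to DROP, but the ICMPv6 needed for ND and basic IPv6
# operation is accepted; transit HTTP is allowed in FORWARD only.
# By default the rules are only printed; APPLY=1 hands them to ip6tables.
IP6T="${IP6T:-ip6tables}"
UPLINK="eth0"                                # assumed: interface facing the CISCO router
APACHE="2001:4200:3:1:204:b4ff:fec7:faa4"    # web server address from the diagram

# ICMPv6 the local stack must send and receive (RFC 4890 / the v6ops BCP draft).
ND_TYPES="133 135 136"        # router solicitation, neighbour solicitation/advertisement
ERR_TYPES="1 2 3 4 128 129"   # unreachable, packet-too-big, time-exceeded, param-problem, echo

# Emit the policy, one ip6tables argument string per line.
rules() {
    echo "-P INPUT DROP"; echo "-P OUTPUT DROP"; echo "-P FORWARD DROP"
    for chain in INPUT OUTPUT; do
        # Genuine ND packets always carry hop limit 255; anything else is dropped by policy.
        for t in $ND_TYPES; do
            echo "-A $chain -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
        done
        for t in $ERR_TYPES; do
            echo "-A $chain -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
        done
    done
    # Router advertisements (134) are trusted only from the uplink; this box sends none.
    echo "-A INPUT -i $UPLINK -p ipv6-icmp --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT"
    # Transit traffic lives in FORWARD: the firewall itself needs no port 80 in INPUT/OUTPUT.
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -p tcp -d $APACHE --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT"
    # Forwarded flows still need packet-too-big for path MTU discovery.
    echo "-A FORWARD -p ipv6-icmp --icmpv6-type 2 -j ACCEPT"
}

# Count generated rule lines matching a pattern (sanity check of the policy).
count_matching() { rules | grep -c -- "$1" || true; }

if [ "${APPLY:-0}" = "1" ]; then
    rules | while read -r args; do $IP6T $args; done   # word splitting is intended
else
    rules | sed "s/^/$IP6T /"
fi
```

With APPLY unset the script prints the ip6tables commands for review, which is also the quickest way to confirm that no port 80 rule ever lands in INPUT or OUTPUT.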