From: Mart Frauenlob <mart.frauenlob@chello.at>
To: netfilter@vger.kernel.org
Subject: Re: Forward Chain: is Inbound traffic on eth0 not also Outbound depending on your view?
Date: Sun, 08 Nov 2009 13:00:11 +0100 [thread overview]
Message-ID: <4AF6B2CB.5090100@chello.at> (raw)
In-Reply-To: <4AF6B16C.506@chello.at>
Mart Frauenlob wrote:
> paddy joesoap wrote:
>> Dear Experts
>>
>> I am curious to know more about what FORWARD chain inbound and
>> outbound actually mean.
>>
>> Example firewall set-up below:
>>
>> Internet --- Firewall --- PC
>>
>> Firewall has 2 interfaces: eth0 = External and eth1 = Internal
>>
>> >From what I can gather from the Netfilter website, all I need to do is
>> create are inbound and outbound rules on the FORWARD chain.
>>
>> To allow inbound Internet access, I specify:
>>
>> FORWARD -i eth0
>>
>> To allow outbound PC access, I specify:
>>
>> FORWARD -o eth1
>>
>> The question is from whose perspective do you view what is inbound and
>> what is outbound?
>>
>> For example, in the case of the Internet client, traffic flowing
>> towards the firewall is indeed Inbound so naturally "FORWARD -i eth0"
>> is required. However, isn't it also Outbound on eth1, given that it
>> leaves interface eth1 to get to PC?
>>
>> Similarly, clients on the internal network think of their traffic as
>> being outbound only, but when traffic is being "forwarded" from eth1
>> to eth0 heading for the Internet, isn't that traffic classed as
>> Inbound on eth0?
>>
>> Do I need to create rules for this scenario also or is Netfilter
>> handling these implied situations?
>>
>> Beginner questions so apologies in advance.
>> Paddy.
>>
> Please read this carefully and if you still have questions, ask them
> afterwards:
>
> http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TRAVERSINGOFTABLES
>
> http://jengelh.medozas.de/images/nf-packet-flow.png
>
> but in short:
> INPUT chain = packets destined to your host
> OUTPUT chain = source of packets is your host
> FORWARD chain = source is external - destination is external address
> (forwarded, routed)
>
forgot to mention, it's your choice and may depend how exactly you
need/want a match, to specify either one or two interfaces in a FORWARD
chain rule. i.e.
iptables -A FORWARD -i eth1 -o eth0 ....
if you have only one LAN, a -o eth0 may be sufficient, but if you have
more than one LAN, you might prefer to use -i eth1 -o eth0.
regards
Mart
next prev parent reply other threads:[~2009-11-08 12:00 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-11-08 11:11 Forward Chain: is Inbound traffic on eth0 not also Outbound depending on your view? paddy joesoap
2009-11-08 11:54 ` Mart Frauenlob
2009-11-08 12:00 ` Mart Frauenlob [this message]
2009-11-08 14:21 ` Oskar Berggren
2009-11-08 14:44 ` paddy joesoap
2009-11-09 10:00 ` Mart Frauenlob
2009-11-09 10:17 ` paddy joesoap
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4AF6B2CB.5090100@chello.at \
--to=mart.frauenlob@chello.at \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.