* How do you correctly interpret the FORWARD chain interface options?
@ 2010-02-09 13:17 paddy joesoap
  2010-02-09 13:25 ` Richard Horton
  0 siblings, 1 reply; 8+ messages in thread
From: paddy joesoap @ 2010-02-09 13:17 UTC (permalink / raw)
  To: netfilter

Hi All,

How should one interpret the inbound ("-i") and outbound ("-o") options of the
FORWARD chain?

Suppose I have a firewall that protects a Web server and, bearing in
mind that the default deny policy is applied to the FORWARD chain, which of
the following is correct?

External Firewall interface = eth0
Internal Firewall interface = eth1

(1)

iptables -A FORWARD -i eth0 -p tcp -d webServIP -j ACCEPT
iptables -A FORWARD -o eth1 -p tcp -s webServIP -j ACCEPT

where the "-i" is taken to mean inbound no matter what interface the
packet is sourced from and "-o" means outbound.

In that, Netfilter will see "-i" as coming from outside the network
and thereby will not expect to see "-o" rules for the same eth0
interface. Similarly, Netfilter knows that eth1 does not need to
specify -i rules and eth1 will be used for OUTBOUND traffic control.

(2)

iptables -A FORWARD -i eth0 -p tcp -d webServIP -j ACCEPT # only uses inbound option
iptables -A FORWARD -i eth1 -p tcp -s webServIP -j ACCEPT # only uses inbound option !!!

where the second rule examines OUTBOUND traffic on the way in ("-i") to
eth1. If this is OK, then it's OK to be forwarded to the external
interface.


(3)

iptables -A FORWARD -i eth0 -p tcp -d webServIP -j ACCEPT # same interface
iptables -A FORWARD -o eth0 -p tcp -s webServIP -j ACCEPT # same interface

where the second rule examines OUTBOUND traffic on the same interface
used to look at inbound traffic.

(4)

iptables -A FORWARD -i eth0 -p tcp -d webServIP -j ACCEPT # inbound filtering
iptables -A FORWARD -i eth1 -p tcp -s webServIP -j ACCEPT # inbound filtering of original outbound traffic
iptables -A FORWARD -o eth0 -p tcp -d webServIP -j ACCEPT # outbound filtering of original inbound traffic
iptables -A FORWARD -o eth1 -p tcp -s webServIP -j ACCEPT # outbound filtering

where we must inspect traffic inbound on an interface and outbound on
the same interface.

Presumably, if traffic is inbound from the Internet towards the Web
server, it must be checked with the "-i" option on eth0. If it is
allowed then it will hit the internal interface before being handed to
the Web server. Does eth0 need to explicitly define an incoming and/or
outgoing rule for this inbound traffic so that the default FORWARD
policy does not reject the traffic?

regards,
Paddie.


* Re: How do you correctly interpret the FORWARD chain interface  options?
  2010-02-09 13:17 How do you correctly interpret the FORWARD chain interface options? paddy joesoap
@ 2010-02-09 13:25 ` Richard Horton
  2010-02-09 15:23   ` paddy joesoap
  0 siblings, 1 reply; 8+ messages in thread
From: Richard Horton @ 2010-02-09 13:25 UTC (permalink / raw)
  To: paddy joesoap; +Cc: netfilter

On 9 February 2010 13:17, paddy joesoap <paddyjoesoap@gmail.com> wrote:
> Hi All,
>
> How should one interpret the inbound ("-i") and outbound ("-o") of the
> FORWARD chain.
>


-i refers to the interface the packet is received on.
-o refers to the interface the packet is routed out on.



-- 
Richard Horton
Users are like a virus: Each causing a thousand tiny crises until the
host finally dies.
http://www.solstans.co.uk - Solstans Japanese Bobtails and Norwegian Forest Cats
http://www.pbase.com/arimus - My online photogallery


* Re: How do you correctly interpret the FORWARD chain interface  options?
  2010-02-09 13:25 ` Richard Horton
@ 2010-02-09 15:23   ` paddy joesoap
  2010-02-09 15:50     ` paddy joesoap
  2010-02-09 15:57     ` Покотиленко Костик
  0 siblings, 2 replies; 8+ messages in thread
From: paddy joesoap @ 2010-02-09 15:23 UTC (permalink / raw)
  To: Richard Horton; +Cc: netfilter

On Tue, Feb 9, 2010 at 1:25 PM, Richard Horton <arimus.uk@googlemail.com> wrote:
> On 9 February 2010 13:17, paddy joesoap <paddyjoesoap@gmail.com> wrote:
>> Hi All,
>>
>> How should one interpret the inbound ("-i") and outbound ("-o") of the
>> FORWARD chain.
>>
>
>
> -i refers to the interface the packet is received on.
> -o refers to the interface the packet is routed out on.
>
>

Does this mean that both versions below are equivalent or at least do
the same job?

(1)

iptables -A FORWARD -i eth0 -p tcp -d webServIP -j ACCEPT
iptables -A FORWARD -o eth1 -p tcp -s webServIP -j ACCEPT

Because a packet will enter eth0 for the internal network and a packet
will leave eth1 (pushed towards eth0).

(2)

iptables -A FORWARD -i eth0 -p tcp -d webServIP -j ACCEPT
iptables -A FORWARD -o eth0 -p tcp -s webServIP -j ACCEPT

Because a packet will enter eth0 to be forwarded internally and a
packet will also enter eth0 when leaving the network.




* Re: How do you correctly interpret the FORWARD chain interface  options?
  2010-02-09 15:23   ` paddy joesoap
@ 2010-02-09 15:50     ` paddy joesoap
  2010-02-09 16:00       ` Покотиленко Костик
  2010-02-09 15:57     ` Покотиленко Костик
  1 sibling, 1 reply; 8+ messages in thread
From: paddy joesoap @ 2010-02-09 15:50 UTC (permalink / raw)
  To: Richard Horton; +Cc: netfilter

On Tue, Feb 9, 2010 at 3:23 PM, paddy joesoap <paddyjoesoap@gmail.com> wrote:
> On Tue, Feb 9, 2010 at 1:25 PM, Richard Horton <arimus.uk@googlemail.com> wrote:
>> On 9 February 2010 13:17, paddy joesoap <paddyjoesoap@gmail.com> wrote:
>>> Hi All,
>>>
>>> How should one interpret the inbound ("-i") and outbound ("-o") of the
>>> FORWARD chain.
>>>
>>
>>
>> -i refers to the interface the packet is received on.
>> -o refers to the interface the packet is routed out on.
>>
>>
>

Ignore last email (spotted an error in the example rules).

I think I get what Richard is saying now.

The following two rule-sets are equivalent; it just depends where you
decide to filter.

Am I correct?

 iptables -A FORWARD -i eth0 -p tcp -s 0/0 -d webServIP --dport 80 -j ACCEPT
 iptables -A FORWARD -o eth0 -p tcp -s webServIP --sport 80 -d 0/0 -j ACCEPT

 iptables -A FORWARD -o eth1 -p tcp -s 0/0 -d webServIP --dport 80 -j ACCEPT
 iptables -A FORWARD -i eth1 -p tcp -s webServIP --sport 80 -d 0/0 -j ACCEPT

In some sense writing the 4 rules leads to duplication, in that,
applying just two will suffice.





* Re: How do you correctly interpret the FORWARD chain interface  options?
  2010-02-09 15:23   ` paddy joesoap
  2010-02-09 15:50     ` paddy joesoap
@ 2010-02-09 15:57     ` Покотиленко Костик
  2010-02-09 16:36       ` Mart Frauenlob
  1 sibling, 1 reply; 8+ messages in thread
From: Покотиленко Костик @ 2010-02-09 15:57 UTC (permalink / raw)
  To: paddy joesoap; +Cc: Richard Horton, netfilter

On Tue, 09/02/2010 at 15:23 +0000, paddy joesoap wrote:
> On Tue, Feb 9, 2010 at 1:25 PM, Richard Horton <arimus.uk@googlemail.com> wrote:
> > On 9 February 2010 13:17, paddy joesoap <paddyjoesoap@gmail.com> wrote:
> >> Hi All,
> >>
> >> How should one interpret the inbound ("-i") and outbound ("-o") of the
> >> FORWARD chain.
> >>
> >
> >
> > -i refers to the interface the packet is received on.
> > -o refers to the interface the packet is routed out on.
> >
> >
> 
> Does this mean that both versions below are equivalent or at least do
> the same job?

Not at all.

> (1)
> 
> iptables -A FORWARD -i eth0 -p tcp -d webServIP -j ACCEPT

This rule will match packets sent from "client" to a webServIP.

> iptables -A FORWARD -o eth1 -p tcp -s webServIP -j ACCEPT

Considering that webServIP is located in the network connected to eth1, this
rule will not match, because packets sent out of eth1 cannot have
webServIP as their source address.

> Because a packet will enter eth0 for internal network and a packet
> will leave eth1 (pushed towards eth0).
> 
> (2)
> 
> iptables -A FORWARD -i eth0 -p tcp -d webServIP -j ACCEPT

This rule will match packets sent from "client" to a webServIP.

> iptables -A FORWARD -o eth0 -p tcp -s webServIP -j ACCEPT

This rule will match packets sent from webServIP to "client".

> Because a packet will enter eth0 to be forwarded internally and a
> packet will also enter eth0 when leaving the network.

When a packet enters and leaves the same interface (eth0), that isn't actually
routing.

Considering that webServIP is located in the network connected to eth1 and
the clients talking to the server are located in the network connected to eth0, you
can use these rules:

iptables -A FORWARD -i eth0 -p tcp -d webServIP -j ACCEPT
iptables -A FORWARD -o eth1 -p tcp -d webServIP -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp -d webServIP -j ACCEPT

Each of those 3 rules will do the same job; you can use any one of them.
They will match packets sent from "clients" to "server".

iptables -A FORWARD -i eth1 -p tcp -s webServIP -j ACCEPT
iptables -A FORWARD -o eth0 -p tcp -s webServIP -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp -s webServIP -j ACCEPT

Each of these 3 rules will do the same job; you can use any one of them. They
will match packets sent from "servers" to "clients".

As you probably already know, each connection from client to server sends
packets in both directions regardless of what you are doing, downloading
or uploading.

For example, if you want to only allow web traffic (port 80) from
"clients" to "server", you would have to use rules like these:

iptables -A FORWARD -i eth0 -o eth1 -d webServIP -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -s webServIP -p tcp --sport 80 -j ACCEPT

-- 
Покотиленко Костик <casper@meteor.dp.ua>



* Re: How do you correctly interpret the FORWARD chain interface  options?
  2010-02-09 15:50     ` paddy joesoap
@ 2010-02-09 16:00       ` Покотиленко Костик
  2010-02-09 16:16         ` paddy joesoap
  0 siblings, 1 reply; 8+ messages in thread
From: Покотиленко Костик @ 2010-02-09 16:00 UTC (permalink / raw)
  To: paddy joesoap; +Cc: Richard Horton, netfilter

On Tue, 09/02/2010 at 15:50 +0000, paddy joesoap wrote:
> On Tue, Feb 9, 2010 at 3:23 PM, paddy joesoap <paddyjoesoap@gmail.com> wrote:
> > On Tue, Feb 9, 2010 at 1:25 PM, Richard Horton <arimus.uk@googlemail.com> wrote:
> >> On 9 February 2010 13:17, paddy joesoap <paddyjoesoap@gmail.com> wrote:
> >>> Hi All,
> >>>
> >>> How should one interpret the inbound ("-i") and outbound ("-o") of the
> >>> FORWARD chain.
> >>>
> >>
> >>
> >> -i refers to the interface the packet is received on.
> >> -o refers to the interface the packet is routed out on.
> >>
> >>
> >
> 
> Ignore last email (spotted an error in the example rules).
> 
> I think I get what Richard is saying now.
> 
> The following two rules-set are equivalent, it just depends where you
> decide to filter.
> 
> Am I correct?
> 
>  iptables -A FORWARD -i eth0 -p tcp -s 0/0 -d webServIP --dport 80 -j ACCEPT
>  iptables -A FORWARD -o eth0 -p tcp -s webServIP --sport 80 -d 0/0 -j ACCEPT
> 
>  iptables -A FORWARD -o eth1 -p tcp -s 0/0 -d webServIP --dport 80 -j ACCEPT
>  iptables -A FORWARD -i eth1 -p tcp -s webServIP --sport 80 -d 0/0 -j ACCEPT
> 
> In some sense writing the 4 rules leads to duplication, in that,
> applying just two will suffice.

This is correct.

-- 
Покотиленко Костик <casper@meteor.dp.ua>



* Re: How do you correctly interpret the FORWARD chain interface  options?
  2010-02-09 16:00       ` Покотиленко Костик
@ 2010-02-09 16:16         ` paddy joesoap
  0 siblings, 0 replies; 8+ messages in thread
From: paddy joesoap @ 2010-02-09 16:16 UTC (permalink / raw)
  To: Покотиленко Костик
  Cc: Richard Horton, netfilter

Richard,

Thanks for clearing that up.


Thanks Richard. I'm slow to catch on ;-)

This leads me to a new question about how the default policy is executed.

Let's suppose I only examine the inbound "-i" option, that is, allow
inbound external traffic and allow inbound internal traffic.

# Client Request
iptables -A FORWARD -i eth0 -p tcp -s 0/0 -d webServIP --dport 80 -j ACCEPT
# Server Response
iptables -A FORWARD -i eth1 -p tcp -s webServIP --sport 80 -d 0/0 -j ACCEPT

Presumably since the default FORWARD policy is DROP and because I have
not *explicitly* defined what should happen in the "-o" of both, then
packets will be dropped. That is, FORWARD rules always require a
counterpart for bi-directional communication.

So would it be wise to write generic outbound "-o" rules that trust
how the firewall treats outbound traffic in all cases?

iptables -A FORWARD -o eth0 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT

Then I only have to focus on one direction regarding the FORWARD
rule-set. It's just a way of reducing the number of rules I would have
to read or analyse. Perhaps this is a ridiculous thing to do!





* Re: How do you correctly interpret the FORWARD chain interface options?
  2010-02-09 15:57     ` Покотиленко Костик
@ 2010-02-09 16:36       ` Mart Frauenlob
  0 siblings, 0 replies; 8+ messages in thread
From: Mart Frauenlob @ 2010-02-09 16:36 UTC (permalink / raw)
  To: netfilter

On 09.02.2010 16:58, netfilter-owner@vger.kernel.org wrote:
Hello,

Taking the provided scenario (web server), it's most likely not wise not
to use the features of conntrack. Actually, if you do not use conntrack
for the web server, it would be advisable to set those packets to NOTRACK
in the raw table, thus saving system resources.

Now if one decides to use conntrack, place a rule (on top) into the
FORWARD chain allowing established (most likely also RELATED) traffic.

To allow the webserver traffic, all one has to do is, allow state NEW
traffic with destination IP of the web-server.

Now what interface to use within the rule?
Well for a firewall/router with one external and one internal (dmz)
interface, one might specify a match using both interfaces:
-i external_nic -o internal_nic

that will perfectly match the desired packets.
But if the network extends, you may have to rewrite those rules.
i.e. the network now has a second internet upstream provider and another
LAN.

For that case, one would need to duplicate those rules for every interface.

Now if you write your rules like this, they still match the desired
packets, but result in a faster and shorter rule-set:

-P FORWARD DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o $DMZ_IF -d $WEB_SERVER -m state --state NEW -p tcp --dport 80 -j ACCEPT

No matter from which external or internal interface the request/reply
came, the rules will match in a secure manner.

Best regards

Mart
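
The rule sets in this thread are only reasoned about in prose, so here is an added example (not code from the thread, from any of its authors, or from the netfilter project) that models how the FORWARD chain applies -i and -o for the topology Paddy described (eth0 external, eth1 internal, the web server on the eth1 network). It runs Paddy's option (1), the stateless port-80 pair from Kostik's reply, and Mart's conntrack-based set against three packets: the client's request, the server's reply, and a connection the server opens by itself from source port 80. The addresses, the one-line routing table and the conntrack model are assumptions made for the example; the conntrack model in particular is simplified (first packet of a flow is NEW, any later packet of an accepted flow in either direction is ESTABLISHED, RELATED is never produced), so it shows the matching logic, not the kernel's full TCP tracking.

```python
"""Added example: a small model of how the FORWARD chain matches -i / -o.

Topology from the thread: eth0 is the external interface, eth1 the internal
one, and webServIP sits on the eth1 network. Addresses below are constructed
for the example. Only TCP is modelled, and the conntrack model is simplified:
the first packet of a 5-tuple is NEW and any later packet of an accepted flow,
in either direction, is ESTABLISHED (real conntrack also tracks TCP state and
RELATED flows, which are not needed to show the point).
"""
from dataclasses import dataclass
from typing import Optional

WEB = "10.0.1.80"          # constructed: webServIP, on the eth1 network
CLIENT = "203.0.113.5"     # constructed: a client on the Internet side (eth0)
OTHER = "198.51.100.9"     # constructed: a host nobody asked the server to talk to
INTERNAL_PREFIX = "10.0.1."


def route(dst: str) -> str:
    """Routing decision: the eth1 subnet goes out eth1, everything else out eth0."""
    return "eth1" if dst.startswith(INTERNAL_PREFIX) else "eth0"


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    in_dev: str            # what -i sees: the interface the packet arrived on

    @property
    def out_dev(self) -> str:
        return route(self.dst)   # what -o sees: the interface it is routed out on


@dataclass
class Rule:
    """One FORWARD rule; None means 'not specified', i.e. matches anything."""
    target: str
    i: Optional[str] = None
    o: Optional[str] = None
    s: Optional[str] = None
    d: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    state: Optional[str] = None   # e.g. "NEW" or "ESTABLISHED,RELATED"

    def matches(self, pkt: Packet, ctstate: str) -> bool:
        wanted = [(self.i, pkt.in_dev), (self.o, pkt.out_dev), (self.s, pkt.src),
                  (self.d, pkt.dst), (self.sport, pkt.sport), (self.dport, pkt.dport)]
        if any(want is not None and want != got for want, got in wanted):
            return False
        return self.state is None or ctstate in self.state.split(",")


def forward(rules, packets, policy="DROP"):
    """Run packets through the chain in order and return one verdict per packet.
    A flow enters the conntrack table only once a packet of it has been accepted."""
    flows = set()
    verdicts = []
    for pkt in packets:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        ctstate = "ESTABLISHED" if (fwd in flows or rev in flows) else "NEW"
        verdict = next((r.target for r in rules if r.matches(pkt, ctstate)), policy)
        if verdict == "ACCEPT":
            flows.add(fwd)
        verdicts.append(verdict)
    return verdicts


# Three packets: the client's request, the server's reply, and a connection the
# server opens on its own from source port 80 to a host that never asked for it.
PACKETS = [
    Packet(CLIENT, WEB, 40000, 80, "eth0"),
    Packet(WEB, CLIENT, 80, 40000, "eth1"),
    Packet(WEB, OTHER, 80, 443, "eth1"),
]

RULESETS = {
    # Paddy's option (1): '-o eth1 -s webServIP' never matches, as Kostik says,
    # because nothing routed out eth1 carries the server's address as source.
    "paddy_1": [Rule("ACCEPT", i="eth0", d=WEB),
                Rule("ACCEPT", o="eth1", s=WEB)],
    # Kostik's stateless port-80 pair: request and reply both pass, and so does
    # anything else the server sends from source port 80.
    "kostik_port80": [Rule("ACCEPT", i="eth0", o="eth1", d=WEB, dport=80),
                      Rule("ACCEPT", i="eth1", o="eth0", s=WEB, sport=80)],
    # Mart's conntrack version: the reply rides on ESTABLISHED; only NEW
    # connections *to* the server on port 80 are allowed, so the third is dropped.
    "mart_conntrack": [Rule("ACCEPT", state="ESTABLISHED,RELATED"),
                       Rule("ACCEPT", o="eth1", d=WEB, dport=80, state="NEW")],
}


def run_all():
    """Verdicts per rule set, in PACKETS order: [request, reply, server-initiated]."""
    return {name: forward(rules, PACKETS) for name, rules in RULESETS.items()}


if __name__ == "__main__":
    for name, verdicts in run_all().items():
        print(f"{name:15s} {verdicts}")
```

Packet order matters: Mart's set only accepts the reply because the request was accepted first and so confirmed the flow, which is the same reason the ESTABLISHED,RELATED rule can sit at the top of a real chain. On a real box the equivalent check is to read the packet counters from `iptables -L FORWARD -v -n` while sending each of the three packets.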

