From: "Martin A. Brown" <mabrown-lartc@securepipe.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Routing fundamentals
Date: Fri, 28 Mar 2003 19:32:26 +0000
Message-ID: <marc-lartc-104888003902009@msgid-missing>
In-Reply-To: <marc-lartc-104882855509686@msgid-missing>
Kjell,

Let me try a slightly different tack.....one of the fundamental
differences between ipchains and iptables is identified and explored in
varying depths here:

http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-10.html
http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO.netfilter_hooks.html

[ Apparently, I wrote a similar statement about ipchains vs. iptables in
July of last year...the beauty of a bad memory is that I can learn
things anew by re-reading things I once knew! ]

http://lists.insecure.org/lists/firewall-wizards/2002/Jul/0228.html

In ipchains, each incoming packet hit input, forward and output chains,
which only filtered packets (OK, OK, and masqueraded).

In iptables, every incoming packet traverses the PREROUTING chains in the
conntrack (implicit), mangle and nat tables. In the PREROUTING chains,
you have access to --in-interface (-i) $RECEIVE_IF. In the PREROUTING
chain, an output interface makes no sense, because we have no idea about
where the packet is going!

Now that the PREROUTING chain has been passed, we'll route! After
routing, (and assuming the packet is bound for a non-local destination),
the packet will enter the FORWARD chain. Now, we know both --in-interface
$RECEIVE_IF and --out-interface (-o) $TRANSMIT_IF, so both options can be
used.

POSTROUTING is just about the last thing before the packet is handed off
to the much misunderstood traffic control system. And in this
chain, you'll see analogous behaviour...the --in-interface option is not
available.

Does that answer your question?

-Martin

: > > For a packet that is not for local host,
: > > but comes in on one interface and goes
: > > out on another;
: (1)
: > > Will that packet traverse PREROUTING, FORWARD and POSTROUTING
: > > on _both_ interfaces, or
: (2)
: > > will that packet traverse PREROUTING, FORWARD and POSTROUTING
: > > only once, where PREROUTING is when a packet "is in" the incoming
: > > physical interface, and is in FORWARD and POSTROUTING when
: > > the packet "is in" the outgoing interface?
: > >
: > Maybe this can help :
: > http://www.docum.org/stef.coene/qos/kptd/
:
: No. It would help if you told me what is right.
: The figure I got from before, and really don't
: rule out number one.
:
:
: _______________________________________________
: LARTC mailing list / LARTC@mailman.ds9a.nl
: http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
:
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
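
[ Added example, not part of the message above and not netfilter project code: a small checker that reads a rules file in iptables-save layout before it is loaded and flags -i/-o matches placed in a chain where that interface is not yet (or no longer) known. The PREROUTING, FORWARD and POSTROUTING entries follow the message; the INPUT and OUTPUT entries, the names lint_rules, ALLOWED, OPTS and SAMPLE, and the sample rules are assumptions made for the example. ]

```python
import shlex

# Interface matches that make sense in each built-in chain. PREROUTING,
# FORWARD and POSTROUTING follow the message; INPUT and OUTPUT are added
# here by the same reasoning (assumption beyond the message).
ALLOWED = {
    "PREROUTING": {"in"}, "INPUT": {"in"},
    "FORWARD": {"in", "out"},
    "OUTPUT": {"out"}, "POSTROUTING": {"out"},
}
OPTS = {"-i": "in", "--in-interface": "in",
        "-o": "out", "--out-interface": "out"}

# Constructed sample in iptables-save layout, not taken from a real host.
SAMPLE = """\
*mangle
-A PREROUTING -i eth0 -j MARK --set-mark 1
-A PREROUTING -o eth1 -j MARK --set-mark 2
COMMIT
*filter
-A FORWARD -i eth0 -o eth1 -m comment --comment "both -i and -o known" -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING --in-interface eth0 -j MASQUERADE
COMMIT
"""

def lint_rules(text):
    """Return (line_no, table, chain, option) for each misplaced match."""
    findings, table = [], None
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith("*"):           # table header, e.g. *nat
            table = line[1:]
        if not line.startswith("-A "):     # only appended rules are checked
            continue
        tokens = shlex.split(line)         # keeps a quoted comment as one token
        allowed = ALLOWED.get(tokens[1])
        if allowed is None:                # user-defined chain: hook unknown
            continue
        for tok in tokens[2:]:
            if tok in OPTS and OPTS[tok] not in allowed:
                findings.append((no, table, tokens[1], tok))
    return findings

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE):
        print("line %d: table %s, chain %s: %s not usable here" % finding)
```
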