[LARTC] Routing fundamentals

[LARTC] Routing fundamentals

[Kjell Chris Flor]

Hi,

Tell me if I understand this right.

For a packet that is not for local host,
but comes in on one interface and goes 
out on another;

Will that packet traverse PREROTING, FORWARD and POSTROUTING
on _both_ underface, or

will that packet traverse PREROTING, FORWARD and POSTROUTING
only once, where PREROTING is when a packet "is in" the incoming
physical interface, and is in FORWARD and POSTROUTING when
the packet "is in" the outgoing interfave?


regards,

Kjell


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Routing fundamentals

[Stef Coene]

On Friday 28 March 2003 06:14, Kjell Chris Flor wrote:
> Hi,
>
> Tell me if I understand this right.
>
> For a packet that is not for local host,
> but comes in on one interface and goes
> out on another;
>
> Will that packet traverse PREROTING, FORWARD and POSTROUTING
> on _both_ underface, or
>
> will that packet traverse PREROTING, FORWARD and POSTROUTING
> only once, where PREROTING is when a packet "is in" the incoming
> physical interface, and is in FORWARD and POSTROUTING when
> the packet "is in" the outgoing interfave?
Maybe this can help :
http://www.docum.org/stef.coene/qos/kptd/

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Routing fundamentals

[Kjell Chris Flor]

> > For a packet that is not for local host,
> > but comes in on one interface and goes
> > out on another;
(1)
> > Will that packet traverse PREROTING, FORWARD and POSTROUTING
> > on _both_ underface, or
(2)
> > will that packet traverse PREROTING, FORWARD and POSTROUTING
> > only once, where PREROTING is when a packet "is in" the incoming
> > physical interface, and is in FORWARD and POSTROUTING when
> > the packet "is in" the outgoing interfave?
> >
> Maybe this can help :
> http://www.docum.org/stef.coene/qos/kptd/

No. It would help if you told me what is right.
The figure I got from before, and really don't
rule out number one.


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Routing fundamentals

[Erik S. Johansen]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 28 March 2003 07:14, Kjell Chris Flor wrote:
> Hi,
>
> Tell me if I understand this right.
>
> For a packet that is not for local host,
> but comes in on one interface and goes
> out on another;
>
> Will that packet traverse PREROTING, FORWARD and POSTROUTING
> on _both_ underface, or
>
> will that packet traverse PREROTING, FORWARD and POSTROUTING
> only once, where PREROTING is when a packet "is in" the incoming
> physical interface, and is in FORWARD and POSTROUTING when
> the packet "is in" the outgoing interfave?

I believe this ASCII to be correct, but I'm not certain so a verification from 
someone would be appreciated. 


   --------                    -------------------
  | Device |                  | Local application |
   ---|----                    -----|-------------
      |                             |
      V                             |
      |                             |
   ___|_______________           ___|_______________
  /                   \         /                   \
 | Connection Tracking |       | Connection Tracking |
 |  |                  |       |  |                  |
 | mangle/PREROUTING   |       | mangle/OUTPUT       |
 |  |                  |       |  |                  |
 | nat/PREROUTING      |       | nat/OUTPUT          |
 |                     |       |  |                  |
 |                     |       | filter/OUTPUT       |
  \___ _______________/         \___ _______________/
      |                                   |
      |                                   |
      |                                   V 
      |                                   |
      |                               ----|----
      V                              | Routing |
      |                               ----|----
      |                                   |
      |                                   V
      |                 ______________    |
   ---|-----           /              \   |
  | Routing |--->-----| filter/FORWARD |---
   ---|-----           \______________/   |        
      |                                   |        
      V                                   V         
      |                                   |           
   ___|_________________          ________|__________
  /                     \        /                   \ 
 | filter/INPUT          |      | nat/POSTROUTING     |
 |  |                    |      |  |                  |
 | Connection Tracking   |      | Connection Tracking |
  \___ _________________/        \________ __________/
      |                                   |
      |                                   |
      V                                   V
      |                                   |
      |                                   |
  ----|---------------                 --------
 |  Local application |               | Device |
  --------------------                 --------


- --Erik
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+hHxZds9m9uhAobARArrzAJ93Ia6VFxiS8Cx92+M/nfvBxVucpwCeJByZ
kvCpV+lKDHmSCBIi5rutlig=QSJn
-----END PGP SIGNATURE-----

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Routing fundamentals

[Martin A. Brown]

Kjell,

Let me try a slightly different tack.....one of the fundamental
differences between ipchains and iptables is identified and explored in
varying depths here:

  http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-10.html
  http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO.netfilter_hooks.html

[ Apparently, I wrote a similar statement about ipchains vs. iptables in
  July of last year...the beauty of a bad memory is that I can learn
  things anew by re-reading things I once knew! ]

  http://lists.insecure.org/lists/firewall-wizards/2002/Jul/0228.html

In ipchains, each incoming packet hit input, forward and output chains,
which only filtered packets (OK, OK, and masqueraded).

In iptables, every incoming packet traverses the PREROUTING chains in the
conntrack (implicit), mangle and nat tables.  In the PREROUTING chains,
you have access to --in-interface (-i) $RECEIVE_IF.  In the PREROUTING
chain, an output interface makes no sense, because we have no idea about
where the packet is going!

Now that the PREROUTING chain has been passed, we'll route!  After
routing, (and assuming the packet is bound for a non-local destination),
the packet will enter the FORWARD chain.  Now, we know both --in-interface
$RECEIVE_IF and --out-interface (-o) $TRANSMIT_IF, so both options can be
used.

POSTROUTING is just about the last thing before the packet is handed off
to the much misunderstood traffic control system.  And in this
chain, you'll see nalogous behaviour...the --in-interface option is not
available.

Does that answer your question?

-Martin

 : > > For a packet that is not for local host,
 : > > but comes in on one interface and goes
 : > > out on another;
 : (1)
 : > > Will that packet traverse PREROTING, FORWARD and POSTROUTING
 : > > on _both_ underface, or
 : (2)
 : > > will that packet traverse PREROTING, FORWARD and POSTROUTING
 : > > only once, where PREROTING is when a packet "is in" the incoming
 : > > physical interface, and is in FORWARD and POSTROUTING when
 : > > the packet "is in" the outgoing interfave?
 : > >
 : > Maybe this can help :
 : > http://www.docum.org/stef.coene/qos/kptd/
 :
 : No. It would help if you told me what is right.
 : The figure I got from before, and really don't
 : rule out number one.
 :
 :
 : _______________________________________________
 : LARTC mailing list / LARTC@mailman.ds9a.nl
 : http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
 :

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Routing fundamentals

[Martin A. Brown]

Aigh!

Upon re-reading, I must add that the linuxvirtualserver.org link is not
appropriate in this answer.  Sorry for my confusion--please ignore the
Joseph.Mack LVS-HOWTO link for the purposes of this answer.

Apologies,

-Martin

 : Kjell,
 :
 : Let me try a slightly different tack.....one of the fundamental
 : differences between ipchains and iptables is identified and explored in
 : varying depths here:
 :
 :   http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-10.html
 :   http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO.netfilter_hooks.html
 :
 : [ Apparently, I wrote a similar statement about ipchains vs. iptables in
 :   July of last year...the beauty of a bad memory is that I can learn
 :   things anew by re-reading things I once knew! ]
 :
 :   http://lists.insecure.org/lists/firewall-wizards/2002/Jul/0228.html
 :
 : In ipchains, each incoming packet hit input, forward and output chains,
 : which only filtered packets (OK, OK, and masqueraded).
 :
 : In iptables, every incoming packet traverses the PREROUTING chains in the
 : conntrack (implicit), mangle and nat tables.  In the PREROUTING chains,
 : you have access to --in-interface (-i) $RECEIVE_IF.  In the PREROUTING
 : chain, an output interface makes no sense, because we have no idea about
 : where the packet is going!
 :
 : Now that the PREROUTING chain has been passed, we'll route!  After
 : routing, (and assuming the packet is bound for a non-local destination),
 : the packet will enter the FORWARD chain.  Now, we know both --in-interface
 : $RECEIVE_IF and --out-interface (-o) $TRANSMIT_IF, so both options can be
 : used.
 :
 : POSTROUTING is just about the last thing before the packet is handed off
 : to the much misunderstood traffic control system.  And in this
 : chain, you'll see nalogous behaviour...the --in-interface option is not
 : available.
 :
 : Does that answer your question?
 :
 : -Martin
 :
 :  : > > For a packet that is not for local host,
 :  : > > but comes in on one interface and goes
 :  : > > out on another;
 :  : (1)
 :  : > > Will that packet traverse PREROTING, FORWARD and POSTROUTING
 :  : > > on _both_ underface, or
 :  : (2)
 :  : > > will that packet traverse PREROTING, FORWARD and POSTROUTING
 :  : > > only once, where PREROTING is when a packet "is in" the incoming
 :  : > > physical interface, and is in FORWARD and POSTROUTING when
 :  : > > the packet "is in" the outgoing interfave?
 :  : > >
 :  : > Maybe this can help :
 :  : > http://www.docum.org/stef.coene/qos/kptd/
 :  :
 :  : No. It would help if you told me what is right.
 :  : The figure I got from before, and really don't
 :  : rule out number one.
 :  :
 :  :
 :  : _______________________________________________
 :  : LARTC mailing list / LARTC@mailman.ds9a.nl
 :  : http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
 :  :
 :
 :

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/