Need help with basic understanding of IPtables

Need help with basic understanding of IPtables

[Bob Von Ilten]

I have just installed IPtables and have been reading as many FAQs as I
can stand, (which come to think of it may be part of my problem :-) ) at
any rate I have come to a basic understanding that the INPUT and OUTPUT
chains of the filter table refer to the following.  Please correct me if
I am wrong.  The INPUT chain refers to packets that are entering the
TCP/IP protocol stack from any interface not just the NIC or NICs
connected to the internet.  The OUTPUT chain refers to packets that are
leaving the stack for some destination either on the internet or on the
LAN.  The NAT table is used for any packets that are in transition
between INPUT and OUTPUT.

Bob Von Ilten
Director of Info Sys
Holt Public Schools

Re: Need help with basic understanding of IPtables

[Jason Opperisano]

On Mon, Oct 25, 2004 at 02:41:41PM -0400, Bob Von Ilten wrote:
> I have just installed IPtables and have been reading as many FAQs as I
> can stand, (which come to think of it may be part of my problem :-) ) at
> any rate I have come to a basic understanding that the INPUT and OUTPUT
> chains of the filter table refer to the following.  Please correct me if
> I am wrong.  The INPUT chain refers to packets that are entering the
> TCP/IP protocol stack from any interface not just the NIC or NICs
> connected to the internet.  The OUTPUT chain refers to packets that are
> leaving the stack for some destination either on the internet or on the
> LAN.  The NAT table is used for any packets that are in transition
> between INPUT and OUTPUT.

no--not even close.

INPUT is for packets whose DESTINATION is a local IP address on this
machine

OUTPUT is for packets whose SOURCE is a local IP address on this machine

FORWARD is for packets whose SOURCE and DESTINATION are not a local
IP address on this machine

those three chains are the built-in chains of the FILTER table.

in addition to the FILTER table, you also have the NAT and MANGLE
tables.

while there is nothing stopping you from performing filtering in the NAT
or MANGLE tables, the targets that perform NAT and MANGLING are only
valid in those respective tables.  for example, the MASQUERADE target is
only valid in the POSTROUTING chain of the NAT table.

have you been reading:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html

specifically:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TRAVERSINGOFTABLES

-j

-- 
Jason Opperisano <opie@817west.com>

Re: Need help with basic understanding of IPtables

[Kenneth Porter]

--On Monday, October 25, 2004 3:38 PM -0400 Jason Opperisano 
<opie@817west.com> wrote:

> a local IP address on this machine

Also note that this includes virtual interfaces, tunnel interfaces (the 
tun/tap driver, typically used in VPN's), and the loopback interface. It's 
not just NIC's.

Re: Need help with basic understanding of IPtables

[Jason Opperisano]

On Mon, Oct 25, 2004 at 12:50:50PM -0700, Kenneth Porter wrote:
> --On Monday, October 25, 2004 3:38 PM -0400 Jason Opperisano 
> <opie@817west.com> wrote:
> 
> >a local IP address on this machine
> 
> Also note that this includes virtual interfaces, tunnel interfaces (the 
> tun/tap driver, typically used in VPN's), and the loopback interface. It's 
> not just NIC's.

which is why i said "a local IP address on this machine" and not "a
physical interface on this machine."

-j

-- 
Jason Opperisano <opie@817west.com>

Re: Need help with basic understanding of IPtables

[Frank Gruellich]

* Kenneth Porter <shiva@sewingwitch.com> 25. Oct 04:
> --On Monday, October 25, 2004 3:38 PM -0400 Jason Opperisano 
> <opie@817west.com> wrote:
> >a local IP address on this machine
> Also note that this includes virtual interfaces, tunnel interfaces (the 
> tun/tap driver, typically used in VPN's), and the loopback interface. It's 
> not just NIC's.

IP numbers belong to the IP stack and have nothing to do with
interfaces.  This idea is completely useless, forget it, this will make
things (eg. routing) a lot more understandable.  From this point of
view, Jasons posting is IMHO very clear.

 Regards, Frank.
-- 
Sigmentation fault

Re: Need help with basic understanding of IPtables

[Kenneth Porter]

--On Monday, October 25, 2004 10:01 PM +0200 Frank Gruellich 
<frank@der-frank.org> wrote:

> IP numbers belong to the IP stack and have nothing to do with
> interfaces.  This idea is completely useless, forget it, this will make
> things (eg. routing) a lot more understandable.  From this point of
> view, Jasons posting is IMHO very clear.

I only point it out because not everyone knows that there's a difference, 
and may think that the non-NIC interfaces are immune. I remember setting up 
my first ipchains firewall and thinking it odd that I needed explicit rules 
for the loopback interface, but it makes perfect sense in hindsight.

Re: Need help with basic understanding of IPtables

[Les Mikesell]

On Mon, 2004-10-25 at 16:23, Kenneth Porter wrote:

> > IP numbers belong to the IP stack and have nothing to do with
> > interfaces.  This idea is completely useless, forget it, this will make
> > things (eg. routing) a lot more understandable.  From this point of
> > view, Jasons posting is IMHO very clear.
> 
> I only point it out because not everyone knows that there's a difference, 
> and may think that the non-NIC interfaces are immune. I remember setting up 
> my first ipchains firewall and thinking it odd that I needed explicit rules 
> for the loopback interface, but it makes perfect sense in hindsight.

The part that I think is weird is that NAT may be tied to an interface
when first applied, but even if routes are changed so that packets
to a particular address no longer go through that interface, any
that have an entry in the ip_conntrack table continue to have
the NAT applied.  Is this intentional?

---
  Les Mikesell
   les@futuresource.com

RE: Need help with basic understanding of IPtables

[Daniel Chemko]

Unfortunately, your description is all wrong. Please refer to this
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TRAVERSING
OFTABLES for info.