* Routing decision?
From: Wim Ceulemans @ 2003-09-15 8:49 UTC
To: netfilter; +Cc: pieter

Hi

In paragraph 6.2 of the iptables-tutorial the following is said:
"The OUTPUT chain is used for altering locally generated packets (i.e., on the firewall) before they get to the routing decision."

But in paragraph 3.1, the "Traversing of tables and chains" diagram, we see the "Routing decision" is listed after the "Local process" and BEFORE! the packet goes to the output chain.

So which one is right? Does the routing decision take place after or before the packet travels through the output chain?

Regards
--
Wim Ceulemans
R&D Engineer
Secure Internet Communication with aXs Guard
Able NV
Leuvensesteenweg 282 - B-3190 Boortmeerbeek - Belgium
Phone: + 32 15 50.44.00 - Fax: + 32 15 50.44.09
E-mail: wim.ceulemans@able.be
--
Security check on this e-mail has been done by aXs GUARD (http://www.axsguard.com)
* Re: Routing decision?
From: Ray Leach @ 2003-09-15 9:08 UTC
To: Netfilter Mailing List

On Mon, 2003-09-15 at 10:49, Wim Ceulemans wrote:
> In paragraph 6.2 of the iptables-tutorial the following is said:
> "The OUTPUT chain is used for altering locally generated packets (i.e.,
> on the firewall) before they get to the routing decision.
>
> But in paragraph 3.1, the "Traversing of tables and chains" diagram, we
> see the "Routing decision" is listed after the "Local process" and
> BEFORE! the packet goes to the output chain.
>
> So which one is right? Does the routing decision take place after or
> before the packet travels through the output chain?

Are you not getting confused with 'locally generated' and 'local process'? They are not the same thing.

--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
* Re: Routing decision?
From: Wim Ceulemans @ 2003-09-15 10:44 UTC
To: Netfilter Mailing List; +Cc: pieter

Hi Ray

In my opinion 'locally generated packets' can only be generated by a local process. So in the diagram where it says 'local process', that's where the 'locally generated packets' start their way through the kernel. Where's the difference?

Regards
Wim

Ray Leach wrote:
> Are you not getting confused with 'locally generated' and 'local
> process'. They are not the same thing.
* Re: Routing decision?
From: Ray Leach @ 2003-09-15 12:14 UTC
To: Netfilter Mailing List

On Mon, 2003-09-15 at 12:44, Wim Ceulemans wrote:
> In my opinion 'locally generated packets' can only be generated by a
> local process.
> So in the diagram where it says 'local process', that's where the
> 'locally generated packets' start
> their way through the kernel. Where's the difference?

What about packets that get SNATed? Where are they generated?
* Re: Routing decision?
From: Wim Ceulemans @ 2003-09-15 12:53 UTC
To: Ray Leach; +Cc: Netfilter Mailing List, pieter

Ray

Do you mean that if I masquerade all my packets behind the firewall, that they are considered as locally generated because due to the masquerading their source IP is changed?

This would mean that these packets would travel through the FORWARD chain and then through the OUTPUT chain. And then the 'Kernel packet travelling diagram' would be completely wrong, because packets come only in the OUTPUT chain if they originate from a local process.

Regards
Wim

Ray Leach wrote:
> What about packets that get SNATed?
> Where are they generated?
* Re: Routing decision?
From: Ray Leach @ 2003-09-15 13:09 UTC
To: Wim Ceulemans; +Cc: Netfilter Mailing List, pieter

On Mon, 2003-09-15 at 14:53, Wim Ceulemans wrote:
> Do you mean that if I masquerade all my packets behind the firewall,
> that they are
> considered as locally generated because due to the masquerading their
> source IP is changed?
>
> This would mean that these packets would travel through the FORWARD
> chain and then through
> the OUTPUT chain. And then the 'Kernel packet travelling diagram' would
> be completely wrong,
> because packets come only in the OUTPUT chain if they originate from a
> local process.

No, it was a question ... I don't think they are locally generated.

I think that the aliases on the interface have something to do with it. I have had to add input and output rules in some situations to get DNAT to work the way it is supposed to (redirect to a different destination). It is strange.
* Re: Routing decision?
From: Cedric Blancher @ 2003-09-15 13:31 UTC
To: Ray Leach; +Cc: Wim Ceulemans, Netfilter Mailing List, pieter

On Mon 15/09/2003 at 15:09, Ray Leach wrote:
> I think that the aliases on the interface have something to do with it.

Nope.
When you DNAT an IP address that does not belong to your DNATing box, there won't be anybody to answer the prior router's ARP requests on it, unless you either set an alias up or tell this router that the IP has to get routed through the DNATing box.

> I have had to add input and output rules in some situations to get DNAT
> to work the way it is supposed to (redirect to a different destination).
> It is strange.

Yes it is. I can get DNAT working without specifying any INPUT or OUTPUT chain. Can you illustrate a situation for which you have to specify INPUT and OUTPUT rules?

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
* Re: Routing decision?
From: Ray Leach @ 2003-09-15 13:46 UTC
To: Cedric Blancher; +Cc: Wim Ceulemans, Netfilter Mailing List, pieter

On Mon, 2003-09-15 at 15:31, Cedric Blancher wrote:
> Yes it is. I can get DNAT working without specifying any INPUT or OUTPUT
> chain. Can you illustrate a situation for which you have to specify
> INPUT and OUTPUT rules ?

Sure.

My firewall machine currently has 5 NICs, each with their own ip (one has a public ip - eth0).
eth0 has the public ip. It also has 10 alias ips.
eth1 has a private ip of 192.168.1.1.
eth1 network is my dmz with all the web servers from 192.168.1.165 to 192.168.1.173.

If I want to DNAT incoming traffic destined to one of the aliases bound to interface eth0 to a server in the dmz - eth1 192.168.1.165 (for example), then I need:
- a PREROUTING DNAT rule
- a FORWARD rule for each direction (eth0 -> eth1 and eth1 -> eth0)
- and an INPUT rule for eth0 alias ip.

Does that make sense?

If I remove the INPUT rule, my DNAT does not work, the packets get sent to the OUTPUT chain ...

Ray
* Re: Routing decision?
From: Cedric Blancher @ 2003-09-15 14:00 UTC
To: Ray Leach; +Cc: Wim Ceulemans, Netfilter Mailing List, pieter

On Mon 15/09/2003 at 15:46, Ray Leach wrote:
> My firewall machine currently has 5 NICs, each with their own ip (one
> has a public ip - eth0)
> eth0 has the public ip. It also has 10 alias ips.
> eth1 has a private ip of 192.168.1.1.
> eth1 network is my dmz with all the web servers from 192.168.1.165 to
> 192.168.1.173.
> If I want to DNAT incoming traffic destined to one of the aliases bound
> to interface eth0 to a server in the dmz - eth1 192.168.1.165 (for
> example), then I need :
> - a PREROUTING DNAT rule
> - a FORWARD rule for each direction (eth0 -> eth1 and eth1 -> eth0)
> - and an INPUT rule for eth0 alias ip.
> Does that make sense?

Not to me. Supposing the alias is set up (using iproute or ifconfig) I would do this (and I think you did this):

    iptables -t nat -A PREROUTING -d $ALIAS -i eth0 -j DNAT \
        --to 192.168.1.165
    iptables -A FORWARD -d 192.168.1.165 -i eth0 -o eth1 -j ACCEPT
    iptables -A FORWARD -s 192.168.1.165 -i eth1 -o eth0 -j ACCEPT

And that's all to set a DNAT for incoming packets.

> If I remove the INPUT rule, my DNAT does not work, the packets get sent
> to the OUTPUT chain ...

What is the INPUT rule? Once your packet gets DNATed in PREROUTING, it is not sent to NF_IP_LOCAL_IN, but to NF_IP_FORWARD. Thus, it does not cross the filter table INPUT chain. If packets go through the INPUT chain, that means they're still destined to the alias IP, so the DNAT rule did not match them.
And I do not see how packets could go to the OUTPUT chain as they're supposed to get routed, not locally generated... The only case I see is REDIRECT target use on a local proxy, so packets go through INPUT, then the proxy reply is sent through the OUTPUT chain.

I'm a bit lost on this one.
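A toy model of the traversal Cedric describes, added here as an illustration and not code from the thread, the iptables-tutorial or netfilter itself: a packet DNATed in PREROUTING is routed on its rewritten destination and lands in FORWARD, a packet to the alias that no DNAT rule matches lands in INPUT, and a REDIRECTed proxy request reaches INPUT while only the proxy's own reply crosses OUTPUT. The addresses, the prefix table and the rule list are constructed; for locally generated packets the model assumes the routing decision precedes OUTPUT, as in the tutorial's diagram, and leaves out the re-route after OUTPUT.

```python
"""Toy model of which netfilter chains one IPv4 packet crosses (added example).
Constructed addresses: 203.0.113.10 = an eth0 alias of the firewall,
192.168.1.1 = its own eth1 address, 192.168.1.165 = the DMZ web server."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LOCAL_IPS = {"203.0.113.10", "192.168.1.1"}      # IPs owned by the firewall
ROUTES = [("192.168.1.", "eth1"), ("", "eth0")]  # toy prefix table, default last
NatRule = Tuple[str, str, int, str]              # (chain, dst, dport, new dst)

@dataclass
class Packet:
    dst: str
    dport: int
    in_if: Optional[str]                 # None = generated by a local process
    path: List[str] = field(default_factory=list)

def route(dst: str) -> str:
    """Routing decision: first prefix match wins, '' is the default route."""
    return next(iface for prefix, iface in ROUTES if dst.startswith(prefix))

def apply_nat(pkt: Packet, chain: str, rules: List[NatRule]) -> None:
    """Walk one nat chain; the first matching rule rewrites the destination."""
    pkt.path.append(f"nat:{chain}")
    for rule_chain, m_dst, m_port, new_dst in rules:
        if rule_chain == chain and (pkt.dst, pkt.dport) == (m_dst, m_port):
            pkt.dst = new_dst
            pkt.path.append(f"DNAT->{new_dst}")
            return

def traverse(pkt: Packet, rules: List[NatRule]) -> List[str]:
    """Return the ordered list of hooks and chains the packet crosses."""
    if pkt.in_if is None:
        pkt.path.append("routing decision")      # assumed before OUTPUT (diagram)
        apply_nat(pkt, "OUTPUT", rules)
        pkt.path.append("filter:OUTPUT")
    else:
        apply_nat(pkt, "PREROUTING", rules)
        pkt.path.append("routing decision")      # taken on the rewritten dst
        if pkt.dst in LOCAL_IPS:
            pkt.path += ["filter:INPUT", "local process"]
            return pkt.path                      # never reaches FORWARD or OUTPUT
        pkt.path.append("filter:FORWARD")
    pkt.path += ["nat:POSTROUTING", f"out {route(pkt.dst)}"]
    return pkt.path

RULES: List[NatRule] = [
    ("PREROUTING", "203.0.113.10", 80, "192.168.1.165"),  # the DNAT rule above
    ("PREROUTING", "198.51.100.7", 80, "192.168.1.1"),    # REDIRECT to local proxy,
]                                                         # modelled as DNAT to own IP

def scenarios() -> Dict[str, List[str]]:
    """The four cases discussed in the thread, as constructed packets."""
    return {
        "dnat":      traverse(Packet("203.0.113.10", 80, "eth0"), RULES),
        "no match":  traverse(Packet("203.0.113.10", 22, "eth0"), RULES),
        "proxy req": traverse(Packet("198.51.100.7", 80, "eth1"), RULES),
        "proxy rep": traverse(Packet("192.168.1.50", 40000, None), RULES),
    }
```

Print `scenarios()` to see each path as a chain sequence; the "no match" case is the one that would show up in an INPUT rule's counters, which is how a stray INPUT rule can look like part of a working DNAT.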
* Re: Routing decision?
From: Ray Leach @ 2003-09-15 15:03 UTC
To: Cedric Blancher; +Cc: Wim Ceulemans, Netfilter Mailing List, pieter

On Mon, 2003-09-15 at 16:00, Cedric Blancher wrote:
> And I do not see how packets could go to OUTPUT chain as they're
> supposed to get routed, not locally generated... The only case I see is
> REDIRECT target use on a local proxy, so packets go through INPUT, then
> proxy reply sent through OUTPUT chain.

Now that's a possibility! I didn't even think of that. I do have a transparent squid proxy running on that machine. I suppose I was watching the traffic going through the proxy (probably because I was testing from a local machine).

Thanks

> I'm a bit lost on this one.