netfilter.vger.kernel.org archive mirror
From: netfilter@buglecreek.com
To: netfilter@vger.kernel.org
Subject: Correct Chains to Apply Rules
Date: Tue, 17 May 2011 15:14:51 -0600
Message-ID: <1305666891.6262.1453014301@webmail.messagingengine.com>

I'm trying to get a head start on a firewall/router setup and I'm unable
to test the rules since the hardware is not in place.  The simplified
initial setup will be:

Internet <----> eth0 Firewall eth1 <----> server network

My first thought on the initial setup was to allow all outbound traffic
on both interfaces and unrestricted access across both interfaces in the
FORWARD chain.   Rules will be applied to interface INPUT chains.  Both
interfaces (eth0 and eth1) will have a rule that allows INPUT
ESTABLISHED,RELATED.  

In the following scenario, someone makes a new HTTP request from the
Internet that is allowed inbound on eth0 and goes out of the eth1
interface to the HTTP server in the server network. 
The HTTP server in the server network sends the response to the original
requester.  

Does the response ever hit the INPUT chain of eth1?  Or does it
immediately go to the FORWARD chain and out the OUTPUT chain of eth0?

What I'm trying to accomplish is only allow certain hosts/protocols into
the server network and also only allow a very limited amount of traffic
out of the server network.  That way if anything gets compromised in the
server network I can attempt to contain it.  I'm trying to decide if
INPUT rules should be applied to eth1 to contain traffic in the server
network or whether they should be applied to the OUTPUT chain on eth0.

Hope that makes sense. 

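One way to lay out the rules for the design described in the message above, as an added example that is not from the original post or from any of the replies. Packets the firewall routes between eth0 and eth1 traverse only the PREROUTING, FORWARD and POSTROUTING chains; INPUT sees packets addressed to the firewall itself and OUTPUT sees packets the firewall generates. The HTTP response in the scenario is therefore handled in FORWARD, where the conntrack ESTABLISHED,RELATED rule matches it, and the containment rules for the server network belong in FORWARD keyed on -i/-o, not in INPUT on eth1 or OUTPUT on eth0. The interface names come from the message; the addresses (RFC 5737 documentation prefixes), the admin host, the resolver and the DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Illustrative ruleset for the layout in
# the question: eth0 faces the Internet, eth1 faces the server network.
# All addresses below are assumptions chosen for the example.
WAN=eth0
LAN=eth1
SRV_NET=192.0.2.0/24      # server network behind eth1 (assumed)
WEB=192.0.2.10            # HTTP server (assumed)
ADMIN=198.51.100.5        # Internet-side admin host allowed to SSH in (assumed)
RESOLVER=203.0.113.53     # DNS resolver the servers may reach (assumed)

# By default print the rules instead of applying them, so the script can be
# reviewed on a machine without the hardware. Run with DRY_RUN=0 as root to apply.
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    # Drop by default; every accept below is explicit.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # INPUT only sees packets addressed to the firewall itself. Nothing about
    # the server network belongs here; routed traffic never reaches this chain.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -i "$WAN" -s "$ADMIN" -p tcp --dport 22 -j ACCEPT

    # FORWARD sees every packet routed between eth0 and eth1, in both
    # directions. Replies to accepted connections (the HTTP response in the
    # question) are matched here by conntrack, so no INPUT or OUTPUT rule is
    # needed for them on either interface.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # Anti-spoofing: packets arriving from the Internet must not claim a
    # server-network source address.
    ipt -A FORWARD -i "$WAN" -s "$SRV_NET" -j DROP

    # Into the server network: only HTTP/HTTPS to the web server, plus SSH
    # from the admin host.
    ipt -A FORWARD -i "$WAN" -o "$LAN" -d "$WEB" -p tcp -m multiport --dports 80,443 -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$LAN" -s "$ADMIN" -d "$SRV_NET" -p tcp --dport 22 -j ACCEPT

    # Out of the server network (egress containment): only DNS to the named
    # resolver. Anything else a compromised server tries to send out is
    # logged (rate-limited) and dropped, so callbacks show up in the log.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$SRV_NET" -d "$RESOLVER" -p udp --dport 53 -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -m limit --limit 5/min -j LOG --log-prefix "srv-egress-drop: "
    ipt -A FORWARD -i "$LAN" -o "$WAN" -j DROP
}

# Routing between the interfaces must also be enabled in the kernel; in
# dry-run mode the command is only printed.
enable_forwarding() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo 'sysctl -w net.ipv4.ip_forward=1'
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

enable_forwarding
build_ruleset
```

Run as-is to print the ruleset for review, which suits the situation in the message (no hardware yet), and with DRY_RUN=0 as root to apply it. The ESTABLISHED,RELATED rule in FORWARD is what lets the web server's responses back out to eth0; the closing LOG/DROP pair on eth1-to-eth0 traffic is the containment the message asks about, and the logged prefix makes any blocked outbound attempt from the server network visible.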

Thread overview: 5+ messages
2011-05-17 21:14 netfilter [this message]
2011-05-17 21:29 ` Correct Chains to Apply Rules Pascal Hambourg
2011-05-17 21:50   ` netfilter
2011-05-17 22:06     ` Jorge Dávila
2011-05-17 22:19     ` Andrew Beverley
