* Correct Chains to Apply Rules
@ 2011-05-17 21:14 netfilter
2011-05-17 21:29 ` Pascal Hambourg
0 siblings, 1 reply; 5+ messages in thread
From: netfilter @ 2011-05-17 21:14 UTC (permalink / raw)
To: netfilter
I'm trying to get a head start on a firewall/router setup and I'm unable
to test the rules since the hardware is not in place. The simplified
initial setup will be:
Internet <----> eth0 Firewall eth1 <----> server network
My first thought on the initial setup was to allow all outbound traffic
on both interfaces and unrestricted access across both interfaces in the
FORWARD chain. Rules will be applied to interface INPUT chains. Both
interfaces (eth0 and eth1) will have a rule that allows INPUT
ESTABLISHED,RELATED.
In the following scenario, someone makes a new HTTP request from the
Internet that is allowed inbound on eth0 and goes out of the eth1
interface to the HTTP server in the server network.
The HTTP server in the server network sends the response to the original
requester.
Does the response ever hit the INPUT chain of ETH1? Or does it
immediately go to the FORWARD chain and out the OUTPUT chain of eth0?
What I'm trying to accomplish is only allow certain hosts/protocols into
the server network and also only allow a very limited amount of traffic
out of the server network. That way if anything gets compromised in the
server network I can attempt to contain it. I'm trying to decide if
INPUT rules should be applied to ETH1 to contain traffic in the server
network or they should be applied to the OUTPUT chain on eth0.
Hope that makes sense.
* Re: Correct Chains to Apply Rules
2011-05-17 21:14 Correct Chains to Apply Rules netfilter
@ 2011-05-17 21:29 ` Pascal Hambourg
2011-05-17 21:50 ` netfilter
0 siblings, 1 reply; 5+ messages in thread
From: Pascal Hambourg @ 2011-05-17 21:29 UTC (permalink / raw)
To: netfilter; +Cc: netfilter
Hello,
netfilter@buglecreek.com wrote:
>
> In the following scenario, someone makes a new HTTP request from the
> Internet that is allowed inbound on eth0 and goes out of the eth1
> interface to the HTTP server in the server network.
> The HTTP server in the server network sends the response to the original
> requester.
>
> Does the response ever hit the INPUT chain of ETH1?
No.
> Or does it immediately go to the FORWARD chain
Yes.
> and out the OUTPUT chain of eth0.
No.
The three filter chains are mutually exclusive: a packet can only go
through one of them. Forwarded packets only go through the FORWARD chain.
* Re: Correct Chains to Apply Rules
2011-05-17 21:29 ` Pascal Hambourg
@ 2011-05-17 21:50 ` netfilter
2011-05-17 22:06 ` Jorge Dávila
2011-05-17 22:19 ` Andrew Beverley
0 siblings, 2 replies; 5+ messages in thread
From: netfilter @ 2011-05-17 21:50 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
OK. Thanks. So to block/allow traffic from network A to/from network B
I would apply my rules to the FORWARD chain using a source/destination.
The INPUT and OUTPUT chains on eth0 and eth1 are only for traffic bound
for the firewall/router box itself?
On Tue, 17 May 2011 23:29 +0200, "Pascal Hambourg"
<pascal.mail@plouf.fr.eu.org> wrote:
> Hello,
>
> netfilter@buglecreek.com wrote:
> >
> > In the following scenario, someone makes a new HTTP request from the
> > Internet that is allowed inbound on eth0 and goes out of the eth1
> > interface to the HTTP server in the server network.
> > The HTTP server in the server network sends the response to the original
> > requester.
> >
> > Does the response ever hit the INPUT chain of ETH1?
>
> No.
>
> > Or does it immediately go to the FORWARD chain
>
> Yes.
>
> > and out the OUTPUT chain of eth0.
>
> No.
> The three filter chains are mutually exclusive: a packet can only go
> through one of them. Forwarded packets only go through the FORWARD chain.
>
* Re: Correct Chains to Apply Rules
2011-05-17 21:50 ` netfilter
@ 2011-05-17 22:06 ` Jorge Dávila
2011-05-17 22:19 ` Andrew Beverley
1 sibling, 0 replies; 5+ messages in thread
From: Jorge Dávila @ 2011-05-17 22:06 UTC (permalink / raw)
To: netfilter
Incoming traffic to eth0 or eth1 can be directed to the box itself or
must be FORWARDed in the case of:
1) Incoming traffic on eth0 directed to the internal network
2) Incoming traffic on eth1 directed to Internet
Jorge.
On Tue, May 17, 2011 at 3:50 PM, <netfilter@buglecreek.com> wrote:
> OK. Thanks. So to block/allow traffic from network A to/from network B
> I would apply my rules to the FORWARD chain using a source/destination.
> The INPUT and OUTPUT chains on eth0 and eth1 are only for traffic bound
> for the firewall/router box itself?
>
> On Tue, 17 May 2011 23:29 +0200, "Pascal Hambourg"
> <pascal.mail@plouf.fr.eu.org> wrote:
>> Hello,
>>
>> netfilter@buglecreek.com wrote:
>> >
>> > In the following scenario, someone makes a new HTTP request from the
>> > Internet that is allowed inbound on eth0 and goes out of the eth1
>> > interface to the HTTP server in the server network.
>> > The HTTP server in the server network sends the response to the original
>> > requester.
>> >
>> > Does the response ever hit the INPUT chain of ETH1?
>>
>> No.
>>
>> > Or does it immediately go to the FORWARD chain
>>
>> Yes.
>>
>> > and out the OUTPUT chain of eth0.
>>
>> No.
>> The three filter chains are mutually exclusive: a packet can only go
>> through one of them. Forwarded packets only go through the FORWARD chain.
>>
--
Jorge Isaac Dávila López
+505 8430 5462
jorgedavilalopez@gmail.com
---
* Re: Correct Chains to Apply Rules
2011-05-17 21:50 ` netfilter
2011-05-17 22:06 ` Jorge Dávila
@ 2011-05-17 22:19 ` Andrew Beverley
1 sibling, 0 replies; 5+ messages in thread
From: Andrew Beverley @ 2011-05-17 22:19 UTC (permalink / raw)
To: netfilter; +Cc: netfilter
On Tue, 2011-05-17 at 15:50 -0600, netfilter@buglecreek.com wrote:
Please don't top post.
> OK. Thanks. So to block/allow traffic from network A to/from network B
> I would apply my rules to the FORWARD chain using a source/destination.
Yes.
> The INPUT and OUTPUT chains on eth0 and eth1 are only for traffic bound
> for the firewall/router box itself?
Yes.
A picture paints a thousand words:
http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
Or if you want a simpler version:
http://www.docum.org/docum.org/kptd/
Andy
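As an added illustration (not code from the thread or its authors), here is a small Python model of the filter-table traversal Pascal and Andy describe: the routing decision sends each packet to exactly one of INPUT, FORWARD or OUTPUT, and the questioner's intended policy (limited inbound to the server network, very limited outbound from it) lives entirely in FORWARD. The addresses, interface names beyond eth0/eth1, ports and conntrack states are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing: eth0 faces the Internet, eth1 faces the server network.
LOCAL_ADDRS = {"203.0.113.1", "10.0.0.1"}               # the firewall's own addresses
ROUTES = {ipaddress.ip_network("10.0.0.0/24"): "eth1"}  # anything else leaves via eth0

@dataclass(frozen=True)
class Packet:
    in_iface: "str | None"   # None for packets generated by the firewall itself
    src: str
    dst: str
    proto: str
    dport: int
    state: str               # conntrack state: NEW, ESTABLISHED or RELATED

def route(dst: str) -> str:
    return next((i for n, i in ROUTES.items() if ipaddress.ip_address(dst) in n), "eth0")

def filter_chain(pkt: Packet) -> str:
    """A packet traverses exactly one filter chain, picked by the routing decision."""
    if pkt.in_iface is None:
        return "OUTPUT"
    return "INPUT" if pkt.dst in LOCAL_ADDRS else "FORWARD"

# (chain, in_iface, out_iface, proto, dport, states, target); None matches anything.
RULES = [
    ("INPUT",   None,   None,   None,  None, {"ESTABLISHED", "RELATED"}, "ACCEPT"),
    ("FORWARD", None,   None,   None,  None, {"ESTABLISHED", "RELATED"}, "ACCEPT"),
    ("FORWARD", "eth0", "eth1", "tcp", 80,   {"NEW"}, "ACCEPT"),  # Internet -> web server
    ("FORWARD", "eth1", "eth0", "udp", 53,   {"NEW"}, "ACCEPT"),  # server net -> DNS only
]
POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}

def verdict(pkt: Packet) -> tuple:
    """Return (chain traversed, final target) with iptables first-match semantics."""
    chain = filter_chain(pkt)
    out_iface = None if chain == "INPUT" else route(pkt.dst)
    fields = (pkt.in_iface, out_iface, pkt.proto, pkt.dport)
    for c, *match, states, target in RULES:
        if c == chain and pkt.state in states and all(
                m is None or m == f for m, f in zip(match, fields)):
            return chain, target
    return chain, POLICY[chain]

def http_exchange() -> tuple:
    """The thread's scenario: request from the Internet, reply from the web server."""
    request = Packet("eth0", "198.51.100.7", "10.0.0.80", "tcp", 80, "NEW")
    reply = Packet("eth1", "10.0.0.80", "198.51.100.7", "tcp", 51234, "ESTABLISHED")
    return verdict(request), verdict(reply)
```

Both legs of the HTTP exchange are seen only by FORWARD; a NEW connection the web server opens to the Internet on any port other than UDP 53 falls through to the FORWARD DROP policy, which is the containment the original poster was after.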