Correct Chains to Apply Rules

netfilter.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* Correct Chains to Apply Rules
@ 2011-05-17 21:14 netfilter
  2011-05-17 21:29 ` Pascal Hambourg
  0 siblings, 1 reply; 5+ messages in thread
From: netfilter @ 2011-05-17 21:14 UTC (permalink / raw)
  To: netfilter

I'm trying to get a head start on a firewall/router setup and I'm unable
to test the rules since the hardware is not in place.  The simplified
initial setup will be:

Internet <----> eth0 Firewall eth1 <----> server network

My first thought on the initial setup was to allow all outbound traffic
on both interfaces and unrestricted access across both interfaces in the
FORWARD chain.   Rules will be applied to interface INPUT chains.  Both
interface (eth0 and eth1) will have a rule that allows INPUT
ESTABLISHED,RELATED.  

In the following scenario.  Someone makes a new HTTP request from the
Internet that is allowed inbound on eth0 and goes out of the eth1
interface to the HTTP server in the server network. 
The HTTP server in the server network sends the response to the original
requester.  

Does the response ever hit the INPUT chain of ETH1?  Or does it
immediately go to the FORWARD chain and out the OUTPUT chain of eth0.  

What I'm trying to accomplish is only allow certain hosts/protocols into
the server network and also only allow a very limited amount of traffic
out of the server network.  That way if anything gets compromised in the
server network I can attemp to contain it.  I'm trying to decide if
INPUT rules should be applied to ETH1 to contain traffic in the server
network or they should be applied to the OUTPUT chain on eth0.

Hope that makes sense. 

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Correct Chains to Apply Rules
  2011-05-17 21:14 Correct Chains to Apply Rules netfilter
@ 2011-05-17 21:29 ` Pascal Hambourg
  2011-05-17 21:50   ` netfilter
  0 siblings, 1 reply; 5+ messages in thread
From: Pascal Hambourg @ 2011-05-17 21:29 UTC (permalink / raw)
  To: netfilter; +Cc: netfilter

Hello,

netfilter@buglecreek.com a écrit :
> 
> In the following scenario.  Someone makes a new HTTP request from the
> Internet that is allowed inbound on eth0 and goes out of the eth1
> interface to the HTTP server in the server network. 
> The HTTP server in the server network sends the response to the original
> requester.  
> 
> Does the response ever hit the INPUT chain of ETH1?

No.

> Or does it immediately go to the FORWARD chain

Yes.

> and out the OUTPUT chain of eth0.  

No.
The three filter chains are mutually exclusive : a packet can only go
through one of them. Forwarded packets only go through the FORWARD chain.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Correct Chains to Apply Rules
  2011-05-17 21:29 ` Pascal Hambourg
@ 2011-05-17 21:50   ` netfilter
  2011-05-17 22:06     ` Jorge Dávila
  2011-05-17 22:19     ` Andrew Beverley
  0 siblings, 2 replies; 5+ messages in thread
From: netfilter @ 2011-05-17 21:50 UTC (permalink / raw)
  To: Pascal Hambourg; +Cc: netfilter

OK.  Thanks.  So to block/allow traffic from network A to/from network B
I would apply my rules to the FORWARD chain using a source/destination. 
The INPUT and OUTPUT chains on eth0 and eth1 are only for traffic bound
for the firewall/router box itself? 

On Tue, 17 May 2011 23:29 +0200, "Pascal Hambourg"
<pascal.mail@plouf.fr.eu.org> wrote:
> Hello,
> 
> netfilter@buglecreek.com a écrit :
> > 
> > In the following scenario.  Someone makes a new HTTP request from the
> > Internet that is allowed inbound on eth0 and goes out of the eth1
> > interface to the HTTP server in the server network. 
> > The HTTP server in the server network sends the response to the original
> > requester.  
> > 
> > Does the response ever hit the INPUT chain of ETH1?
> 
> No.
> 
> > Or does it immediately go to the FORWARD chain
> 
> Yes.
> 
> > and out the OUTPUT chain of eth0.  
> 
> No.
> The three filter chains are mutually exclusive : a packet can only go
> through one of them. Forwarded packets only go through the FORWARD chain.
> 

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Correct Chains to Apply Rules
  2011-05-17 21:50   ` netfilter
@ 2011-05-17 22:06     ` Jorge Dávila
  2011-05-17 22:19     ` Andrew Beverley
  1 sibling, 0 replies; 5+ messages in thread
From: Jorge Dávila @ 2011-05-17 22:06 UTC (permalink / raw)
  To: netfilter

Incoming traffic to eth0 or eth1 can be directed to the box itself or
must be FORWARDed in the case of:

1) Incoming traffic on eth0 directed to the internal network
2) Incoming traffic on eth1 directed to Internet

Jorge.

On Tue, May 17, 2011 at 3:50 PM,  <netfilter@buglecreek.com> wrote:
> OK.  Thanks.  So to block/allow traffic from network A to/from network B
> I would apply my rules to the FORWARD chain using a source/destination.
> The INPUT and OUTPUT chains on eth0 and eth1 are only for traffic bound
> for the firewall/router box itself?
>
> On Tue, 17 May 2011 23:29 +0200, "Pascal Hambourg"
> <pascal.mail@plouf.fr.eu.org> wrote:
>> Hello,
>>
>> netfilter@buglecreek.com a écrit :
>> >
>> > In the following scenario.  Someone makes a new HTTP request from the
>> > Internet that is allowed inbound on eth0 and goes out of the eth1
>> > interface to the HTTP server in the server network.
>> > The HTTP server in the server network sends the response to the original
>> > requester.
>> >
>> > Does the response ever hit the INPUT chain of ETH1?
>>
>> No.
>>
>> > Or does it immediately go to the FORWARD chain
>>
>> Yes.
>>
>> > and out the OUTPUT chain of eth0.
>>
>> No.
>> The three filter chains are mutually exclusive : a packet can only go
>> through one of them. Forwarded packets only go through the FORWARD chain.
>>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>



-- 
Jorge Isaac Dávila López
+505 8430 5462
jorgedavilalopez@gmail.com
---

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Correct Chains to Apply Rules
  2011-05-17 21:50   ` netfilter
  2011-05-17 22:06     ` Jorge Dávila
@ 2011-05-17 22:19     ` Andrew Beverley
  1 sibling, 0 replies; 5+ messages in thread
From: Andrew Beverley @ 2011-05-17 22:19 UTC (permalink / raw)
  To: netfilter; +Cc: netfilter

On Tue, 2011-05-17 at 15:50 -0600, netfilter@buglecreek.com wrote:

Please don't top post.

> OK.  Thanks.  So to block/allow traffic from network A to/from network B
> I would apply my rules to the FORWARD chain using a source/destination. 

Yes.

> The INPUT and OUTPUT chains on eth0 and eth1 are only for traffic bound
> for the firewall/router box itself? 

Yes.

A picture paints a thousand words:

http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg

Or if you want a simpler version:

http://www.docum.org/docum.org/kptd/

Andy



^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2011-05-17 22:19 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-05-17 21:14 Correct Chains to Apply Rules netfilter
2011-05-17 21:29 ` Pascal Hambourg
2011-05-17 21:50   ` netfilter
2011-05-17 22:06     ` Jorge Dávila
2011-05-17 22:19     ` Andrew Beverley

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).