Re: FORWARD chain and Interfaces

[netfilter@buglecreek.com]

On Sat, 21 May 2011 13:23 +0200, "Pascal Hambourg"
<pascal.mail@plouf.fr.eu.org> wrote:
> Hello,
> 
> netfilter@buglecreek.com a écrit :
> > I have a firewall router box that I'm trying to write a ruleset for that
> > accepts/blocks traffic from Network A to Network B.  I'm testing the
> > rules on 3 virtual machines and will eventually deploy to production
> > hardware:
> > 
> > Net A Machine Eth0 <-> Eth0 Firewall/Router Eth1 <-> Eth0 Net B Machine
> >       192.168.99.1     192.168.99.2   10.10.10.1     10.10.10.2
> > 
> > I have the the following rules on the Firewall/Router as a test before I
> > write rules with http, ssh etc:
> > 
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A FORWARD -i eth0 -o eth1 -p icmp --icmp-type echo-request -s
> > 192.168.99.0/24 -d 10.10.10.0/24 -m state --state NEW -j ACCEPT
> > iptables -A FORWARD -p icmp --icmp-type echo-request -m state --state
> > NEW -j LOG --log-prefix "ICMP: "
> > 
> > When I ping from 192.168.99.1 to 10.10.10.2 it does not work.  The log
> > rule logs the packet as IN=ETH1 OUT=ETH1.
> 
> 
> Can you describe the virtual network architecture ?
> Are all the three machines above virtual guests on a same physical host
> or is one of them the physical host ?
> 
> Also, can you provide the routing table on the firewall/router as
> reported by route -n or ip route ?
> 

Based on the comments left so far, it seems that my logic is correct in
the way I view the interfaces in the forward chain.  I guess unless
there is a reason I am missing I will assume that the issue has to do
with the way the virtual machines are setup.  As the other poster
suggested, I can develop the ruleset with out the references to the
interfaces and add them when the real hardware is in place and hopefully
it will behave as I think it should.  At least I'll be able to get a
start on on the rules since it will be fast turnaround when the hardware
is in place.

As far as the virtual machines.  All three test systems are virtual. 
They run RH5 using Mac with parallels.  The routing tables are below. 
Keep in mind that this was thrown together just to test the rules.  I
manually added the GW on Net A and B machines and got ping to work from
A to B via the firewall/router with just forwarding enabled
(/proc/net/sys . . ).  Once ping worked with just forwarding enabled I
started writing the FORWARD rules as outlined above and got the
unexpected interface behavior as outlined in the original post.

Network A Machine- 
Dest                    Gateway                 Genmask                
Iface
192.168.99.0      0.0.0.0                  255.255.255.0         eth1
0.0.0.0                198.168.99.2        0.0.0.0                    
eth1

Firewall/Router Machine:
Dest                    Gateway                 Genmask                
Iface
10.10.10.0          0.0.0.0                  255.255.255.0         eth1
192.168.99.0      0.0.0.0                  255.255.255.0         eth0


Netowork B Machine
Dest                    Gateway                 Genmask                
Iface
10.10.10.0          0.0.0.0                  255.255.255.0         eth0
0.0.0.0                10.10.10.1            0.0.0.0                    
eth0