* I want to understand the concept
From: Linux linux @ 2006-02-05 8:54 UTC (permalink / raw)
To: netfilter; +Cc: khankhn1, rhce.rhct, nomankhn
Hello?
I want to understand the difference b/w following
things
Q1. What is the difference b/w these 2 commands
iptables -A FORWARD -s 192.168.0.1 -j DROP
iptables -t mangle -A FORWARD -s 192.168.0.1 -j DROP
what is the difference b/w
FORWARD of filter table?
FORWARD of mangle table?
Q2. What is the difference b/w POSTROUTING and
PREROUTING?
Q3. What is the difference b/w SNAT and DNAT?
Q4. What is the difference b/w that
How can I understand
FOR FILTER TABLE?
what is my source in FORWARD chain of FILTER table
what is my destination in FORWARD chain of FILTER table
what is my source in INPUT chain of FILTER table
what is my destination in INPUT chain of FILTER table
what is my source in OUTPUT chain of FILTER table
what is my destination in OUTPUT chain of FILTER table
FOR NAT TABLE?
what is my source in INPUT chain of MANGLE table
what is my destination in INPUT chain of MANGLE table
what is my source in FORWARD chain of MANGLE table
what is my destination in FORWARD chain of MANGLE table
what is my source in OUTPUT chain of MANGLE table
what is my destination in OUTPUT chain of MANGLE table
what is my source in PREROUTING chain of MANGLE table
what is my destination in PREROUTING chain of MANGLE table
what is my source in POSTROUTING chain of MANGLE table
what is my destination in POSTROUTING chain of MANGLE table
FOR NAT TABLE?
what is my source in OUTPUT chain of NAT table
what is my destination in OUTPUT chain of NAT table
what is my source in PREROUTING chain of NAT table
what is my destination in PREROUTING chain of NAT table
what is my source in POSTROUTING chain of NAT table
what is my destination in POSTROUTING chain of NAT table
Regards
Khan
^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: I want to understand the concept
From: Rob Sterenborg @ 2006-02-05 9:22 UTC (permalink / raw)
To: netfilter
> Hello?
>
> I want to understand the difference b/w following
> things
>
> Q1. What is the difference b/w these 2 commands
>
> iptables -A FORWARD -s 192.168.0.1 -j DROP
> iptables -t mangle -A FORWARD -s 192.168.0.1 -j DROP
You SHOULD NOT FILTER in tables other than the filter table (the first
rule).
> what is the difference b/w
>
> FORWARD of filter table?
> FORWARD of mangle table?
Using the mangle table you can alter packets in the FORWARD chain.
In the filter table you cannot.
In the mangle table you can filter packets, but you SHOULD NOT.
> Q2. What is the difference b/w POSTROUTING and
> PREROUTING?
Exactly what the names say:
- PREROUTING: things to be done *before routing*, like DNAT,
- POSTROUTING: things to be done *after routing*, like SNAT.
> Q3. What is the difference b/w SNAT and DNAT?
Hmm.. Did you read any tutorial at all?
SNAT is used to "masquerade" (not exactly..) your internal, private, IP
addresses so your client can connect to the internet.
DNAT can be used to do portforwarding, for example when you run a
webserver behind the firewall.
> Q4. What is the difference b/w that
>
> How can I understand
>
> FOR FILTER TABLE?
>
> what is my source in FORWARD chain of FILTER table
The IP of original sender of the packet.
> what is my destination in FORWARD chain of FILTER table
The IP of the actual recipient of the packet (so, if you use a
PREROUTING DNAT rule, you'd use that IP there).
> what is my source in INPUT chain of FILTER table
The IP of the machine the packets come (or seem to come) from.
> what is my destination in INPUT chain of FILTER table
127.0.0.1 or one of your local IP addresses.
> what is my source in OUTPUT chain of FILTER table
127.0.0.1 or one of your local IP addresses.
> what is my destination in OUTPUT chain of FILTER table
The IP of the machine the packets go (or seem to go) to.
> FOR NAT TABLE?
I'm not going to answer these. See below.
> FOR NAT TABLE?
Nor am I going to answer these.
I think you need to read this before doing anything else...
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
http://www.aptalaska.net/~jclive/IPTablesFlowChart.pdf
http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png
Gr,
Rob
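To make the "what is my source/destination in which chain" answers concrete, here is an added toy model (not Rob's code and not part of netfilter) of the chain order a forwarded packet passes through: DNAT in nat/PREROUTING before the routing decision, the filter/FORWARD rule in the middle, SNAT in nat/POSTROUTING at the end. All addresses, ports and rules are constructed for illustration.

```python
# Added toy model of netfilter chain traversal for a forwarded packet.
# Addresses and rules are constructed for illustration.
FIREWALL_IPS = {"203.0.113.1", "192.168.0.254"}   # constructed: external + LAN side

# Constructed rules mirroring the thread: DNAT port-forward to a web server,
# drop one LAN host in filter/FORWARD (Q1's first command), SNAT the LAN.
DNAT_RULES = [(("203.0.113.1", 80), "192.168.0.10")]    # nat PREROUTING
DROP_RULES = [("FORWARD", "192.168.0.1", None)]         # filter FORWARD -s ... -j DROP
SNAT_RULES = [("192.168.0.", "203.0.113.1")]            # nat POSTROUTING

def prerouting_dnat(pkt, rules):
    """nat PREROUTING: destination is rewritten *before* the routing decision."""
    for (dst, dport), new_dst in rules:
        if pkt["dst"] == dst and pkt["dport"] == dport:
            return {**pkt, "dst": new_dst}
    return pkt

def route(pkt):
    """Routing decision: a local address goes to INPUT, anything else to FORWARD."""
    return "INPUT" if pkt["dst"] in FIREWALL_IPS else "FORWARD"

def filter_verdict(pkt, chain, rules):
    """filter table: -s/-d match what the packet looks like in *this* chain."""
    for rule_chain, src, dst in rules:
        if rule_chain != chain:
            continue
        if (src is None or src == pkt["src"]) and (dst is None or dst == pkt["dst"]):
            return "DROP"
    return "ACCEPT"

def postrouting_snat(pkt, rules):
    """nat POSTROUTING: source is rewritten *after* routing and after FORWARD."""
    for prefix, new_src in rules:
        if pkt["src"].startswith(prefix):
            return {**pkt, "src": new_src}
    return pkt

def trace(pkt, dnat=DNAT_RULES, drop=DROP_RULES, snat=SNAT_RULES):
    """Return (chain, verdict, packet as the filter chain sees it, packet on the wire)."""
    pkt = prerouting_dnat(pkt, dnat)
    chain = route(pkt)
    seen = dict(pkt)
    verdict = filter_verdict(pkt, chain, drop)
    if verdict == "DROP" or chain == "INPUT":
        return chain, verdict, seen, None
    return chain, verdict, seen, postrouting_snat(pkt, snat)

if __name__ == "__main__":
    print(trace({"src": "198.51.100.7", "dst": "203.0.113.1", "dport": 80}))
    print(trace({"src": "192.168.0.1", "dst": "198.51.100.7", "dport": 443}))
```

Running it shows the FORWARD chain seeing the post-DNAT destination (192.168.0.10) and the original, pre-SNAT source, which is exactly why a FORWARD rule for a port-forwarded server must match the internal address.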
* Re: I want to understand the concept
From: Andrew Walrond @ 2006-02-05 10:38 UTC (permalink / raw)
To: netfilter
On Sunday 05 February 2006 09:22, Rob Sterenborg wrote:
>
> Hmm.. Did you read any tutorial at all?
>
I think you just did his homework for him ;(
* RE: I want to understand the concept
From: Rob Sterenborg @ 2006-02-05 11:20 UTC (permalink / raw)
To: netfilter
>> Hmm.. Did you read any tutorial at all?
>>
>
> I think you just did his homework for him ;(
Yeah, well, not all of it.. This is not enough for what I think he wants
to do, so he'll still have to read (the) tutorial(s) and track the
flowchart(s).
Gr,
Rob
* Re: I want to understand the concept
From: Krzysztof Matusik @ 2006-02-05 15:04 UTC (permalink / raw)
To: netfilter
On Sunday, 5 February 2006 10:22, Rob Sterenborg wrote:
> You SHOULD NOT FILTER in tables other than the filter table (the first
> rule).
>
> Using the mangle table you can alter packets in the FORWARD chain.
> In the filter table you cannot.
> In the mangle table you can filter packets, but you SHOULD NOT.
Why SHOULD one NOT filter in the mangle chain? Are there any philosophical
reasons? Is it a sin? Does it make the kernel angry? :->
Performance?
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
>
> http://www.aptalaska.net/~jclive/IPTablesFlowChart.pdf
>
> http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png
Thx for the links! Really great.
Krzysztof
* RE: I want to understand the concept
From: Rob Sterenborg @ 2006-02-05 17:37 UTC (permalink / raw)
To: Netfilter
>> You SHOULD NOT FILTER in tables other than the filter table (the
>> first rule).
>
>> Using the mangle table you can alter packets in the FORWARD chain.
>> In the filter table you cannot.
>> In the mangle table you can filter packets, but you SHOULD NOT.
>
> Why SHOULD one NOT filter in the mangle chain? Are there any
> philosophical reasons? Is it a sin? Does it make the kernel angry? :->
> Performance?
Yes, it will make your kernel yell at you, crash and then go up in
flames. ;^P
No, seriously, some people think otherwise because they haven't had
problems (yet), but if you're going to filter in the nat or mangle table
you may get unexpected results that would not have happened if you
filtered in the filter table.
When questions like these are asked I'd say that the OP doesn't really
know what's going on regarding packet-flow and should stick to filtering
in the filter chain. That's what that table is for.
Gr,
Rob