From: Lopsch <lopsch@lopsch.com>
To: netfilter@lists.netfilter.org
Subject: Re: questions about chain traversal, new ascii diagram
Date: Thu, 06 Jan 2005 18:49:09 +0100
Message-ID: <41DD7A15.6050405@lopsch.com>
In-Reply-To: <BAY101-F121798A658C0B56334F8D7DF930@phx.gbl>
Curby . wrote:
> Hi, I'm in the process of building a three-interface firewall and I have
> some questions about how the different chains see NAT packets and
> locally-generated packets.
>
> Firstly, if I just do filtering in the INPUT/OUTPUT chains, NAT-ed
> packets will not traverse those chains, so I figure I should probably
> put similar filtering rules in the FORWARD chain? (For example, I'd like
> to be able to block all my internal users from accessing certain sites,
> or block incoming traffic sent by bad hosts from being port-forwarded to
> internal servers).
>
> If I was trying to block incoming traffic from bad hosts, why not simply
> put the filters in the PREROUTING chain instead of both INPUT and
> FORWARD? Is it because the nat table is intended for just nat and doing
> filtering there would be ugly, or would it actually fail to work?
>
> I read in http://davidcoulson.net/writing/lxf/14/iptables.pdf (on the
> netfilter.org documentation page) that nat's OUTPUT chain performs DNAT
> on outgoing packets originating from the server, and POSTROUTING
> performs SNAT on outgoing packets passing through the firewall from
> other hosts. If I have two Internet-facing IPs and would like to SNAT
> locally-generated traffic to one or the other, it would appear that
> iptables wouldn't let me do that very easily, right? What is the
> purpose of nat's OUTPUT chain (in other words, when would I want to DNAT
> locally-generated traffic)?
>
> In what order does locally-generated traffic traverse the OUTPUT chains
> of filter and nat tables?
>
> Lastly, aside from those issues, is the diagram below a reasonable
> representation? The only diagrams I found on chain traversal dealt with
> the nat and filter tables separately, but I'm hoping that it's possible
> to show them together. (I hope hotmail doesn't completely destroy this
> ascii hehe).
>
> # -->n.PREROUT-->routing decision-->f.FORWARD-->n.POSTROUT--,-->
> #                        |                    ,-------------^
> #                        v                    |
> #                     f.INPUT             f.OUTPUT, n.OUTPUT
> #                        |                    ^
> #                        `--->local process---'
>
> Thanks!
>
> --curby
>
>
http://joerg.fruehbrodt.bei.t-online.de/pics/abb3_netfilter_ablaufdiagramm.jpg
What about the mangle decisions, do you also want to include them :D?
--
PGP-ID 0xF8EAF138
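As an added illustration (not code from this thread or from the netfilter project), the following Python model encodes the traversal order the diagram above tries to draw, with the mangle chains included as Lopsch suggests. The per-hook order it assumes (mangle before nat before filter in OUTPUT, mangle before nat in PREROUTING and POSTROUTING) is the documented netfilter hook priority order; the raw table and the later nat INPUT hook are deliberately left out, and the "table.CHAIN" names, the "reroute check" step and the first_packet flag are this example's own conventions. The first_packet flag captures why the nat table is not a place to filter: only the first packet of a connection enters the nat chains, later packets are translated by conntrack without passing through them, so a block placed there never sees the rest of the flow. The model also shows that nat POSTROUTING is reached by locally generated packets as well as forwarded ones.

```python
"""Model of netfilter chain traversal for the mangle, nat and filter tables.

Added illustration for this mailing-list thread; not code from the netfilter
project.  Chain order per hook follows the documented netfilter hook priorities
(mangle before nat before filter).  The raw table and the nat INPUT hook are
intentionally omitted.
"""

# Chains registered at each netfilter hook, in the order they run.
HOOKS = {
    "PREROUTING": ["mangle.PREROUTING", "nat.PREROUTING"],
    "INPUT": ["mangle.INPUT", "filter.INPUT"],
    "FORWARD": ["mangle.FORWARD", "filter.FORWARD"],
    "OUTPUT": ["mangle.OUTPUT", "nat.OUTPUT", "filter.OUTPUT"],
    "POSTROUTING": ["mangle.POSTROUTING", "nat.POSTROUTING"],
}

NAT_TABLE_PREFIX = "nat."


def traversal(origin, destination, first_packet=True):
    """Return the ordered list of chains (and routing steps) a packet visits.

    origin:       "network" (arrived on an interface) or "local" (generated
                  by a process on the firewall itself)
    destination:  "local" (addressed to the firewall) or "remote"
    first_packet: the nat table is consulted only for the first packet of a
                  connection; later packets are translated by conntrack from
                  the stored mapping and never enter the nat chains.
    """
    if origin == "network":
        path = HOOKS["PREROUTING"] + ["routing decision"]
        if destination == "local":
            path += HOOKS["INPUT"] + ["local process"]
        else:
            path += HOOKS["FORWARD"] + HOOKS["POSTROUTING"] + ["out"]
    elif origin == "local":
        path = ["local process", "routing decision"] + HOOKS["OUTPUT"]
        # nat.OUTPUT may have rewritten the destination, so the route is rechecked.
        path += ["reroute check"] + HOOKS["POSTROUTING"]
        if destination == "local":
            # Loopback traffic re-enters the stack as if it had come off the wire.
            path += HOOKS["PREROUTING"] + ["routing decision"]
            path += HOOKS["INPUT"] + ["local process"]
        else:
            path += ["out"]
    else:
        raise ValueError(f"unknown origin {origin!r}")

    if not first_packet:
        # Established connections bypass every nat chain.
        path = [step for step in path if not step.startswith(NAT_TABLE_PREFIX)]
    return path


def rule_in_chain_sees(chain, origin, destination, first_packet=True):
    """True if a rule placed in `chain` is evaluated for this packet."""
    return chain in traversal(origin, destination, first_packet)


def where_to_filter(origin, destination):
    """The filter-table chains that see every packet of this flow type."""
    return [step for step in traversal(origin, destination)
            if step.startswith("filter.")]


if __name__ == "__main__":
    cases = [("network", "local"), ("network", "remote"),
             ("local", "remote"), ("local", "local")]
    for origin, destination in cases:
        print(f"{origin:>7} -> {destination:<6}: "
              + " -> ".join(traversal(origin, destination)))
    # The questions raised in the thread, answered by the model:
    print("filter.INPUT sees forwarded packets:",
          rule_in_chain_sees("filter.INPUT", "network", "remote"))
    print("nat.PREROUTING sees the 2nd packet of a connection:",
          rule_in_chain_sees("nat.PREROUTING", "network", "remote",
                             first_packet=False))
    print("nat.POSTROUTING sees locally generated packets:",
          rule_in_chain_sees("nat.POSTROUTING", "local", "remote"))
```

Running the script prints the four traversal paths and then answers the thread's three questions from the model: forwarded packets never touch filter INPUT or OUTPUT (so per-site or per-host blocking of forwarded traffic belongs in filter FORWARD), a nat PREROUTING rule is skipped for every packet after the first of a connection, and locally generated packets do reach nat POSTROUTING after filter OUTPUT, with nat OUTPUT running before filter OUTPUT.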