interface vs ip

interface vs ip

[P theodorou]

Im new to this therefore i need to clarify the followings

1)can i send or recieve packets from interface to ip and vise versa

or  only to interfaces and only to ips

2)

I want to let icmp packets from 192.168.0.1(eth1) to 192.168.1.1(eth2)

is it safer to declare

iptables -A INPUT  -i eth1   -o eth2 -J ACCEPT

or
iptables -A INPUT -s 192.168.0.1 -d 192.168.1.1

Thank You

Re: interface vs ip

[Mariusz Kruk]

P theodorou napisa³(a):
> Im new to this therefore i need to clarify the followings
> 
> 1)can i send or recieve packets from interface to ip and vise versa
> 
> or  only to interfaces and only to ips
> 
> 2)
> 
> I want to let icmp packets from 192.168.0.1(eth1) to 192.168.1.1(eth2)
> 
> is it safer to declare
> 
> iptables -A INPUT  -i eth1   -o eth2 -J ACCEPT
> 
> or
> iptables -A INPUT -s 192.168.0.1 -d 192.168.1.1

It depends on what you really want to do. If you want to control the 
flow on the level of physical interfaces, you use -i and -o. If you want 
to control on the level of IP addresses, you use -s and -d. But that you 
already know. You can also combine both forms to, for example, filter 
out traffic which comes from a physical interface, but from IP's not 
belonging to this network. Or other similar things.
Anyway, it's up to you to decide which form is apropriate for what you 
want to achieve.
Remember tho, that you can use -s and -d in any table/chain (correct me 
if I'm wrong) regardless of whether it makes sense or not (already 
NATted or not yet and so on), but physical interfaces are limited to 
those tables/chains they make sense in. So you cannot use input 
interface in POSTROUTING because netfilter simply doesn't know which 
interface the packet came from.

RE: interface vs ip

[Derick Anderson]

 

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org 
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of P 
> theodorou
> Sent: Tuesday, September 27, 2005 7:33 AM
> To: netfilter@lists.netfilter.org
> Subject: interface vs ip
> 
> Im new to this therefore i need to clarify the followings
> 
> 1)can i send or recieve packets from interface to ip and vise versa
> 
> or  only to interfaces and only to ips

Not sure if I understand this question but I'll give it a shot:

The short answer is you can send and receive packets from interface to
ip or vice versa. The long answer is that the details of this differ
depending on the chain you use. FORWARD is the only chain which supports
both -i and -o (inbound and outbound interfaces). The rest support
either -i or -o and I'll leave it up to you to determine how that works:

http://iptables-tutorial.frozentux.net/iptables-tutorial.html#GENERICMAT
CHES
 
> 2)
> 
> I want to let icmp packets from 192.168.0.1(eth1) to 192.168.1.1(eth2)
> 
> is it safer to declare
> 
> iptables -A INPUT  -i eth1   -o eth2 -J ACCEPT
> 
> or
> iptables -A INPUT -s 192.168.0.1 -d 192.168.1.1
> 
> Thank You

First of all -o is not valid for the INPUT chain.

Next, I'm going to assume by "safer" you mean more secure. I typically
use both -i/o and -s/d. Let's pretend you used the FORWARD chain instead
of INPUT up there, eth1's subnet is 192.168.0.0/24 and eth2's subnet is
192.168.1.0/24. You want to explicitly allow all of 192.168.0.1's
packets to 192.168.1.1. Your rule would look like this:

iptables -A FORWARD -i eth1 -o eth2 -s 192.168.0.1 -d 192.168.1.1 -j
ACCEPT

By itself this rule doesn't really help you but I think you get the
idea.

Derick Anderson