From: Mart Frauenlob <mart.frauenlob@chello.at>
To: netfilter@vger.kernel.org
Subject: Re: Forward Chain: is Inbound traffic on eth0 not also Outbound depending on your view?
Date: Sun, 08 Nov 2009 12:54:20 +0100 [thread overview]
Message-ID: <4AF6B16C.506@chello.at> (raw)
In-Reply-To: <ac5c74140911080311g21df128fte32b05d90b233a33@mail.gmail.com>
paddy joesoap wrote:
> Dear Experts
>
> I am curious to know more about what FORWARD chain inbound and
> outbound actually mean.
>
> Example firewall set-up below:
>
> Internet --- Firewall --- PC
>
> Firewall has 2 interfaces: eth0 = External and eth1 = Internal
>
> >From what I can gather from the Netfilter website, all I need to do is
> create are inbound and outbound rules on the FORWARD chain.
>
> To allow inbound Internet access, I specify:
>
> FORWARD -i eth0
>
> To allow outbound PC access, I specify:
>
> FORWARD -o eth1
>
> The question is from whose perspective do you view what is inbound and
> what is outbound?
>
> For example, in the case of the Internet client, traffic flowing
> towards the firewall is indeed Inbound so naturally "FORWARD -i eth0"
> is required. However, isn't it also Outbound on eth1, given that it
> leaves interface eth1 to get to PC?
>
> Similarly, clients on the internal network think of their traffic as
> being outbound only, but when traffic is being "forwarded" from eth1
> to eth0 heading for the Internet, isn't that traffic classed as
> Inbound on eth0?
>
> Do I need to create rules for this scenario also or is Netfilter
> handling these implied situations?
>
> Beginner questions so apologies in advance.
> Paddy.
>
Please read this carefully and if you still have questions, ask them
afterwards:
http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TRAVERSINGOFTABLES
http://jengelh.medozas.de/images/nf-packet-flow.png
but in short:
INPUT chain = packets destined to your host
OUTPUT chain = source of packets is your host
FORWARD chain = source is external - destination is external address
(forwarded, routed)
regards
Mart
next prev parent reply other threads:[~2009-11-08 11:54 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-11-08 11:11 Forward Chain: is Inbound traffic on eth0 not also Outbound depending on your view? paddy joesoap
2009-11-08 11:54 ` Mart Frauenlob [this message]
2009-11-08 12:00 ` Mart Frauenlob
2009-11-08 14:21 ` Oskar Berggren
2009-11-08 14:44 ` paddy joesoap
2009-11-09 10:00 ` Mart Frauenlob
2009-11-09 10:17 ` paddy joesoap
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4AF6B16C.506@chello.at \
--to=mart.frauenlob@chello.at \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).