From: Mart Frauenlob <mart.frauenlob@chello.at>
To: netfilter@vger.kernel.org
Subject: Re: Forward Chain: is Inbound traffic on eth0 not also Outbound depending on your view?
Date: Sun, 08 Nov 2009 13:00:11 +0100
Message-ID: <4AF6B2CB.5090100@chello.at>
In-Reply-To: <4AF6B16C.506@chello.at>
Mart Frauenlob wrote:
> paddy joesoap wrote:
>> Dear Experts
>>
>> I am curious to know more about what FORWARD chain inbound and
>> outbound actually mean.
>>
>> Example firewall set-up below:
>>
>> Internet --- Firewall --- PC
>>
>> Firewall has 2 interfaces: eth0 = External and eth1 = Internal
>>
>> From what I can gather from the Netfilter website, all I need to do is
>> create inbound and outbound rules on the FORWARD chain.
>>
>> To allow inbound Internet access, I specify:
>>
>> FORWARD -i eth0
>>
>> To allow outbound PC access, I specify:
>>
>> FORWARD -o eth1
>>
>> The question is from whose perspective do you view what is inbound and
>> what is outbound?
>>
>> For example, in the case of the Internet client, traffic flowing
>> towards the firewall is indeed Inbound so naturally "FORWARD -i eth0"
>> is required. However, isn't it also Outbound on eth1, given that it
>> leaves interface eth1 to get to PC?
>>
>> Similarly, clients on the internal network think of their traffic as
>> being outbound only, but when traffic is being "forwarded" from eth1
>> to eth0 heading for the Internet, isn't that traffic classed as
>> Inbound on eth0?
>>
>> Do I need to create rules for this scenario also or is Netfilter
>> handling these implied situations?
>>
>> Beginner questions so apologies in advance.
>> Paddy.
>>
> Please read this carefully and if you still have questions, ask them
> afterwards:
>
> http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TRAVERSINGOFTABLES
>
> http://jengelh.medozas.de/images/nf-packet-flow.png
>
> but in short:
> INPUT chain = packets destined to your host
> OUTPUT chain = source of packets is your host
> FORWARD chain = source is external - destination is external address
> (forwarded, routed)
>
Forgot to mention: it's your choice, and may depend on how exactly you
need/want a match, to specify either one or two interfaces in a FORWARD
chain rule, i.e.
iptables -A FORWARD -i eth1 -o eth0 ....
If you have only one LAN, a -o eth0 may be sufficient, but if you have
more than one LAN, you might prefer to use -i eth1 -o eth0.
regards
Mart
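The following is an added example, not part of the thread and not code from any netfilter project. It is a small Python model of the point made above: a routed packet has exactly one ingress interface (matched by -i) and one egress interface (matched by -o), and the FORWARD chain sees it once, so "-i eth0" and "-o eth1" both describe the same Internet-to-PC direction, while PC-to-Internet traffic (in on eth1, out on eth0) matches neither. The topology (eth0 = Internet, eth1 = LAN 1, eth2 = a second LAN), the addresses and the rule sets are all constructed for the demonstration; the parser understands only the -A/-i/-o/-j subset of iptables syntax used in the thread.

```python
"""Toy model of netfilter chain selection and FORWARD -i/-o matching.

Added example (constructed): interfaces, addresses and rules are
illustrative and the parser covers only -A FORWARD, -i, -o and -j.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    src: str                 # source IP (constructed)
    dst: str                 # destination IP (constructed)
    in_if: str               # interface the packet arrived on
    out_if: Optional[str]    # interface routing chose; None if delivered locally


def chain_for(pkt: Packet, local_addrs: Set[str]) -> str:
    """Which built-in filter chain sees the packet (the summary given in the thread)."""
    if pkt.dst in local_addrs:
        return "INPUT"       # destined to this host
    if pkt.src in local_addrs:
        return "OUTPUT"      # generated by this host
    return "FORWARD"         # routed through this host


@dataclass(frozen=True)
class Rule:
    in_if: Optional[str]     # -i, None means "any"
    out_if: Optional[str]    # -o, None means "any"
    target: str              # -j


def parse_forward_rule(spec: str) -> Rule:
    """Parse 'iptables -A FORWARD [-i IF] [-o IF] -j TARGET' (toy subset only)."""
    tokens = spec.split()
    chain = in_if = out_if = target = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "iptables":
            i += 1
            continue
        if tok not in ("-A", "-i", "-o", "-j"):
            raise ValueError(f"unsupported option {tok!r}")
        if i + 1 >= len(tokens):
            raise ValueError(f"{tok} needs an argument")
        arg = tokens[i + 1]
        if tok == "-A":
            chain = arg
        elif tok == "-i":
            in_if = arg
        elif tok == "-o":
            out_if = arg
        else:
            target = arg
        i += 2
    if chain != "FORWARD":
        raise ValueError("only the FORWARD chain is modelled here")
    return Rule(in_if, out_if, target or "ACCEPT")


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """-i is checked against the ingress interface, -o against the egress one."""
    return (rule.in_if is None or rule.in_if == pkt.in_if) and \
           (rule.out_if is None or rule.out_if == pkt.out_if)


def forward_verdict(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule decides; with no match the chain policy applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.target
    return policy


# Constructed forwarded flows: eth0 = Internet, eth1 = LAN 1, eth2 = LAN 2.
PACKETS: Dict[str, Packet] = {
    "internet_to_pc":   Packet("203.0.113.5", "192.168.1.10", "eth0", "eth1"),
    "pc_to_internet":   Packet("192.168.1.10", "203.0.113.5", "eth1", "eth0"),
    "lan2_to_internet": Packet("192.168.2.10", "203.0.113.5", "eth2", "eth0"),
    "lan1_to_lan2":     Packet("192.168.1.10", "192.168.2.10", "eth1", "eth2"),
}

# The two single-interface rules from the question: both name the same direction.
QUESTION = ["iptables -A FORWARD -i eth0 -j ACCEPT",
            "iptables -A FORWARD -o eth1 -j ACCEPT"]
# One LAN: a bare -o eth0 is enough for the outbound direction.
ONE_LAN = ["iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT",
           "iptables -A FORWARD -o eth0 -j ACCEPT"]
# More than one LAN: naming both interfaces keeps LAN 2 out of the rule.
STRICT = ["iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT",
          "iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT"]


def verdicts(rule_specs: List[str]) -> Dict[str, str]:
    """Verdict of each constructed flow under the given FORWARD rules (policy DROP)."""
    rules = [parse_forward_rule(s) for s in rule_specs]
    return {name: forward_verdict(rules, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, specs in (("question", QUESTION), ("one_lan", ONE_LAN), ("strict", STRICT)):
        print(label, verdicts(specs))
```

Run it and the "question" rule set accepts only internet_to_pc: both of its rules match the packet that enters on eth0 and leaves on eth1, and nothing matches the reply direction. The "one_lan" set lets LAN 2 reach the Internet through the bare -o eth0 rule, which the "strict" set does not. A real ruleset would normally also accept established/related return traffic with conntrack rather than opening both directions unconditionally; this model deliberately leaves state out to keep the interface semantics visible.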
Thread overview: 7+ messages
2009-11-08 11:11 Forward Chain: is Inbound traffic on eth0 not also Outbound depending on your view? paddy joesoap
2009-11-08 11:54 ` Mart Frauenlob
2009-11-08 12:00 ` Mart Frauenlob [this message]
2009-11-08 14:21 ` Oskar Berggren
2009-11-08 14:44 ` paddy joesoap
2009-11-09 10:00 ` Mart Frauenlob
2009-11-09 10:17 ` paddy joesoap