Forward Chain: is Inbound traffic on eth0 not also Outbound depending on your view?

Forward Chain: is Inbound traffic on eth0 not also Outbound depending on your view?

[paddy joesoap]

Dear Experts

I am curious to know more about what FORWARD chain inbound and
outbound actually mean.

Example firewall set-up below:

Internet --- Firewall --- PC

Firewall has 2 interfaces: eth0 = External and eth1 = Internal

From what I can gather from the Netfilter website, all I need to do is
create are inbound and outbound rules on the FORWARD chain.

To allow inbound Internet access, I specify:

FORWARD -i eth0

To allow outbound PC access, I specify:

FORWARD -o eth1

The question is from whose perspective do you view what is inbound and
what is outbound?

For example, in the case of the Internet client, traffic flowing
towards the firewall is indeed Inbound so naturally "FORWARD -i eth0"
is required. However, isn't it also Outbound on eth1, given that it
leaves interface eth1 to get to PC?

Similarly, clients on the internal network think of their traffic as
being outbound only, but when traffic is being "forwarded" from eth1
to eth0 heading for the Internet, isn't that traffic classed as
Inbound on eth0?

Do I need to create rules for this scenario also or is Netfilter
handling these implied situations?

Beginner questions so apologies in advance.
Paddy.

Re: Forward Chain: is Inbound traffic on eth0 not also Outbound depending on your view?

[Mart Frauenlob]

paddy joesoap wrote:
> Dear Experts
>
> I am curious to know more about what FORWARD chain inbound and
> outbound actually mean.
>
> Example firewall set-up below:
>
> Internet --- Firewall --- PC
>
> Firewall has 2 interfaces: eth0 = External and eth1 = Internal
>
> >From what I can gather from the Netfilter website, all I need to do is
> create are inbound and outbound rules on the FORWARD chain.
>
> To allow inbound Internet access, I specify:
>
> FORWARD -i eth0
>
> To allow outbound PC access, I specify:
>
> FORWARD -o eth1
>
> The question is from whose perspective do you view what is inbound and
> what is outbound?
>
> For example, in the case of the Internet client, traffic flowing
> towards the firewall is indeed Inbound so naturally "FORWARD -i eth0"
> is required. However, isn't it also Outbound on eth1, given that it
> leaves interface eth1 to get to PC?
>
> Similarly, clients on the internal network think of their traffic as
> being outbound only, but when traffic is being "forwarded" from eth1
> to eth0 heading for the Internet, isn't that traffic classed as
> Inbound on eth0?
>
> Do I need to create rules for this scenario also or is Netfilter
> handling these implied situations?
>
> Beginner questions so apologies in advance.
> Paddy.
>   
Please read this carefully and if you still have questions, ask them 
afterwards:

http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TRAVERSINGOFTABLES
http://jengelh.medozas.de/images/nf-packet-flow.png

but in short:
INPUT chain = packets destined to your host
OUTPUT chain = source of packets is your host
FORWARD chain = source is external - destination is external address 
(forwarded, routed)

regards

Mart

Re: Forward Chain: is Inbound traffic on eth0 not also Outbound depending on your view?

[Mart Frauenlob]

Mart Frauenlob wrote:
> paddy joesoap wrote:
>> Dear Experts
>>
>> I am curious to know more about what FORWARD chain inbound and
>> outbound actually mean.
>>
>> Example firewall set-up below:
>>
>> Internet --- Firewall --- PC
>>
>> Firewall has 2 interfaces: eth0 = External and eth1 = Internal
>>
>> >From what I can gather from the Netfilter website, all I need to do is
>> create are inbound and outbound rules on the FORWARD chain.
>>
>> To allow inbound Internet access, I specify:
>>
>> FORWARD -i eth0
>>
>> To allow outbound PC access, I specify:
>>
>> FORWARD -o eth1
>>
>> The question is from whose perspective do you view what is inbound and
>> what is outbound?
>>
>> For example, in the case of the Internet client, traffic flowing
>> towards the firewall is indeed Inbound so naturally "FORWARD -i eth0"
>> is required. However, isn't it also Outbound on eth1, given that it
>> leaves interface eth1 to get to PC?
>>
>> Similarly, clients on the internal network think of their traffic as
>> being outbound only, but when traffic is being "forwarded" from eth1
>> to eth0 heading for the Internet, isn't that traffic classed as
>> Inbound on eth0?
>>
>> Do I need to create rules for this scenario also or is Netfilter
>> handling these implied situations?
>>
>> Beginner questions so apologies in advance.
>> Paddy.
>>   
> Please read this carefully and if you still have questions, ask them 
> afterwards:
>
> http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TRAVERSINGOFTABLES 
>
> http://jengelh.medozas.de/images/nf-packet-flow.png
>
> but in short:
> INPUT chain = packets destined to your host
> OUTPUT chain = source of packets is your host
> FORWARD chain = source is external - destination is external address 
> (forwarded, routed)
>
forgot to mention, it's your choice and may depend how exactly you 
need/want a match, to specify either one or two interfaces in a FORWARD 
chain rule. i.e.

iptables -A FORWARD -i eth1 -o eth0 ....

if you have only one LAN, a -o eth0 may be sufficient, but if you have 
more than one LAN, you might prefer to use -i eth1 -o eth0.

regards

Mart

Re: Forward Chain: is Inbound traffic on eth0 not also Outbound depending on your view?

[Oskar Berggren]

You seem to be over-thinking in the wrong direction. :)

iptables by itself is not concerned with what you as administrator
consider "outbound" or "inbound" traffic to/from your "network".

-i <interfacename> simply mean: match traffic arriving to this machine
on this interface.
-o <interfacename> simply mean: match traffic that the routing system
says will leave this machine via this interface.

These are from the perspective of the firewall itself. What inbound
and outbound means with respect to your client machines is a different
thing.

Provided that you have no other interfaces the two rules you've
specified actually both match the same traffic: Packets arriving on
eth0 and being routed to the subnet on eth1. However, none of those
rules will match traffic arriving on eth1 (from your clients), heading
for the external network.

/Oskar


2009/11/8 paddy joesoap <paddyjoesoap@gmail.com>:
> Dear Experts
>
> I am curious to know more about what FORWARD chain inbound and
> outbound actually mean.
>
> Example firewall set-up below:
>
> Internet --- Firewall --- PC
>
> Firewall has 2 interfaces: eth0 = External and eth1 = Internal
>
> From what I can gather from the Netfilter website, all I need to do is
> create are inbound and outbound rules on the FORWARD chain.
>
> To allow inbound Internet access, I specify:
>
> FORWARD -i eth0
>
> To allow outbound PC access, I specify:
>
> FORWARD -o eth1
>
> The question is from whose perspective do you view what is inbound and
> what is outbound?
>
> For example, in the case of the Internet client, traffic flowing
> towards the firewall is indeed Inbound so naturally "FORWARD -i eth0"
> is required. However, isn't it also Outbound on eth1, given that it
> leaves interface eth1 to get to PC?
>
> Similarly, clients on the internal network think of their traffic as
> being outbound only, but when traffic is being "forwarded" from eth1
> to eth0 heading for the Internet, isn't that traffic classed as
> Inbound on eth0?
>
> Do I need to create rules for this scenario also or is Netfilter
> handling these implied situations?
>
> Beginner questions so apologies in advance.
> Paddy.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: Forward Chain: is Inbound traffic on eth0 not also Outbound depending on your view?

[paddy joesoap]

Hi guy's

I was just reading through the links Mart provided to try and get a
handle on things.

Suppose this is the scenario:

Internet -- Firewall -- Web server where the firewall has eth0 =
External and eth1 = Internal

My understanding of seeing examples on the web (please correct me if I
am wrong) is that access to a web server can be permitted as follows:

Scenario 1:
iptables -A FORWARD -i eth0 -s anyIP --sport anyPort -d webServIP
--dport 80  -j ACCEPT
iptables -A FORWARD -o eth1 -s webServIP --sport 80 -d anyIP --dport
anyPort  -j ACCEPT

I was just wondering must I also include 2 other rules:

Scenario 2:
iptables -A FORWARD -i eth0 -s anyIP --sport anyPort -d webServIP
--dport 80  -j ACCEPT // external in on eth0
iptables -A FORWARD -o eth1 -s anyIP --sport anyPort -d webServIP
--dport 80  -j ACCEPT // new rule. external out on eth1 toward web
server
iptables -A FORWARD -o eth1 -s webServIP --sport 80 -d anyIP --dport
anyPort  -j ACCEPT
iptables -A FORWARD -i eth0 -s webServIP --sport 80 -d anyIP --dport
anyPort  -j ACCEPT // new rule

From what I can gather of the iptables tutorial, I don't have to worry
about the 2 new rules. Perhaps they are redundant, in the sense that
traffic is being filtered in one direction of each interface and
filtering the same kind of traffic in both directions on each
interface maybe considered duplication.

But then again what about the default policy of Drop. Would not having
these two new rules mean http traffic fails? My guess is after traffic
has been processed (from the netfilter flow diagram Maart sent)
in one direction it is the automatically routed to the second
interface without filtering. So the answer is yes, http traffic will
still get by. Correct?

This now makes me as the question why bother with filtering eth1 at
all in Scenario 1? Could the rules equally have been written as:

Scenario 3: (note single interface used, filter in both directions on eth0)
iptables -A FORWARD -i eth0 -s anyIP --sport anyPort -d webServIP
--dport 80  -j ACCEPT
iptables -A FORWARD -o eth0 -s webServIP --sport 80 -d anyIP --dport
anyPort  -j ACCEPT

Again apologies for the obvious stupidity on my part.


On Sun, Nov 8, 2009 at 2:21 PM, Oskar Berggren <oskar.berggren@gmail.com> wrote:
> You seem to be over-thinking in the wrong direction. :)
>
> iptables by itself is not concerned with what you as administrator
> consider "outbound" or "inbound" traffic to/from your "network".
>
> -i <interfacename> simply mean: match traffic arriving to this machine
> on this interface.
> -o <interfacename> simply mean: match traffic that the routing system
> says will leave this machine via this interface.
>
> These are from the perspective of the firewall itself. What inbound
> and outbound means with respect to your client machines is a different
> thing.
>
> Provided that you have no other interfaces the two rules you've
> specified actually both match the same traffic: Packets arriving on
> eth0 and being routed to the subnet on eth1. However, none of those
> rules will match traffic arriving on eth1 (from your clients), heading
> for the external network.
>
> /Oskar
>
>
> 2009/11/8 paddy joesoap <paddyjoesoap@gmail.com>:
>> Dear Experts
>>
>> I am curious to know more about what FORWARD chain inbound and
>> outbound actually mean.
>>
>> Example firewall set-up below:
>>
>> Internet --- Firewall --- PC
>>
>> Firewall has 2 interfaces: eth0 = External and eth1 = Internal
>>
>> From what I can gather from the Netfilter website, all I need to do is
>> create are inbound and outbound rules on the FORWARD chain.
>>
>> To allow inbound Internet access, I specify:
>>
>> FORWARD -i eth0
>>
>> To allow outbound PC access, I specify:
>>
>> FORWARD -o eth1
>>
>> The question is from whose perspective do you view what is inbound and
>> what is outbound?
>>
>> For example, in the case of the Internet client, traffic flowing
>> towards the firewall is indeed Inbound so naturally "FORWARD -i eth0"
>> is required. However, isn't it also Outbound on eth1, given that it
>> leaves interface eth1 to get to PC?
>>
>> Similarly, clients on the internal network think of their traffic as
>> being outbound only, but when traffic is being "forwarded" from eth1
>> to eth0 heading for the Internet, isn't that traffic classed as
>> Inbound on eth0?
>>
>> Do I need to create rules for this scenario also or is Netfilter
>> handling these implied situations?
>>
>> Beginner questions so apologies in advance.
>> Paddy.
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>

Re: Forward Chain: is Inbound traffic on eth0 not also Outbound depending on your view?

[Mart Frauenlob]

paddy joesoap wrote:
> Hi guy's
>
> I was just reading through the links Mart provided to try and get a
> handle on things.
>
> Suppose this is the scenario:
>
> Internet -- Firewall -- Web server where the firewall has eth0 =
> External and eth1 = Internal
>
> My understanding of seeing examples on the web (please correct me if I
> am wrong) is that access to a web server can be permitted as follows:
>
> Scenario 1:
> iptables -A FORWARD -i eth0 -s anyIP --sport anyPort -d webServIP
> --dport 80  -j ACCEPT
> iptables -A FORWARD -o eth1 -s webServIP --sport 80 -d anyIP --dport
> anyPort  -j ACCEPT
>
> I was just wondering must I also include 2 other rules:
>
> Scenario 2:
> iptables -A FORWARD -i eth0 -s anyIP --sport anyPort -d webServIP
> --dport 80  -j ACCEPT // external in on eth0
> iptables -A FORWARD -o eth1 -s anyIP --sport anyPort -d webServIP
> --dport 80  -j ACCEPT // new rule. external out on eth1 toward web
> server
> iptables -A FORWARD -o eth1 -s webServIP --sport 80 -d anyIP --dport
> anyPort  -j ACCEPT
> iptables -A FORWARD -i eth0 -s webServIP --sport 80 -d anyIP --dport
> anyPort  -j ACCEPT // new rule
>
> >From what I can gather of the iptables tutorial, I don't have to worry
> about the 2 new rules. Perhaps they are redundant, in the sense that
> traffic is being filtered in one direction of each interface and
> filtering the same kind of traffic in both directions on each
> interface maybe considered duplication.
>
> But then again what about the default policy of Drop. Would not having
> these two new rules mean http traffic fails? My guess is after traffic
> has been processed (from the netfilter flow diagram Maart sent)
> in one direction it is the automatically routed to the second
> interface without filtering. So the answer is yes, http traffic will
> still get by. Correct?
>
> This now makes me as the question why bother with filtering eth1 at
> all in Scenario 1? Could the rules equally have been written as:
>
> Scenario 3: (note single interface used, filter in both directions on eth0)
> iptables -A FORWARD -i eth0 -s anyIP --sport anyPort -d webServIP
> --dport 80  -j ACCEPT
> iptables -A FORWARD -o eth0 -s webServIP --sport 80 -d anyIP --dport
> anyPort  -j ACCEPT
>
> Again apologies for the obvious stupidity on my part.
>   

As soon a packet matches a rule and the target is terminating, like the 
ACCEPT target is, there is no more filtering on the packet - it is ACCEPTED.
Hence your rules would be redundant.
As i already told you, you can use -i eth0 and -o eth1 for FORWARD 
rules, if you desire/and or need that.

regards

Mart
>
> On Sun, Nov 8, 2009 at 2:21 PM, Oskar Berggren <oskar.berggren@gmail.com> wrote:
>   
>> You seem to be over-thinking in the wrong direction. :)
>>
>> iptables by itself is not concerned with what you as administrator
>> consider "outbound" or "inbound" traffic to/from your "network".
>>
>> -i <interfacename> simply mean: match traffic arriving to this machine
>> on this interface.
>> -o <interfacename> simply mean: match traffic that the routing system
>> says will leave this machine via this interface.
>>
>> These are from the perspective of the firewall itself. What inbound
>> and outbound means with respect to your client machines is a different
>> thing.
>>
>> Provided that you have no other interfaces the two rules you've
>> specified actually both match the same traffic: Packets arriving on
>> eth0 and being routed to the subnet on eth1. However, none of those
>> rules will match traffic arriving on eth1 (from your clients), heading
>> for the external network.
>>
>> /Oskar
>>
>>
>> 2009/11/8 paddy joesoap <paddyjoesoap@gmail.com>:
>>     
>>> Dear Experts
>>>
>>> I am curious to know more about what FORWARD chain inbound and
>>> outbound actually mean.
>>>
>>> Example firewall set-up below:
>>>
>>> Internet --- Firewall --- PC
>>>
>>> Firewall has 2 interfaces: eth0 = External and eth1 = Internal
>>>
>>> From what I can gather from the Netfilter website, all I need to do is
>>> create are inbound and outbound rules on the FORWARD chain.
>>>
>>> To allow inbound Internet access, I specify:
>>>
>>> FORWARD -i eth0
>>>
>>> To allow outbound PC access, I specify:
>>>
>>> FORWARD -o eth1
>>>
>>> The question is from whose perspective do you view what is inbound and
>>> what is outbound?
>>>
>>> For example, in the case of the Internet client, traffic flowing
>>> towards the firewall is indeed Inbound so naturally "FORWARD -i eth0"
>>> is required. However, isn't it also Outbound on eth1, given that it
>>> leaves interface eth1 to get to PC?
>>>
>>> Similarly, clients on the internal network think of their traffic as
>>> being outbound only, but when traffic is being "forwarded" from eth1
>>> to eth0 heading for the Internet, isn't that traffic classed as
>>> Inbound on eth0?
>>>
>>> Do I need to create rules for this scenario also or is Netfilter
>>> handling these implied situations?
>>>
>>> Beginner questions so apologies in advance.
>>> Paddy.
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>
>>>       
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>   

Re: Forward Chain: is Inbound traffic on eth0 not also Outbound depending on your view?

[paddy joesoap]

On Mon, Nov 9, 2009 at 10:00 AM, Mart Frauenlob
<mart.frauenlob@chello.at> wrote:
> paddy joesoap wrote:
>>
>> Hi guy's
>>
>> I was just reading through the links Mart provided to try and get a
>> handle on things.
>>
>> Suppose this is the scenario:
>>
>> Internet -- Firewall -- Web server where the firewall has eth0 =
>> External and eth1 = Internal
>>
>> My understanding of seeing examples on the web (please correct me if I
>> am wrong) is that access to a web server can be permitted as follows:
>>
>> Scenario 1:
>> iptables -A FORWARD -i eth0 -s anyIP --sport anyPort -d webServIP
>> --dport 80  -j ACCEPT
>> iptables -A FORWARD -o eth1 -s webServIP --sport 80 -d anyIP --dport
>> anyPort  -j ACCEPT
>>
>> I was just wondering must I also include 2 other rules:
>>
>> Scenario 2:
>> iptables -A FORWARD -i eth0 -s anyIP --sport anyPort -d webServIP
>> --dport 80  -j ACCEPT // external in on eth0
>> iptables -A FORWARD -o eth1 -s anyIP --sport anyPort -d webServIP
>> --dport 80  -j ACCEPT // new rule. external out on eth1 toward web
>> server
>> iptables -A FORWARD -o eth1 -s webServIP --sport 80 -d anyIP --dport
>> anyPort  -j ACCEPT
>> iptables -A FORWARD -i eth0 -s webServIP --sport 80 -d anyIP --dport
>> anyPort  -j ACCEPT // new rule
>>
>> >From what I can gather of the iptables tutorial, I don't have to worry
>> about the 2 new rules. Perhaps they are redundant, in the sense that
>> traffic is being filtered in one direction of each interface and
>> filtering the same kind of traffic in both directions on each
>> interface maybe considered duplication.
>>
>> But then again what about the default policy of Drop. Would not having
>> these two new rules mean http traffic fails? My guess is after traffic
>> has been processed (from the netfilter flow diagram Maart sent)
>> in one direction it is the automatically routed to the second
>> interface without filtering. So the answer is yes, http traffic will
>> still get by. Correct?
>>
>> This now makes me as the question why bother with filtering eth1 at
>> all in Scenario 1? Could the rules equally have been written as:
>>
>> Scenario 3: (note single interface used, filter in both directions on
>> eth0)
>> iptables -A FORWARD -i eth0 -s anyIP --sport anyPort -d webServIP
>> --dport 80  -j ACCEPT
>> iptables -A FORWARD -o eth0 -s webServIP --sport 80 -d anyIP --dport
>> anyPort  -j ACCEPT
>>
>> Again apologies for the obvious stupidity on my part.
>>
>
> As soon a packet matches a rule and the target is terminating, like the
> ACCEPT target is, there is no more filtering on the packet - it is ACCEPTED.

The above line has switched on the light-bulb.


> Hence your rules would be redundant.
> As i already told you, you can use -i eth0 and -o eth1 for FORWARD rules, if
> you desire/and or need that.
>

Thanks for the insights Mart.