From: paddy joesoap <paddyjoesoap@gmail.com>
To: netfilter@vger.kernel.org
Subject: Re: Forward Chain: is Inbound traffic on eth0 not also Outbound  depending on your view?
Date: Mon, 9 Nov 2009 10:17:53 +0000	[thread overview]
Message-ID: <ac5c74140911090217r67f9781aob6807bf682743839@mail.gmail.com> (raw)
In-Reply-To: <4AF7E840.3060801@chello.at>

On Mon, Nov 9, 2009 at 10:00 AM, Mart Frauenlob
<mart.frauenlob@chello.at> wrote:
> paddy joesoap wrote:
>>
>> Hi guys
>>
>> I was just reading through the links Mart provided to try and get a
>> handle on things.
>>
>> Suppose this is the scenario:
>>
>> Internet -- Firewall -- Web server where the firewall has eth0 =
>> External and eth1 = Internal
>>
>> My understanding of seeing examples on the web (please correct me if I
>> am wrong) is that access to a web server can be permitted as follows:
>>
>> Scenario 1:
>> iptables -A FORWARD -i eth0 -s anyIP --sport anyPort -d webServIP
>> --dport 80  -j ACCEPT
>> iptables -A FORWARD -o eth1 -s webServIP --sport 80 -d anyIP --dport
>> anyPort  -j ACCEPT
>>
>> I was just wondering must I also include 2 other rules:
>>
>> Scenario 2:
>> iptables -A FORWARD -i eth0 -s anyIP --sport anyPort -d webServIP
>> --dport 80  -j ACCEPT // external in on eth0
>> iptables -A FORWARD -o eth1 -s anyIP --sport anyPort -d webServIP
>> --dport 80  -j ACCEPT // new rule. external out on eth1 toward web
>> server
>> iptables -A FORWARD -o eth1 -s webServIP --sport 80 -d anyIP --dport
>> anyPort  -j ACCEPT
>> iptables -A FORWARD -i eth0 -s webServIP --sport 80 -d anyIP --dport
>> anyPort  -j ACCEPT // new rule
>>
>> From what I can gather of the iptables tutorial, I don't have to worry
>> about the 2 new rules. Perhaps they are redundant, in the sense that
>> traffic is being filtered in one direction of each interface and
>> filtering the same kind of traffic in both directions on each
>> interface maybe considered duplication.
>>
>> But then again what about the default policy of Drop. Would not having
>> these two new rules mean http traffic fails? My guess is after traffic
>> has been processed (from the netfilter flow diagram Mart sent)
>> in one direction it is then automatically routed to the second
>> interface without filtering. So the answer is yes, http traffic will
>> still get by. Correct?
>>
>> This now makes me ask the question why bother with filtering eth1 at
>> all in Scenario 1? Could the rules equally have been written as:
>>
>> Scenario 3: (note single interface used, filter in both directions on
>> eth0)
>> iptables -A FORWARD -i eth0 -s anyIP --sport anyPort -d webServIP
>> --dport 80  -j ACCEPT
>> iptables -A FORWARD -o eth0 -s webServIP --sport 80 -d anyIP --dport
>> anyPort  -j ACCEPT
>>
>> Again apologies for the obvious stupidity on my part.
>>
>
> As soon as a packet matches a rule and the target is terminating, like the
> ACCEPT target is, there is no more filtering on the packet - it is ACCEPTED.

The above line has switched on the light-bulb.


> Hence your rules would be redundant.
> As I already told you, you can use -i eth0 and -o eth1 for FORWARD rules, if
> you desire/and or need that.
>

Thanks for the insights Mart.
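To make the "first terminating match ends evaluation" point concrete, here is a small added Python model of FORWARD-chain matching (constructed for this page, not iptables code and not from anyone in the thread); it walks the poster's Scenario 2 and Scenario 3 rules against a constructed request and its reply, modelling that a forwarded packet has both an input interface (-i, where it arrived) and an output interface (-o, where routing sends it). The addresses, port numbers and the Packet/Rule helpers are assumptions of the model.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# A forwarded packet has both an input interface (where it arrived) and an
# output interface (where routing will send it); -i and -o test those fields.
Packet = namedtuple("Packet", "in_if out_if src sport dst dport")

@dataclass(frozen=True)
class Rule:
    """One FORWARD rule; None means 'any' (the poster's anyIP / anyPort)."""
    target: str                   # ACCEPT or DROP: both are terminating targets
    in_if: Optional[str] = None   # -i
    out_if: Optional[str] = None  # -o
    src: Optional[str] = None     # -s (exact host in this toy model)
    dst: Optional[str] = None     # -d
    sport: Optional[int] = None   # --sport
    dport: Optional[int] = None   # --dport

    def matches(self, p):
        pairs = ((self.in_if, p.in_if), (self.out_if, p.out_if), (self.src, p.src),
                 (self.dst, p.dst), (self.sport, p.sport), (self.dport, p.dport))
        return all(want is None or want == have for want, have in pairs)

def forward_chain(rules, packet, policy="DROP"):
    """Walk the chain top to bottom and return (verdict, index of the rule that
    fired). The first match ends evaluation, so later rules are never consulted;
    index None means the chain's default policy decided."""
    for i, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.target, i
    return policy, None

WEB, CLIENT = "192.0.2.10", "198.51.100.7"  # constructed addresses (documentation ranges)
# The request arrives on eth0 and leaves on eth1; its reply arrives on eth1 and leaves on eth0.
REQUEST = Packet("eth0", "eth1", CLIENT, 40000, WEB, 80)
REPLY = Packet("eth1", "eth0", WEB, 80, CLIENT, 40000)

SCENARIO2 = [  # the poster's four rules, in order
    Rule("ACCEPT", in_if="eth0", dst=WEB, dport=80),
    Rule("ACCEPT", out_if="eth1", dst=WEB, dport=80),  # dead: rule 0 already ACCEPTed the request
    Rule("ACCEPT", out_if="eth1", src=WEB, sport=80),  # does not match a reply, which leaves on eth0
    Rule("ACCEPT", in_if="eth0", src=WEB, sport=80),   # does not match a reply, which arrives on eth1
]
SCENARIO3 = [  # single-interface form from the post: works because -i/-o differ per direction
    Rule("ACCEPT", in_if="eth0", dst=WEB, dport=80),
    Rule("ACCEPT", out_if="eth0", src=WEB, sport=80),
]
```

Running `forward_chain` over each scenario shows the request always stopping at rule 0, so the added "-o eth1" copy is never consulted, and shows which reply rule actually fires once the reply's own -i/-o pair is taken into account.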
