
Question RE IPTables


Alex Samad

Mar 9, 2002, 4:48:16 PM
If I have a machine with 3 NICs: Internet, DMZ, local LAN.

If a packet is entering the Internet NIC with a source somewhere on the Internet,
destined for the address of the DMZ NIC, do the packets follow the FORWARD
chain and then the INPUT chain, or is it just the FORWARD or just the INPUT
chain?


Alex


Moth

Mar 9, 2002, 5:55:39 PM
That assumes you've loaded all of the modules, otherwise it is just FORWARD.

--
/**
* @author Moth
* @param http://users.bigpond.net.au/LinuxRouter
* @return rcod...@SPAMbigpond.net.au
*/
"Moth" <rcod...@SPAMbigpond.net.au> wrote in message
news:gpwi8.2784$mp.1...@news-server.bigpond.net.au...
> PREROUTING -> FORWARD -> POSTROUTING
>
> --
> /**
> * @author Moth
> * @param http://users.bigpond.net.au/LinuxRouter
> * @return rcod...@SPAMbigpond.net.au
> */
> "Alex Samad" <asa...@bigpond.net.auNOSPAM> wrote in message
> news:Aqvi8.2598$mp.1...@news-server.bigpond.net.au...

Moth

Mar 9, 2002, 5:55:08 PM
PREROUTING -> FORWARD -> POSTROUTING

--
/**
* @author Moth
* @param http://users.bigpond.net.au/LinuxRouter
* @return rcod...@SPAMbigpond.net.au
*/
"Alex Samad" <asa...@bigpond.net.auNOSPAM> wrote in message
news:Aqvi8.2598$mp.1...@news-server.bigpond.net.au...

JASON

Mar 9, 2002, 6:49:27 PM
Could you list all the modules which should be installed?

Jason

Alex Samad

Mar 9, 2002, 8:18:46 PM
This is true even if it is entering the box, but via a different NIC?

So if I explicitly disallowed all access to the DMZ NIC, as in the default policy
for INPUT was DROP, but had the default policy for FORWARD as ACCEPT, I
could create a connection from the Internet side.

Is this a black spot?

Alex

"Moth" <rcod...@SPAMbigpond.net.au> wrote in message
news:gpwi8.2784$mp.1...@news-server.bigpond.net.au...

Alex Samad

Mar 10, 2002, 12:46:42 AM
Okay, I have checked this.

A - Internet nic
B - DMZ nic
C - local LAN nic

I have pinged from a node on the network attached to C through to the IP
address of B.

It doesn't show in the packet count of any of the tables apart from
PREROUTING. Is this the right behaviour?

Alex

"Moth" <rcod...@SPAMbigpond.net.au> wrote in message
news:gpwi8.2784$mp.1...@news-server.bigpond.net.au...

Moth

Mar 10, 2002, 6:03:57 AM
Should have shown up in FORWARD.

--
/**
* @author Moth
* @param http://users.bigpond.net.au/LinuxRouter
* @return rcod...@SPAMbigpond.net.au
*/
"Alex Samad" <asa...@bigpond.net.auNOSPAM> wrote in message
news:6rCi8.3657$mp.1...@news-server.bigpond.net.au...

Moth

Mar 10, 2002, 6:02:49 AM
Unless you did otherwise most of the ones you would want for iptables should
already be running. The only extras are ip_conntrack_ftp and ip_nat_ftp off
the top of my head.

--
/**
* @author Moth
* @param http://users.bigpond.net.au/LinuxRouter
* @return rcod...@SPAMbigpond.net.au
*/
"JASON" <iexp...@ozemail.com.au> wrote in message
news:3c8a9fbd...@news-server.bigpond.net.au...

Moth

Mar 10, 2002, 6:06:39 AM
If you are running DMZ with public ip then you should not have the default
policy for FORWARD set to ACCEPT. You should set it to either DROP or
REJECT and then only allow those ports that you want.

--
/**
* @author Moth
* @param http://users.bigpond.net.au/LinuxRouter
* @return rcod...@SPAMbigpond.net.au
*/
"Alex Samad" <asa...@bigpond.net.auNOSPAM> wrote in message
news:Wvyi8.3044$mp.1...@news-server.bigpond.net.au...

Alex Samad

Mar 11, 2002, 1:20:19 AM
Yeah, that's what I am doing, but they are not showing up in FORWARD
(strange), just PREROUTING and INPUT. So I have taken the necessary steps,
just in case.

A


"Moth" <rcod...@SPAMbigpond.net.au> wrote in message
news:37Hi8.4797$mp.1...@news-server.bigpond.net.au...

Dougal Holmes

Mar 12, 2002, 6:58:54 AM
I could be wrong, but from my reading of the IPTables doco, if the
packet is destined for one of the interfaces on the Linux box, then it
traverses the prerouting and then the input chain, regardless of what
interface it is. Packets only traverse the forward chain when they are
being forwarded OUT another interface (virtual or physical), in which
case they do not traverse the input and/or output chain.

This is different to ipchains, and the author specifically mentions it
in the READMEs, saying he has finally corrected a design 'error' in
ipchains.

So what you are seeing is correct for packets destined for your DMZ
interface IP. Packets to other DMZ hosts would appear in the forward
chain.
--
Dougal Holmes (at home)
mailto:dho...@bigpond.net.au

"Alex Samad" <asa...@bigpond.net.auNOSPAM> wrote in message
news:D0Yi8.6475$mp.2...@news-server.bigpond.net.au...
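The traversal rule Dougal describes, and the policy gap Moth warns about, as an added model (not code from anyone in this thread): a packet goes to INPUT if its destination is one of the box's own addresses, whichever NIC it arrived on, and to FORWARD otherwise, so a DROP policy on INPUT protects the router itself but not hosts behind the DMZ NIC. All addresses, packets, rules and the "ethA" interface name are constructed assumptions.

```python
from ipaddress import ip_address

# Constructed addresses for the three NICs (documentation ranges), not from the thread.
LOCAL_IPS = {
    "A": ip_address("198.51.100.1"),  # Internet NIC
    "B": ip_address("203.0.113.1"),   # DMZ NIC
    "C": ip_address("192.168.1.1"),   # LAN NIC
}

def chain_path(dst):
    """Filter-chain path for a packet arriving on any NIC.
    After PREROUTING the routing decision looks only at whether dst is one of
    the box's own addresses; the arrival interface does not matter."""
    if ip_address(dst) in LOCAL_IPS.values():
        return ["PREROUTING", "INPUT"]
    return ["PREROUTING", "FORWARD", "POSTROUTING"]

def verdict(pkt, policies, rules):
    """First matching rule in the filter chain wins, else the chain policy applies."""
    for chain in chain_path(pkt["dst"]):
        if chain not in policies:       # PREROUTING/POSTROUTING carry no filter policy here
            continue
        for rule in rules.get(chain, []):
            if all(pkt.get(k) == v for k, v in rule["match"].items()):
                return rule["target"]
        return policies[chain]

# Constructed packets: a LAN host pings the DMZ NIC's own IP (the test in the thread),
# and an Internet host tries SSH and HTTP to a DMZ host behind NIC B.
LAN_PING_TO_B = {"in": "C", "src": "192.168.1.20", "dst": "203.0.113.1", "proto": "icmp"}
NET_TO_DMZ_SSH = {"in": "A", "src": "198.51.100.77", "dst": "203.0.113.10", "proto": "tcp", "dport": 22}
NET_TO_DMZ_HTTP = dict(NET_TO_DMZ_SSH, dport=80)

# The policies Alex described: INPUT DROP but FORWARD ACCEPT.
WEAK = {"INPUT": "DROP", "FORWARD": "ACCEPT"}
# Moth's advice: FORWARD DROP, then allow only the wanted ports explicitly
# (roughly: iptables -P FORWARD DROP; iptables -A FORWARD -i ethA -p tcp
#  -d 203.0.113.10 --dport 80 -j ACCEPT, with "ethA" a placeholder name).
HARDENED = {"INPUT": "DROP", "FORWARD": "DROP"}
ALLOW_RULES = {"FORWARD": [
    {"match": {"in": "A", "dst": "203.0.113.10", "proto": "tcp", "dport": 80}, "target": "ACCEPT"},
]}

if __name__ == "__main__":
    print(chain_path("203.0.113.1"))                       # ['PREROUTING', 'INPUT']
    print(verdict(LAN_PING_TO_B, WEAK, {}))                # DROP: the router itself is protected
    print(verdict(NET_TO_DMZ_SSH, WEAK, {}))               # ACCEPT: the "black spot"
    print(verdict(NET_TO_DMZ_SSH, HARDENED, ALLOW_RULES))  # DROP
    print(verdict(NET_TO_DMZ_HTTP, HARDENED, ALLOW_RULES)) # ACCEPT
```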

Alex Samad

Mar 12, 2002, 4:48:45 PM
Thanks,

that is what I was seeing.

"Dougal Holmes" <dho...@bigpond.net.au> wrote in message
news:24mj8.10139$mp.4...@news-server.bigpond.net.au...
