* RE: FORWARD Chain Question
From: Gene Dellinger @ 2005-12-12 21:46 UTC
To: netfilter

To All:
I got some helpful information, thanks to those who responded, I am still a
bit fuzzy though.
A packet coming in ETH0 destined for a system connected to ETH1, will that
packet begin in the PREROUTING
chain on ETH1(sample 1) and then out or go to the FORWARD chain(sample 2)
and then out.

ETH0:PREROUTING---->FORWARD---->POSTROUTING---->OUT
         |             |             |
       INPUT           |           OUTPUT
         |            \|/            |
   Local Process       |       Local Process
                       |
         ----<---<-----|
         |
        \|/
ETH1:PREROUTING---->FORWARD---->POSTROUTING---->OUT
         |                           |
       INPUT                       OUTPUT
         |                           |
   Local Process               Local Process

sample 1
_________________________________________________________

ETH0:PREROUTING---->FORWARD---->POSTROUTING---->OUT
         |             |             |
       INPUT           |           OUTPUT
         |            \|/            |
   Local Process       |       Local Process
                       |
                       |
                       |
                      \|/
ETH1:PREROUTING---->FORWARD---->POSTROUTING---->OUT
         |                           |
       INPUT                       OUTPUT
         |                           |
   Local Process               Local Process

sample 2
_________________________________________________________

Thanks Again
Gene D.

-----Original Message-----
From: Gene Dellinger [mailto:gene@poh.com]
Sent: Friday, December 09, 2005 2:40 PM
To: netfilter@lists.netfilter.org
Subject: FORWARD Chain Question

On a multi-homed machine being used as a firewall, if
a packet is forwarded from one interface to another,
does the packet enter in at the PRE-ROUTING portion of the iptables
chain again for that interface? It may seem obvious but
I just want to make sure I am clear on that aspect of the
chain traversal.

Thanks
Gene D.
* Re: FORWARD Chain Question (nfcan: addressed to exclusive sender for this address)
From: Jim Laurino @ 2005-12-13 0:16 UTC
To: netfilter

On 2005.12.12 16:46, Gene Dellinger - gene@poh.com wrote:
> To All:
> I got some helpful information, thanks to those who responded, I am still a
> bit fuzzy though.
> A packet coming in ETH0 destined for a system connected to ETH1, will that
> packet begin in the PREROUTING
> chain on ETH1(sample 1) and then out or go to the FORWARD chain(sample 2)
> and then out.

Neither example matches the structure of netfilter.
There is only one each of prerouting, forward, postrouting.
There is not one chain per interface.

If you need to specify the interface in a rule,
you must use the -i and -o fields in that rule.
One or the other of these fields may not be
useable in some chains.

>
> ETH0:PREROUTING---->FORWARD---->POSTROUTING---->OUT
>          |             |             |
>        INPUT           |           OUTPUT
>          |            \|/            |
>    Local Process       |       Local Process
>                        |
>          ----<---<-----|
>          |
>         \|/
> ETH1:PREROUTING---->FORWARD---->POSTROUTING---->OUT
>          |                           |
>        INPUT                       OUTPUT
>          |                           |
>    Local Process               Local Process
>
> sample 1
> _________________________________________________________
>
> ETH0:PREROUTING---->FORWARD---->POSTROUTING---->OUT
>          |             |             |
>        INPUT           |           OUTPUT
>          |            \|/            |
>    Local Process       |       Local Process
>                        |
>                        |
>                        |
>                       \|/
> ETH1:PREROUTING---->FORWARD---->POSTROUTING---->OUT
>          |                           |
>        INPUT                       OUTPUT
>          |                           |
>    Local Process               Local Process
>
> sample 2
> _________________________________________________________
>
>
> Thanks Again
> Gene D.
>
>
> -----Original Message-----
> From: Gene Dellinger [mailto:gene@poh.com]
> Sent: Friday, December 09, 2005 2:40 PM
> To: netfilter@lists.netfilter.org
> Subject: FORWARD Chain Question
>
>
> On a multi-homed machine being used as a firewall, if
> a packet is forwarded from one interface to another,
> does the packet enter in at the PRE-ROUTING portion of the iptables
> chain again for that interface? It may seem obvious but
> I just want to make sure I am clear on that aspect of the
> chain traversal.
>
> Thanks
> Gene D.
>

-- 
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.
* Re: FORWARD Chain Question
From: Jörg Harmuth @ 2005-12-13 10:30 UTC
To: netfilter

Gene Dellinger wrote:
> To All:
> I got some helpful information, thanks to those who responded, I am still a
> bit fuzzy though.
> A packet coming in ETH0 destined for a system connected to ETH1, will that
> packet begin in the PREROUTING
> chain on ETH1(sample 1) and then out or go to the FORWARD chain(sample 2)
> and then out.
>
> ETH0:PREROUTING---->FORWARD---->POSTROUTING---->OUT
>          |             |             |
>        INPUT           |           OUTPUT
>          |            \|/            |
>    Local Process       |       Local Process

As Jim already said, chain traversal isn't bound to interfaces by
itself, but you can write rules that are related to a certain interface.
If you take this picture (stolen from you and a little bit modified):

IN-->PREROUTING---->FORWARD---->POSTROUTING---->OUT
         |                             |
       INPUT                        OUTPUT
         |                             |
         +------->Local Process------->+

then you have a simplified picture of what's going on (amongst others,
nat and mangle table are missing and the optional raw table as well).
Packets go through the above picture regardless of the interface (unless
as Jim also said, you specify -i or -o).

HTH,

Joerg
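The point made in the two replies above (one set of chains, with interfaces selected only by -i and -o inside rules), as an added example that is not part of the original thread. The function names and the RULES list are constructed for illustration, and the parser is a simplification that ignores tables, `!` negation and `+` interface wildcards.

```python
import shlex

# Built-in chains in which iptables accepts each interface match (iptables(8)).
IN_OK = {"PREROUTING", "INPUT", "FORWARD"}     # -i
OUT_OK = {"FORWARD", "OUTPUT", "POSTROUTING"}  # -o

def traversal(in_if, out_if):
    """Chains visited, once each. in_if=None: locally generated; out_if=None: local delivery."""
    if in_if is None:
        return ["OUTPUT", "POSTROUTING"]
    if out_if is None:
        return ["PREROUTING", "INPUT"]
    return ["PREROUTING", "FORWARD", "POSTROUTING"]

def parse_rule(rule):
    """Pull chain, -i and -o out of a simplified 'iptables ... -A CHAIN ...' line."""
    tok = shlex.split(rule)
    opts = {"-A": None, "-i": None, "-o": None}
    for flag, value in zip(tok, tok[1:]):
        if flag in opts:
            opts[flag] = value
    return opts

def lint(rule):
    """Report interface matches used in a chain where they cannot apply."""
    r = parse_rule(rule)
    problems = []
    if r["-i"] and r["-A"] not in IN_OK:
        problems.append(f"-i is not usable in {r['-A']}")
    if r["-o"] and r["-A"] not in OUT_OK:
        problems.append(f"-o is not usable in {r['-A']}")
    return problems

def matching_rules(rules, in_if, out_if):
    """Valid rules, in traversal order, whose -i/-o agree with the packet's interfaces."""
    hits = []
    for chain in traversal(in_if, out_if):
        for rule in rules:
            r = parse_rule(rule)
            if r["-A"] == chain and not lint(rule) \
                    and r["-i"] in (None, in_if) and r["-o"] in (None, out_if):
                hits.append(rule)
    return hits

RULES = [  # constructed sample ruleset
    "iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT",
    "iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT",
    "iptables -A INPUT -i eth0 -j DROP",
    "iptables -t mangle -A PREROUTING -o eth1 -j ACCEPT",  # -o misused
]
```

A packet forwarded from eth0 to eth1 passes PREROUTING, FORWARD and POSTROUTING once each, and only the first FORWARD rule in the sample set applies to it.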
* RE: FORWARD Chain Question
From: Gene Dellinger @ 2005-12-13 19:21 UTC
To: Jörg Harmuth, netfilter

Thanks to all,
All the information provided cleared things up for me.

Gene D.

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of Jörg Harmuth
Sent: Tuesday, December 13, 2005 12:31 AM
To: netfilter@lists.netfilter.org
Subject: Re: FORWARD Chain Question

Gene Dellinger wrote:
> To All:
> I got some helpful information, thanks to those who responded, I am still a
> bit fuzzy though.
> A packet coming in ETH0 destined for a system connected to ETH1, will that
> packet begin in the PREROUTING
> chain on ETH1(sample 1) and then out or go to the FORWARD chain(sample 2)
> and then out.
>
> ETH0:PREROUTING---->FORWARD---->POSTROUTING---->OUT
>          |             |             |
>        INPUT           |           OUTPUT
>          |            \|/            |
>    Local Process       |       Local Process

As Jim already said, chain traversal isn't bound to interfaces by
itself, but you can write rules that are related to a certain interface.
If you take this picture (stolen from you and a little bit modified):

IN-->PREROUTING---->FORWARD---->POSTROUTING---->OUT
         |                             |
       INPUT                        OUTPUT
         |                             |
         +------->Local Process------->+

then you have a simplified picture of what's going on (amongst others,
nat and mangle table are missing and the optional raw table as well).
Packets go through the above picture regardless of the interface (unless
as Jim also said, you specify -i or -o).

HTH,

Joerg