* RE: FORWARD Chain Question
From: Gene Dellinger @ 2005-12-12 21:46 UTC (permalink / raw)
To: netfilter
To All:
I got some helpful information, thanks to those who responded, I am still a
bit fuzzy though.
A packet coming in ETH0 destined for a system connected to ETH1, will that
packet begin in the PREROUTING
chain on ETH1 (sample 1) and then out, or go to the FORWARD chain (sample 2)
and then out?
ETH0:PREROUTING---->FORWARD---->POSTROUTING---->OUT
         |             |             |
       INPUT           |          OUTPUT
         |            \|/            |
   Local Process       |       Local Process
                       |
         ----<---<-----|
         |
        \|/
ETH1:PREROUTING---->FORWARD---->POSTROUTING---->OUT
         |                           |
       INPUT                      OUTPUT
         |                           |
   Local Process               Local Process
sample 1
_________________________________________________________
ETH0:PREROUTING---->FORWARD---->POSTROUTING---->OUT
         |             |             |
       INPUT           |          OUTPUT
         |            \|/            |
   Local Process       |       Local Process
                       |
                       |
                       |
                      \|/
ETH1:PREROUTING---->FORWARD---->POSTROUTING---->OUT
         |                           |
       INPUT                      OUTPUT
         |                           |
   Local Process               Local Process
sample 2
_________________________________________________________
Thanks Again
Gene D.
-----Original Message-----
From: Gene Dellinger [mailto:gene@poh.com]
Sent: Friday, December 09, 2005 2:40 PM
To: netfilter@lists.netfilter.org
Subject: FORWARD Chain Question
On a multi-homed machine being used as a firewall, if
a packet is forwarded from one interface to another,
does the packet enter at the PRE-ROUTING portion of the iptables
chain again for that interface? It may seem obvious but
I just want to make sure I am clear on that aspect of the
chain traversal.
Thanks
Gene D.
* Re: FORWARD Chain Question (nfcan: addressed to exclusive sender for this address)
From: Jim Laurino @ 2005-12-13 0:16 UTC (permalink / raw)
To: netfilter
On 2005.12.12 16:46, Gene Dellinger - gene@poh.com wrote:
> To All:
> I got some helpful information, thanks to those who responded, I am still a
> bit fuzzy though.
> A packet coming in ETH0 destined for a system connected to ETH1, will that
> packet begin in the PREROUTING
> chain on ETH1 (sample 1) and then out, or go to the FORWARD chain (sample 2)
> and then out?
Neither example matches the structure of netfilter.
There is only one each of prerouting, forward, postrouting.
There is not one chain per interface.
If you need to specify the interface in a rule,
you must use the -i and -o fields in that rule.
One or the other of these fields may not be useable in some chains.
>
> ETH0:PREROUTING---->FORWARD---->POSTROUTING---->OUT
>          |             |             |
>        INPUT           |          OUTPUT
>          |            \|/            |
>    Local Process       |       Local Process
>                        |
>          ----<---<-----|
>          |
>         \|/
> ETH1:PREROUTING---->FORWARD---->POSTROUTING---->OUT
>          |                           |
>        INPUT                      OUTPUT
>          |                           |
>    Local Process               Local Process
>
> sample 1
> _________________________________________________________
>
> ETH0:PREROUTING---->FORWARD---->POSTROUTING---->OUT
>          |             |             |
>        INPUT           |          OUTPUT
>          |            \|/            |
>    Local Process       |       Local Process
>                        |
>                        |
>                        |
>                       \|/
> ETH1:PREROUTING---->FORWARD---->POSTROUTING---->OUT
>          |                           |
>        INPUT                      OUTPUT
>          |                           |
>    Local Process               Local Process
>
> sample 2
> _________________________________________________________
>
>
> Thanks Again
> Gene D.
>
>
> -----Original Message-----
> From: Gene Dellinger [mailto:gene@poh.com]
> Sent: Friday, December 09, 2005 2:40 PM
> To: netfilter@lists.netfilter.org
> Subject: FORWARD Chain Question
>
>
> On a multi-homed machine being used as a firewall, if
> a packet is forwarded from one interface to another,
> does the packet enter at the PRE-ROUTING portion of the iptables
> chain again for that interface? It may seem obvious but
> I just want to make sure I am clear on that aspect of the
> chain traversal.
>
> Thanks
> Gene D.
>
>
>
--
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.
* Re: FORWARD Chain Question
From: Jörg Harmuth @ 2005-12-13 10:30 UTC (permalink / raw)
To: netfilter
Gene Dellinger wrote:
> To All:
> I got some helpful information, thanks to those who responded, I am still a
> bit fuzzy though.
> A packet coming in ETH0 destined for a system connected to ETH1, will that
> packet begin in the PREROUTING
> chain on ETH1 (sample 1) and then out, or go to the FORWARD chain (sample 2)
> and then out?
>
> ETH0:PREROUTING---->FORWARD---->POSTROUTING---->OUT
>          |             |             |
>        INPUT           |          OUTPUT
>          |            \|/            |
>    Local Process       |       Local Process
As Jim already said, chain traversal isn't bound to interfaces by
itself, but you can write rules that are related to a certain interface.
If you take this picture (stolen from you and a little bit modified):
IN-->PREROUTING---->FORWARD---->POSTROUTING---->OUT
         |                             |
       INPUT                         OUTPUT
         |                             |
         +------->Local Process------->+
then you have a simplified picture of what's going on (amongst others,
nat and mangle table are missing and the optional raw table as well).
Packets go through the above picture regardless of the interface (unless
as Jim also said, you specify -i or -o).
HTH,
Joerg
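Added example (not part of the original thread and not netfilter code): a toy Python model of the single traversal path described in the two replies above, showing that a forwarded packet visits each chain once and that interface selection happens only through -i/-o in individual rules. The Rule class, the traverse() function, the eth2 interface and the sample ruleset are constructed for illustration; tables (raw, mangle, nat) are left out, as in the simplified picture.

```python
# Added illustration: toy model of the traversal in the diagram above.
# Tables (raw, mangle, nat) are left out; rule matching is reduced to -i/-o.
from dataclasses import dataclass
from typing import Optional

IN_OK = {"PREROUTING", "INPUT", "FORWARD"}      # chains where -i can match
OUT_OK = {"FORWARD", "OUTPUT", "POSTROUTING"}   # chains where -o can match

@dataclass
class Rule:
    chain: str
    target: str                    # "ACCEPT" or "DROP"
    in_if: Optional[str] = None    # -i, None = any interface
    out_if: Optional[str] = None   # -o, None = any interface

    def __post_init__(self):
        # iptables refuses these combinations when the rule is added
        if self.in_if and self.chain not in IN_OK:
            raise ValueError(f"-i is not usable in {self.chain}")
        if self.out_if and self.chain not in OUT_OK:
            raise ValueError(f"-o is not usable in {self.chain}")

def path(in_if, out_if):
    """Chains a packet visits. in_if=None: locally generated;
    out_if=None: addressed to the firewall itself."""
    if in_if is None:
        return ["OUTPUT", "POSTROUTING"]
    if out_if is None:
        return ["PREROUTING", "INPUT"]
    return ["PREROUTING", "FORWARD", "POSTROUTING"]

def traverse(rules, policy, in_if, out_if):
    """Return (verdict, chains visited); first matching rule wins per chain."""
    visited = []
    for chain in path(in_if, out_if):
        visited.append(chain)
        verdict = policy.get(chain, "ACCEPT")
        for r in rules:
            if (r.chain == chain and r.in_if in (None, in_if)
                    and r.out_if in (None, out_if)):
                verdict = r.target
                break
        if verdict == "DROP":
            return "DROP", visited
    return "ACCEPT", visited

# Constructed sample ruleset: eth0 and eth1 may talk, nothing else is forwarded.
RULES = [Rule("FORWARD", "ACCEPT", in_if="eth0", out_if="eth1"),
         Rule("FORWARD", "ACCEPT", in_if="eth1", out_if="eth0")]
POLICY = {"FORWARD": "DROP"}
```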
* RE: FORWARD Chain Question
From: Gene Dellinger @ 2005-12-13 19:21 UTC (permalink / raw)
To: Jörg Harmuth, netfilter
Thanks to all,
All the information provided cleared things up for me.
Gene D.
-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of Jörg Harmuth
Sent: Tuesday, December 13, 2005 12:31 AM
To: netfilter@lists.netfilter.org
Subject: Re: FORWARD Chain Question
Gene Dellinger wrote:
> To All:
> I got some helpful information, thanks to those who responded, I am still a
> bit fuzzy though.
> A packet coming in ETH0 destined for a system connected to ETH1, will that
> packet begin in the PREROUTING
> chain on ETH1 (sample 1) and then out, or go to the FORWARD chain (sample 2)
> and then out?
>
> ETH0:PREROUTING---->FORWARD---->POSTROUTING---->OUT
>          |             |             |
>        INPUT           |          OUTPUT
>          |            \|/            |
>    Local Process       |       Local Process
As Jim already said, chain traversal isn't bound to interfaces by
itself, but you can write rules that are related to a certain interface.
If you take this picture (stolen from you and a little bit modified):
IN-->PREROUTING---->FORWARD---->POSTROUTING---->OUT
         |                             |
       INPUT                         OUTPUT
         |                             |
         +------->Local Process------->+
then you have a simplified picture of what's going on (amongst others,
nat and mangle table are missing and the optional raw table as well).
Packets go through the above picture regardless of the interface (unless
as Jim also said, you specify -i or -o).
HTH,
Joerg
* Re: FORWARD Chain Question
From: Georgi Alexandrov @ 2005-12-10 8:15 UTC (permalink / raw)
To: netfilter
Gene Dellinger wrote:
>On a multi-homed machine being used as a firewall, if
>a packet is forwarded from one interface to another,
>does the packet enter at the PRE-ROUTING portion of the iptables
>chain again for that interface? It may seem obvious but
>I just want to make sure I am clear on that aspect of the
>chain traversal.
>
>Thanks
>Gene D.
>
>
>
>
Actually yes, the first chain that it hits is the PREROUTING chain of
the mangle table.
ref:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TRAVERSINGOFTABLES
regards,
Georgi Alexandrov
* FORWARD Chain Question
From: Gene Dellinger @ 2005-12-10 0:40 UTC (permalink / raw)
To: netfilter
On a multi-homed machine being used as a firewall, if
a packet is forwarded from one interface to another,
does the packet enter at the PRE-ROUTING portion of the iptables
chain again for that interface? It may seem obvious but
I just want to make sure I am clear on that aspect of the
chain traversal.
Thanks
Gene D.