* FORWARD Chain Question
@ 2005-12-10  0:40 Gene Dellinger
  2005-12-10  8:15 ` Georgi Alexandrov
From: Gene Dellinger @ 2005-12-10  0:40 UTC (permalink / raw)
  To: netfilter

On a multi-homed machine being used as a firewall, if
a packet is forwarded from one interface to another,
does the packet enter at the PREROUTING portion of the iptables
chain again for that interface? It may seem obvious, but
I just want to make sure I am clear on that aspect of the
chain traversal.

Thanks
Gene D.



* Re: FORWARD Chain Question
  2005-12-10  0:40 FORWARD Chain Question Gene Dellinger
@ 2005-12-10  8:15 ` Georgi Alexandrov
From: Georgi Alexandrov @ 2005-12-10  8:15 UTC (permalink / raw)
  To: netfilter

Gene Dellinger wrote:

>On a multi-homed machine being used as a firewall, if
>a packet is forwarded from one interface to another,
>does the packet enter at the PREROUTING portion of the iptables
>chain again for that interface? It may seem obvious, but
>I just want to make sure I am clear on that aspect of the
>chain traversal.
>
>Thanks
>Gene D.
Actually yes, the first chain that it hits is the PREROUTING chain of 
the mangle table.

ref: 
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TRAVERSINGOFTABLES


regards,
Georgi Alexandrov



* RE: FORWARD Chain Question
  2005-12-13 10:30   ` Jörg Harmuth
@ 2005-12-13 19:21     ` Gene Dellinger
From: Gene Dellinger @ 2005-12-13 19:21 UTC (permalink / raw)
  To: Jörg Harmuth, netfilter

Thanks to all,
All the information provided cleared things up for me.


Gene D.


* Re: FORWARD Chain Question
  2005-12-12 21:46 ` Gene Dellinger
@ 2005-12-13 10:30   ` Jörg Harmuth
  2005-12-13 19:21     ` Gene Dellinger
From: Jörg Harmuth @ 2005-12-13 10:30 UTC (permalink / raw)
  To: netfilter

Gene Dellinger schrieb:
> To All:
> I got some helpful information, thanks to those who responded; I am still a
> bit fuzzy though.
> A packet coming in ETH0 destined for a system connected to ETH1: will that
> packet begin in the PREROUTING
> chain on ETH1 (sample 1) and then out, or go to the FORWARD chain (sample 2)
> and then out?
> 
> ETH0:PREROUTING---->FORWARD---->POSTROUTING---->OUT
>          |             |             |
>        INPUT           |           OUTPUT
>          |            \|/            |
>    Local Process       |       Local Process

As Jim already said, chain traversal isn't bound to interfaces by
itself, but you can write rules that are related to a certain interface.
If you take this picture (stolen from you and a little bit modified):

   IN-->PREROUTING---->FORWARD---->POSTROUTING---->OUT
            |                           |
          INPUT                       OUTPUT
            |                           |
            +------->Local Process----->+

then you have a simplified picture of what's going on (amongst others,
nat and mangle table are missing and the optional raw table as well).
Packets go through the above picture regardless of the interface (unless
as Jim also said, you specify -i or -o).

HTH,

Joerg


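The traversal Jörg describes (one pass through PREROUTING, FORWARD and POSTROUTING, with -i/-o as the only way a rule is tied to an interface) and Georgi's point that PREROUTING is the first chain a packet hits, as an added model in Python. This is example code written for this page, not code from the thread or from the netfilter project. The per-chain table order (raw, mangle, nat, filter) is the standard iptables order, with raw ahead of mangle when it is loaded; the Packet, Rule and traverse names, the rule set, the addresses and the assumed routing result (out_iface is given, not computed) are all constructed here.

```python
"""Toy model of iptables chain traversal for packets arriving from the network.

Constructed example: it walks the chains in the order the kernel visits them
and applies -i / -o matches, to show that a forwarded packet enters PREROUTING
once and is never sent through it "again" for the outgoing interface.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Tables consulted at each built-in chain, in the order iptables visits them.
# Standard ordering; the nat INPUT chain of newer kernels is left out.
TABLES_AT_CHAIN = {
    "PREROUTING":  ["raw", "mangle", "nat"],
    "INPUT":       ["mangle", "filter"],
    "FORWARD":     ["mangle", "filter"],
    "OUTPUT":      ["raw", "mangle", "nat", "filter"],
    "POSTROUTING": ["mangle", "nat"],
}

# Chains in which iptables accepts the -i / -o matches (it rejects them elsewhere).
CHAINS_WITH_IN_IFACE = {"PREROUTING", "INPUT", "FORWARD"}
CHAINS_WITH_OUT_IFACE = {"FORWARD", "OUTPUT", "POSTROUTING"}


@dataclass
class Packet:
    in_iface: str    # interface the packet arrived on
    dst: str         # destination address
    out_iface: str   # interface chosen by the routing lookup (assumed, not computed)


@dataclass
class Rule:
    table: str
    chain: str
    target: str                       # "ACCEPT" or "DROP"
    in_iface: Optional[str] = None    # -i
    out_iface: Optional[str] = None   # -o

    def __post_init__(self) -> None:
        # Mirror iptables' own refusal of -i / -o in chains where they make no sense.
        if self.in_iface is not None and self.chain not in CHAINS_WITH_IN_IFACE:
            raise ValueError(f"-i is not valid in the {self.chain} chain")
        if self.out_iface is not None and self.chain not in CHAINS_WITH_OUT_IFACE:
            raise ValueError(f"-o is not valid in the {self.chain} chain")

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and self.in_iface != pkt.in_iface:
            return False
        if self.out_iface is not None and self.out_iface != pkt.out_iface:
            return False
        return True


def traverse(pkt: Packet, local_addrs, rules: List[Rule]) -> Tuple[List[Tuple[str, str]], str]:
    """Return (path, verdict): the (table, chain) pairs visited, in order, and the result.

    The routing decision after PREROUTING sends locally addressed packets to
    INPUT and everything else to FORWARD then POSTROUTING.  No chain is
    entered a second time on account of the outgoing interface.
    """
    chains = ["PREROUTING"]
    chains += ["INPUT"] if pkt.dst in local_addrs else ["FORWARD", "POSTROUTING"]
    path: List[Tuple[str, str]] = []
    for chain in chains:
        for table in TABLES_AT_CHAIN[chain]:
            path.append((table, chain))
            for rule in rules:
                if rule.table == table and rule.chain == chain and rule.matches(pkt):
                    if rule.target == "DROP":
                        return path, "DROP"
                    break  # ACCEPT ends this table's chain; the walk continues
    return path, "ACCEPT"


# Constructed rule set: allow eth0 -> eth1 forwarding, drop any other forwarding.
RULES = [
    Rule("filter", "FORWARD", "ACCEPT", in_iface="eth0", out_iface="eth1"),
    Rule("filter", "FORWARD", "DROP"),
]
LOCAL_ADDRS = {"192.0.2.1", "198.51.100.1"}   # the firewall's own addresses (constructed)


def forwarded_path():
    """eth0 -> eth1 packet: PREROUTING once, then FORWARD and POSTROUTING; accepted."""
    return traverse(Packet("eth0", "198.51.100.50", "eth1"), LOCAL_ADDRS, RULES)


def reverse_path():
    """eth1 -> eth0 packet: same chains, but the -i eth0 -o eth1 rule does not match."""
    return traverse(Packet("eth1", "192.0.2.50", "eth0"), LOCAL_ADDRS, RULES)


def local_path():
    """Packet addressed to the firewall itself goes PREROUTING -> INPUT."""
    return traverse(Packet("eth0", "192.0.2.1", "lo"), LOCAL_ADDRS, RULES)


if __name__ == "__main__":
    for name, fn in (("forwarded", forwarded_path), ("reverse", reverse_path), ("local", local_path)):
        path, verdict = fn()
        print(f"{name:9s} {verdict:6s} " + " -> ".join(f"{t}/{c}" for t, c in path))
```

Running it prints the three walks. The reverse-direction packet is dropped not because it enters a different set of chains but because the rule carrying -i eth0 -o eth1 does not match it, which is the whole of the interface binding Jörg refers to; and constructing a Rule with -i in POSTROUTING raises, as iptables itself would refuse it.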

* RE: FORWARD Chain Question
@ 2005-12-12 21:46 ` Gene Dellinger
  2005-12-13 10:30   ` Jörg Harmuth
From: Gene Dellinger @ 2005-12-12 21:46 UTC (permalink / raw)
  To: netfilter

To All:
I got some helpful information, thanks to those who responded; I am still a
bit fuzzy though.
A packet coming in ETH0 destined for a system connected to ETH1: will that
packet begin in the PREROUTING
chain on ETH1 (sample 1) and then out, or go to the FORWARD chain (sample 2)
and then out?

ETH0:PREROUTING---->FORWARD---->POSTROUTING---->OUT
         |             |             |
       INPUT           |           OUTPUT
         |            \|/            |
   Local Process       |       Local Process
                       |
         +----<---<----+
         |
        \|/
ETH1:PREROUTING---->FORWARD---->POSTROUTING---->OUT
         |                           |
       INPUT                       OUTPUT
         |                           |
   Local Process               Local Process

sample 1
_________________________________________________________

ETH0:PREROUTING---->FORWARD---->POSTROUTING---->OUT
         |             |             |
       INPUT           |           OUTPUT
         |            \|/            |
   Local Process       |       Local Process
                       |
                       |
                      \|/
ETH1:PREROUTING---->FORWARD---->POSTROUTING---->OUT
         |                           |
       INPUT                       OUTPUT
         |                           |
   Local Process               Local Process

sample 2
_________________________________________________________


Thanks Again
Gene D.


