Aigh!  Upon re-reading, I must add that the linuxvirtualserver.org link is
not appropriate in this answer.  Sorry for my confusion--please ignore the
Joseph.Mack LVS-HOWTO link for the purposes of this answer.

Apologies,

-Martin

: Kjell,
:
: Let me try a slightly different tack.....one of the fundamental
: differences between ipchains and iptables is identified and explored in
: varying depths here:
:
: http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-10.html
: http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO.netfilter_hooks.html
:
: [ Apparently, I wrote a similar statement about ipchains vs. iptables in
: July of last year...the beauty of a bad memory is that I can learn
: things anew by re-reading things I once knew! ]
:
: http://lists.insecure.org/lists/firewall-wizards/2002/Jul/0228.html
:
: In ipchains, each incoming packet hit input, forward and output chains,
: which only filtered packets (OK, OK, and masqueraded).
:
: In iptables, every incoming packet traverses the PREROUTING chains in the
: conntrack (implicit), mangle and nat tables.  In the PREROUTING chains,
: you have access to --in-interface (-i) $RECEIVE_IF.  In the PREROUTING
: chain, an output interface makes no sense, because we have no idea about
: where the packet is going!
:
: Now that the PREROUTING chain has been passed, we'll route!  After
: routing, (and assuming the packet is bound for a non-local destination),
: the packet will enter the FORWARD chain.  Now, we know both --in-interface
: $RECEIVE_IF and --out-interface (-o) $TRANSMIT_IF, so both options can be
: used.
:
: POSTROUTING is just about the last thing before the packet is handed off
: to the much misunderstood traffic control system.  And in this
: chain, you'll see analogous behaviour...the --in-interface option is not
: available.
:
: Does that answer your question?
:
: -Martin
:
: : > > For a packet that is not for local host,
: : > > but comes in on one interface and goes
: : > > out on another;
: :
: : (1)
: :
: : > > Will that packet traverse PREROUTING, FORWARD and POSTROUTING
: : > > on _both_ interfaces, or
: :
: : (2)
: :
: : > > will that packet traverse PREROUTING, FORWARD and POSTROUTING
: : > > only once, where PREROUTING is when a packet "is in" the incoming
: : > > physical interface, and is in FORWARD and POSTROUTING when
: : > > the packet "is in" the outgoing interface?
: : > >
: : > Maybe this can help :
: : > http://www.docum.org/stef.coene/qos/kptd/
: :
: : No.  It would help if you told me what is right.
: : The figure I got from before, and really don't
: : rule out number one.
: :
: : _______________________________________________
: : LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
: : http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@xxxxxxxxxxxxxx