Re: Purpose of self-referential rule

On Monday 24 February 2003 11:06 am, Kelly Setzer wrote:
> I've been experimenting with gShield trying to learn the ins and outs
> of iptables.  One of the rules it generates is:
>
> iptables -A INPUT -s 192.168.6.0/24 -d 192.168.6.0/24 -i eth1 -j ACCEPT
>
> The source and dest are correct for my internal network, and eth1 is
> the internal net.  My question is, when would the firewall ever see a
> packet that could possibly match this?  Any packet with a source and
> destination on the same network would be sent directly (no
> routing, thus no firewall).
>
> What am I missing?

What's the IP of eth1?  This is the INPUT chain, so it's for traffic 
targeted at the firewall box itself.  Having a destIP listed with a /24 
is a little odd, though, unless you are assigned an IP by DHCP or some such 
where it won't know the IP when the rule is generated, or it may change.

j

> thanks,
> Kelly

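The following is an added example, not code from the thread or from gShield. It models the two decisions that answer Kelly's question: the sending host's choice of whether a packet goes to the firewall at all (on-link destinations are delivered directly), and netfilter's routing decision that sends packets addressed to the box itself to INPUT rather than FORWARD. The addresses are assumed for the example (eth1 as 192.168.6.1/24, eth0 as 203.0.113.10/24, a LAN host 192.168.6.20); the thread does not state them. It compares the quoted /24 rule with a tightened variant that names eth1's own address, which is what the reply suggests the rule really means.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for the firewall box (assumed for this example, not
# stated in the thread): eth1 is the internal side, eth0 the external side.
IFACES = {
    "eth0": ipaddress.ip_interface("203.0.113.10/24"),
    "eth1": ipaddress.ip_interface("192.168.6.1/24"),
}
LOCAL_IPS = {i.ip for i in IFACES.values()}


@dataclass(frozen=True)
class Rule:
    chain: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    in_iface: str


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# The gShield rule as quoted, and a tightened variant that names eth1's own
# address instead of the whole /24 (the intent the reply points at).
LOOSE = Rule("INPUT", net("192.168.6.0/24"), net("192.168.6.0/24"), "eth1")
TIGHT = Rule("INPUT", net("192.168.6.0/24"), net("192.168.6.1/32"), "eth1")


def reaches_firewall(sender: ipaddress.IPv4Interface,
                     dst: ipaddress.IPv4Address) -> bool:
    """Sender-side view: a host delivers on-link destinations directly, so the
    firewall only receives the packet if dst is one of its own addresses or is
    off the sender's subnet (the host hands it to the firewall as gateway)."""
    return dst in LOCAL_IPS or dst not in sender.network


def chain_for(dst: ipaddress.IPv4Address) -> str:
    """Netfilter's routing decision: local destination -> INPUT, else FORWARD."""
    return "INPUT" if dst in LOCAL_IPS else "FORWARD"


def rule_matches(rule: Rule, src: ipaddress.IPv4Address,
                 dst: ipaddress.IPv4Address, in_iface: str) -> bool:
    """Does a packet in the chain it lands in match -s/-d/-i of the rule?"""
    return (
        chain_for(dst) == rule.chain
        and src in rule.src
        and dst in rule.dst
        and in_iface == rule.in_iface
    )


def trace(sender: str, dst: str, in_iface: str = "eth1") -> dict:
    """Follow one packet from a host (addr/prefix) to dst and report what the
    firewall sees; in_iface is the interface it would arrive on."""
    snd = ipaddress.ip_interface(sender)
    target = ipaddress.ip_address(dst)
    seen = reaches_firewall(snd, target)
    return {
        "seen_by_firewall": seen,
        "chain": chain_for(target) if seen else None,
        "loose_matches": seen and rule_matches(LOOSE, snd.ip, target, in_iface),
        "tight_matches": seen and rule_matches(TIGHT, snd.ip, target, in_iface),
    }


if __name__ == "__main__":
    for target in ("192.168.6.1", "192.168.6.30", "198.51.100.7"):
        print(target, trace("192.168.6.20/24", target))
```

Running it shows the three cases: LAN traffic to the box's own eth1 address is the only kind that both reaches INPUT and matches the rule (the loose and tight rules agree on it); LAN-to-LAN traffic never arrives at the box, exactly as Kelly reasoned; and traffic from the LAN to an outside address does reach the box but lands in FORWARD, where an INPUT rule is irrelevant. The `-i eth1` match is what keeps the same source/destination pair arriving on eth0 from matching.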
