Re: default policies for the NAT chains

Hello,

Let me explain how my firewall rules work -- it will most likely help in answering my question.

When the firewall starts it sets up some basic targets and a large number of user chains.

I have 24 chains -- ok not that many

Here are some of the chains (not all):

tablerule-ext : this is a chain set up to filter incoming packets regardless of destination; here I weed out any unwanted packets or connections. Any matching packets are logged, then dropped.

tablerule-extpri : this chain is only for packets destined for the heartbeat address. Here only heartbeat packets are matched and everything else is dropped.

tablerule-extVIP : I have one chain for every virtual IP; the destination IP of the packet determines which chain it is forwarded to.

So the main filter table has rules that mostly forward packets to other chains.

An example is if a packet wants to come in, go out or be forwarded for 172.16.15.56:
1. It goes to the tablerule-ext chain and is checked to make sure the packet is in good standing (TCP flags, port range, from - to ...); if accepted, it is returned.

2. Then it goes to the tablerule-56 chain where it is either dropped or accepted depending on the traffic I want for the .56 address.

This way I can easily administer any IP address without affecting any other connection. Since almost everything is chain based, I can flush and change chain rules to block them very easily.

So do I still need to have a default policy for the NAT table chains?

Michael.


On Tue, 2 Dec 2003 18:03:02 -0700
Michael Gale <mgale@xxxxxxxxxxxxx> wrote:

> Hello,
> 
> 	Ok -- I had my firewall working perfectly with a default policy in effect:
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> 
> It was also working great for the 22 virtual IP addresses.
> 
> I then thought about the NAT chains (PREROUTING, OUTPUT and POSTROUTING) and figured they should have a default policy as well.
> 
> I added that to the list and now I cannot start an outgoing connection from the firewall.
> 
> So my question is: do I need default policies for the NAT chains? If so, it would seem like I need some rules added twice?
> 
> Any suggestions would be appreciated :)
> 
> -- 
> Michael Gale
> Network Administrator
> Utilitran Corporation
> 


-- 
Michael Gale
Network Administrator
Utilitran Corporation
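The chain layout described in the message, rendered as an iptables-restore ruleset. This is an added example, not code from the post; the VIP list, external interface, heartbeat port and service ports are assumptions. The nat table is left at its built-in ACCEPT policies: only the first packet of each connection traverses nat, so a DROP policy there stops every new connection, including outgoing ones from the firewall itself, while the filtering the post describes stays in the filter table.

```shell
# Added example (not from the post): emit an iptables-restore ruleset with the chain
# layout Michael describes. VIPs, interface, ports and heartbeat address are
# constructed placeholders; the real values are not on the page.
VIPS="172.16.15.56 172.16.15.57"   # sample virtual IPs
HEARTBEAT="172.16.15.1"            # placeholder heartbeat address
EXT="eth0"                         # assumed external interface
build_rules() {
    echo "*filter"
    for c in INPUT FORWARD OUTPUT; do echo ":$c DROP [0:0]"; done   # default-deny, as in the post
    echo ":tablerule-ext - [0:0]"
    echo ":tablerule-extpri - [0:0]"
    for ip in $VIPS; do echo ":tablerule-${ip##*.} - [0:0]"; done
    # Replies to existing connections never re-enter the user chains
    for c in INPUT FORWARD OUTPUT; do
        echo "-A $c -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
    # Step 1: everything arriving on the external interface is vetted by tablerule-ext
    echo "-A INPUT -i $EXT -j tablerule-ext"
    echo "-A FORWARD -i $EXT -j tablerule-ext"
    # Step 2: dispatch on destination address (the heartbeat address has its own chain)
    echo "-A INPUT -d $HEARTBEAT -j tablerule-extpri"
    for ip in $VIPS; do
        echo "-A INPUT -d $ip -j tablerule-${ip##*.}"
        echo "-A FORWARD -d $ip -j tablerule-${ip##*.}"
    done
    # tablerule-ext: log and drop malformed packets, RETURN the rest to the caller
    echo "-A tablerule-ext -p tcp ! --syn -m state --state NEW -j LOG --log-prefix \"ext-badsyn: \""
    echo "-A tablerule-ext -p tcp ! --syn -m state --state NEW -j DROP"
    echo "-A tablerule-ext -j RETURN"
    # tablerule-extpri: only heartbeat traffic (assumed UDP/694) is allowed
    echo "-A tablerule-extpri -p udp --dport 694 -j ACCEPT"
    echo "-A tablerule-extpri -j DROP"
    # Per-VIP chains: accept the wanted service (sample: tcp/80), log and drop the rest
    for ip in $VIPS; do
        h=${ip##*.}
        echo "-A tablerule-$h -p tcp --dport 80 -m state --state NEW -j ACCEPT"
        echo "-A tablerule-$h -j LOG --log-prefix \"vip-$h-drop: \""
        echo "-A tablerule-$h -j DROP"
    done
    echo "COMMIT"
    # nat table keeps the built-in ACCEPT policies: only the first packet of each
    # connection passes through nat, so a DROP policy there blocks every new connection.
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo "COMMIT"
}
build_rules
```

Feed the output to `iptables-restore` to load the whole layout atomically; the per-VIP chains can then be flushed and rebuilt individually, as the post describes, without touching the rest.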

