Re: netfilter machine in between 2 servers

Hi Antony,
    Great explanation. It seems like what you're saying is *if* I did want to keep track of whatever's going on (i.e. LOG http packets) using iptables I would need to make sure the client and server are part of 2 different nets, correct? So... the 3rd machine would need to route and filter.
 
   Otherwise how hard would it be to go into the code and make iptables recognize broadcast packets a la ethereal? From reading the docs, it seems like it wouldn't be possible, because the furthest "up" that netfilter can go is the "PREROUTING" hook.
 
 
Thanks,
S


Antony Stone <Antony@xxxxxxxxxxxxxxxxxxxx> wrote:
On Sunday 14 March 2004 9:28 am, Sandy C wrote:

> So I have the following rule on the third machine:
> iptables -A INPUT -p tcp --dport 80 -j LOG
>
> meaning just log all http requests. It doesn't work, but if I have this
> rule on either the client or the server, it works as expected.

Indeed. The INPUT chain is for packets addressed to the machine with the
rule running on it - so therefore it works as expected if you put the rule on
the client or server, because they are actually sending and receiving
packets.

It doesn't work if you look for packets in the INPUT chain of a machine which
simply happens to be running ethereal (or tcpdump, or any other sniffer),
because those packets are not addressed to the machine itself, and therefore
never make their way up the TCP/IP stack and enter netfilter. Packet
sniffers grab the packets much closer to the interface than this, and will
see stuff which netfilter does not.

> I get the feeling I'm missing something very basic. Can anyone help?

You should think of netfilter as an add-on to Linux's routing capabilities.
Normal routing allows a machine to pass packets between interfaces.
Netfilter allows those packets to be blocked, or logged, or redirected to
another address. If you are not routing packets through a machine, and it
is not one of the endpoints taking part in the communication, then you cannot
filter them with netfilter.

Your setup is not routing packets through machine 3 because client and server
are on the same subnet, happily talking to each other directly, without any
need to route through something else. If you were using a switch instead of
a hub, machine 3 wouldn't even see the packets in the first place using
ethereal :)

Hope this helps,

Antony.
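The point Antony makes above, as an added illustration (this is not code from the netfilter project or from anyone in the thread): a frame that machine 3 merely overhears on a hub is accepted by the card only in promiscuous mode, is tagged PACKET_OTHERHOST, and is discarded in ip_rcv() before the PREROUTING hook runs, so a sniffer on PF_PACKET sees it but no iptables chain does. Once client and server sit on different subnets with machine 3 as the gateway, the same packet traverses PREROUTING, FORWARD and POSTROUTING, and a LOG rule belongs in FORWARD, not INPUT. True Ethernet broadcasts (dst ff:ff:ff:ff:ff:ff) are different from the overheard unicast frames: they are delivered normally and do reach PREROUTING/INPUT. The model below is simplified to just those decisions; all hosts, MACs and addresses are constructed.

```python
"""Which netfilter hooks does a Linux host run for a given frame?

Added example; not code from the netfilter project or from the thread.
It models the decisions between the NIC and the hooks: the MAC filter,
ip_rcv()'s discard of PACKET_OTHERHOST frames (before NF_INET_PRE_ROUTING),
and the routing decision that selects INPUT or FORWARD.  All hosts,
addresses and MACs are constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Host:
    name: str
    mac: str
    addrs: list            # IPv4 addresses configured on this host
    routes: list           # (destination network, outgoing interface)
    ip_forward: bool = False
    promiscuous: bool = False  # a sniffer has put the NIC in promiscuous mode


@dataclass
class Frame:
    dst_mac: str
    src_ip: str
    dst_ip: str
    dport: int = 80


@dataclass
class Result:
    sniffer_sees: bool   # a packet tap (tcpdump/ethereal) would capture it
    hooks: list          # netfilter hooks traversed, in order
    verdict: str


def receive(host, frame):
    """Simulate a frame arriving on one of host's interfaces."""
    own = frame.dst_mac in (host.mac, BROADCAST_MAC)
    # 1. NIC address filter: own MAC and broadcast are accepted; other
    #    unicast only in promiscuous mode, and then tagged PACKET_OTHERHOST.
    if not own and not host.promiscuous:
        return Result(False, [], "discarded by NIC address filter")
    sniffer_sees = True  # PF_PACKET taps see everything the NIC hands up
    # 2. ip_rcv(): PACKET_OTHERHOST frames are dropped before PREROUTING, so
    #    netfilter never sees traffic between two other hosts on a hub.
    if not own:
        return Result(sniffer_sees, [], "dropped in ip_rcv (PACKET_OTHERHOST)")
    hooks = ["PREROUTING"]
    # 3. Routing decision: local delivery or forwarding.
    dst = ip_address(frame.dst_ip)
    if dst in map(ip_address, host.addrs):
        hooks.append("INPUT")
        return Result(sniffer_sees, hooks, "delivered to local socket")
    if not host.ip_forward:
        return Result(sniffer_sees, hooks, "dropped: not local and ip_forward=0")
    for net, iface in host.routes:
        if dst in ip_network(net):
            hooks += ["FORWARD", "POSTROUTING"]
            return Result(sniffer_sees, hooks, f"forwarded out {iface}")
    return Result(sniffer_sees, hooks, "dropped: no route")


def log_rule_fires(chain, result):
    """An '-A <chain> ... -j LOG' rule can match only if that hook ran."""
    return chain in result.hooks


def hub_sniffer():
    """Scenario A: one subnet on a hub, machine 3 only sniffing (the original setup)."""
    machine3 = Host("machine3", "02:00:00:00:00:03", ["192.168.1.30"],
                    [("192.168.1.0/24", "eth0")], promiscuous=True)
    # Client sends straight to the server's MAC; machine 3 merely overhears it.
    frame = Frame("02:00:00:00:00:02", "192.168.1.10", "192.168.1.20")
    return receive(machine3, frame)


def router():
    """Scenario B: two subnets, machine 3 is the client's default gateway."""
    machine3 = Host("machine3", "02:00:00:00:00:03", ["192.168.1.1", "10.0.0.1"],
                    [("192.168.1.0/24", "eth0"), ("10.0.0.0/24", "eth1")],
                    ip_forward=True)
    frame = Frame("02:00:00:00:00:03", "192.168.1.10", "10.0.0.20")
    return receive(machine3, frame)


def endpoint():
    """Scenario C: the packet is addressed to machine 3 itself (rule on an endpoint)."""
    machine3 = Host("machine3", "02:00:00:00:00:03", ["192.168.1.30"],
                    [("192.168.1.0/24", "eth0")])
    frame = Frame("02:00:00:00:00:03", "192.168.1.10", "192.168.1.30")
    return receive(machine3, frame)


if __name__ == "__main__":
    for name, fn in (("hub/sniffer", hub_sniffer), ("router", router), ("endpoint", endpoint)):
        r = fn()
        print(f"{name:12} sniffer={r.sniffer_sees} hooks={r.hooks} "
              f"INPUT-LOG={log_rule_fires('INPUT', r)} "
              f"FORWARD-LOG={log_rule_fires('FORWARD', r)} ({r.verdict})")
```

For scenario B on a real machine 3 the configuration is: give it an address on each subnet, enable forwarding with `sysctl -w net.ipv4.ip_forward=1`, point the client's and server's default routes at it, and use `iptables -A FORWARD -p tcp --dport 80 -j LOG --log-prefix "http: "` rather than an INPUT rule. A sniffer on machine 3 will still show more than the LOG target does (ARP, frames dropped at step 2, traffic to other hosts on either segment if a hub is used), which is what Antony means by sniffers grabbing packets closer to the interface.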
