Re: questions about chain traversal, new ascii diagram

Curby . wrote:
Hi, I'm in the process of building a three-interface firewall and I have
some questions about how the different chains see NAT packets and
locally-generated packets.

Firstly, if I just do filtering in the INPUT/OUTPUT chains, NAT-ed
packets will not traverse those chains, so I figure I should probably
put similar filtering rules in the FORWARD chain? (For example, I'd like
to be able to block all my internal users from accessing certain sites,
or block incoming traffic sent by bad hosts from being port-forwarded to
internal servers).

If I was trying to block incoming traffic from bad hosts, why not simply
put the filters in the PREROUTING chain instead of both INPUT and
FORWARD?  Is it because the nat table is intended for just nat and doing
filtering there would be ugly, or would it actually fail to work?

I read in http://davidcoulson.net/writing/lxf/14/iptables.pdf (on the
netfilter.org documentation page) that nat's OUTPUT chain performs DNAT
on outgoing packets originating from the server, and POSTROUTING
performs SNAT on outgoing packets passing through the firewall from
other hosts.  If I have two Internet-facing IPs and would like to SNAT
locally-generated traffic to one or the other, it would appear that
iptables wouldn't let me do that very easily, right?  What is the
purpose of nat's OUTPUT chain (in other words, when would I want to DNAT
locally-generated traffic)?

In what order does locally-generated traffic traverse the OUTPUT chains
of filter and nat tables?

Lastly, aside from those issues, is the diagram below a reasonable
representation?  The only diagrams I found on chain traversal dealt with
the nat and filter tables separately, but I'm hoping that it's possible
to show them together.  (I hope hotmail doesn't completely destroy this
ascii hehe).

# -->n.PREROUT-->routing decision-->f.FORWARD-->n.POSTROUT--,-->
#                       |                     ,-------------^
#                       v                     |
#                     f.INPUT              f.OUTPUT, n.OUTPUT
#                       |                     ^
#                       `--->local process----'

Thanks!

--curby


http://joerg.fruehbrodt.bei.t-online.de/pics/abb3_netfilter_ablaufdiagramm.jpg

What about the mangle decisions, do you also want to include them :D?

--

PGP-ID 0xF8EAF138
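The traversal order the question (and the reply's mention of mangle) is about can be written down as a small model. The following is an added example, not code from either poster or from the netfilter project: it encodes the standard netfilter packet-flow order (at each hook the registered tables run as raw, then mangle, then nat for destination rewriting, then filter, with nat for source rewriting last) and the conntrack rule that the nat table is consulted only for the first packet of a connection. The function and variable names are my own; the only real identifiers are the table and builtin chain names. Running it shows, for instance, that a locally generated packet hits nat OUTPUT before filter OUTPUT and then nat POSTROUTING, so SNAT in POSTROUTING applies to local traffic as well as to forwarded traffic, and that the filter table has no PREROUTING chain at all.

```python
"""Model of the order in which iptables tables and chains see a packet.

Added example (not from the thread). Tables and builtin chains are the real
iptables names; everything else is a simplification for illustration.
"""

from typing import List, Tuple

Hop = Tuple[str, str]  # (table, chain)

# Tables attached to each netfilter hook, in the order the kernel runs them
# (priority order: raw, mangle, nat/dst, filter, nat/src).  The nat INPUT
# chain only exists on newer kernels; older documentation omits it.
HOOKS = {
    "PREROUTING":  [("raw", "PREROUTING"), ("mangle", "PREROUTING"),
                    ("nat", "PREROUTING")],
    "INPUT":       [("mangle", "INPUT"), ("filter", "INPUT"), ("nat", "INPUT")],
    "FORWARD":     [("mangle", "FORWARD"), ("filter", "FORWARD")],
    "OUTPUT":      [("raw", "OUTPUT"), ("mangle", "OUTPUT"), ("nat", "OUTPUT"),
                    ("filter", "OUTPUT")],
    "POSTROUTING": [("mangle", "POSTROUTING"), ("nat", "POSTROUTING")],
}


def hooks_for(origin: str, destination: str) -> List[str]:
    """Which hooks a packet crosses.

    origin/destination are 'wire' (another host) or 'local' (this box).
    A local->local packet leaves via lo and re-enters through PREROUTING.
    """
    routes = {
        ("wire", "local"): ["PREROUTING", "INPUT"],
        ("wire", "wire"): ["PREROUTING", "FORWARD", "POSTROUTING"],
        ("local", "wire"): ["OUTPUT", "POSTROUTING"],
        ("local", "local"): ["OUTPUT", "POSTROUTING", "PREROUTING", "INPUT"],
    }
    try:
        return routes[(origin, destination)]
    except KeyError:
        raise ValueError(f"unknown path {origin!r} -> {destination!r}") from None


def traverse(origin: str, destination: str, first_packet: bool = True) -> List[Hop]:
    """Ordered (table, chain) pairs the packet passes through.

    The nat table is only walked for the first packet of a connection; for
    later packets conntrack replays the stored mapping and the nat chains
    are skipped entirely, which is why filtering rules belong in filter.
    """
    path: List[Hop] = []
    for hook in hooks_for(origin, destination):
        for table, chain in HOOKS[hook]:
            if table == "nat" and not first_packet:
                continue
            path.append((table, chain))
    return path


def filter_chains_seen(origin: str, destination: str) -> List[str]:
    """Only the filter-table chains on the path: where a block rule must live."""
    return [chain for table, chain in traverse(origin, destination) if table == "filter"]


def can_add_rule(table: str, chain: str) -> bool:
    """True if `iptables -t TABLE -A CHAIN` names an existing builtin chain."""
    return any((table, chain) == hop for hops in HOOKS.values() for hop in hops)


def dnat_precedes_forward_filter() -> bool:
    """A FORWARD filter rule sees the post-DNAT destination address."""
    path = traverse("wire", "wire")
    return path.index(("nat", "PREROUTING")) < path.index(("filter", "FORWARD"))


if __name__ == "__main__":
    for origin, destination in [("wire", "local"), ("wire", "wire"), ("local", "wire")]:
        hops = " -> ".join(f"{t}.{c}" for t, c in traverse(origin, destination))
        print(f"{origin:>5} -> {destination:<5}: {hops}")
    print("filter PREROUTING exists:", can_add_rule("filter", "PREROUTING"))
```

The model answers the thread's questions directly: a rule meant to block a bad host from both the firewall itself and port-forwarded servers has to appear in both filter INPUT and filter FORWARD, because those are the only filter chains on the respective paths, and `iptables -t filter -A PREROUTING` is rejected since no such chain exists; a rule in nat PREROUTING would also never see packets after the first one of each connection.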
