Re: Cannot go out the firewall from internal network (NAT)

Marco Nicoloso wrote:

> 1) POSTROUTING chain is processed after the FORWARD chain, isn't it?
Yes
> But do I really need the FORWARD chain? If yes, do I need to set up my
> rules for filtering the packets coming from my LAN which I want to
> pass through the firewall (using a DROP policy) in the FORWARD or just
> in the INPUT chain, or in both of them?
In the FORWARD chain you filter the packets passing through the firewall...
In the INPUT chain you filter the packets sent to your firewall... (For example to a DNS server that sits on your firewalling machine...)
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html


> 2) Which is the right place for the NATting rules in my script? That
> is, must NAT rules be placed before or after PF rules (for me after,
> but as NAT controls different chains because `nat' is a different
> table... maybe it's the same)?
There are chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING) and tables (-t raw, -t mangle, -t nat, -t filter <- (default))
http://www.faqs.org/docs/iptables/traversingoftables.html
NAT rules ARE placed before (PREROUTING) and after (POSTROUTING) PF rules...
Take a look at what you have already done with these commands:

iptables -vnL -t nat
iptables -vnL
iptables -vnL -t mangle

> 3) Can someone verify the following sentence, if I understood
> correctly: "A packet coming from any network connected to the firewall
> enters the chain INPUT:
The correct route:

mangle PREROUTING
nat PREROUTING

[Routing decision]

mangle INPUT
filter INPUT

[Local process]

> rules are processed from the first in order to
> the end,
yes
> if a suiting rule for it is found, then the fate of the
> packet depends only on that rule;
yes
> if not, the packet is either dropped or
> accepted, depending on the general policy of the chain"
yes

Rules that you may think about (what I prefer :D ):
- The chain policy should always be ACCEPT except in the filter table...
- DROP-ing or REJECT-ing should always be done in the filter table...
- Using user-defined chains makes iptables run faster...

Also take a look at my script.... :)

https://lists.netfilter.org/pipermail/netfilter/2006-August/066404.html

Swifty
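A ruleset laid out the way this reply describes, as an added example that is not part of the thread and not Swifty's script: NAT only in the nat table (policy ACCEPT, MASQUERADE in POSTROUTING after FORWARD), all DROPs in the filter table, INPUT for traffic addressed to the firewall and FORWARD for traffic passing through it, with a user-defined chain for new LAN-to-WAN flows. The interface names eth0/eth1, the 192.168.1.0/24 prefix and the allowed ports are assumptions; the ruleset is emitted in iptables-restore format so it can be inspected before it is loaded.

```shell
#!/bin/sh
# Example ruleset (not from the thread). WAN/LAN interface names and the
# LAN prefix are assumed; pass them as arguments.
gen_ruleset() {
    wan=$1; lan=$2; lan_net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# nat/POSTROUTING runs after filter/FORWARD: rewrite the source of LAN
# traffic leaving on the WAN interface
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LAN_OUT - [0:0]
# INPUT: only packets addressed to the firewall itself (e.g. its DNS)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -s $lan_net -p udp --dport 53 -j ACCEPT
# FORWARD: packets passing through; replies via conntrack, new LAN flows
# via the user-defined chain LAN_OUT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -j LAN_OUT
-A LAN_OUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A LAN_OUT -p udp --dport 53 -j ACCEPT
-A LAN_OUT -j DROP
COMMIT
EOF
}

# Load the ruleset atomically, enable forwarding, then show what landed
# in each table (root required). Compare with: iptables -vnL -t mangle
apply_ruleset() {
    gen_ruleset "$@" | iptables-restore
    sysctl -w net.ipv4.ip_forward=1
    iptables -vnL -t nat
    iptables -vnL
}

if [ "${1:-}" = apply ]; then apply_ruleset eth0 eth1 192.168.1.0/24; fi
```

Run with `sh script.sh` to print the ruleset, or `sh script.sh apply` as root to load it; the two `iptables -vnL` listings afterwards show the packet counters climbing in the chain where each packet was actually handled.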
