On Mon, Nov 9, 2009 at 10:00 AM, Mart Frauenlob <mart.frauenlob@xxxxxxxxx> wrote:
> paddy joesoap wrote:
>>
>> Hi guys
>>
>> I was just reading through the links Mart provided to try and get a
>> handle on things.
>>
>> Suppose this is the scenario:
>>
>> Internet -- Firewall -- Web server where the firewall has eth0 =
>> External and eth1 = Internal
>>
>> My understanding of seeing examples on the web (please correct me if I
>> am wrong) is that access to a web server can be permitted as follows:
>>
>> Scenario 1:
>> iptables -A FORWARD -i eth0 -p tcp -s anyIP --sport anyPort -d webServIP --dport 80 -j ACCEPT
>> iptables -A FORWARD -o eth1 -p tcp -s webServIP --sport 80 -d anyIP --dport anyPort -j ACCEPT
>>
>> I was just wondering must I also include 2 other rules:
>>
>> Scenario 2:
>> iptables -A FORWARD -i eth0 -p tcp -s anyIP --sport anyPort -d webServIP --dport 80 -j ACCEPT   # external in on eth0
>> iptables -A FORWARD -o eth1 -p tcp -s anyIP --sport anyPort -d webServIP --dport 80 -j ACCEPT   # new rule. external out on eth1 toward web server
>> iptables -A FORWARD -o eth1 -p tcp -s webServIP --sport 80 -d anyIP --dport anyPort -j ACCEPT
>> iptables -A FORWARD -i eth0 -p tcp -s webServIP --sport 80 -d anyIP --dport anyPort -j ACCEPT   # new rule
>>
>> From what I can gather of the iptables tutorial, I don't have to worry
>> about the 2 new rules. Perhaps they are redundant, in the sense that
>> traffic is being filtered in one direction of each interface and
>> filtering the same kind of traffic in both directions on each
>> interface may be considered duplication.
>>
>> But then again what about the default policy of Drop. Would not having
>> these two new rules mean http traffic fails? My guess is after traffic
>> has been processed (from the netfilter flow diagram Mart sent)
>> in one direction it is then automatically routed to the second
>> interface without filtering. So the answer is yes, http traffic will
>> still get by. Correct?
>>
>> This now makes me ask the question why bother with filtering eth1 at
>> all in Scenario 1? Could the rules equally have been written as:
>>
>> Scenario 3: (note single interface used, filter in both directions on
>> eth0)
>> iptables -A FORWARD -i eth0 -p tcp -s anyIP --sport anyPort -d webServIP --dport 80 -j ACCEPT
>> iptables -A FORWARD -o eth0 -p tcp -s webServIP --sport 80 -d anyIP --dport anyPort -j ACCEPT
>>
>> Again apologies for the obvious stupidity on my part.
>>
>
> As soon as a packet matches a rule and the target is terminating, like the
> ACCEPT target is, there is no more filtering on the packet - it is ACCEPTED.

The above line has switched on the light-bulb.

> Hence your rules would be redundant.
> As I already told you, you can use -i eth0 and -o eth1 for FORWARD rules, if
> you desire and/or need that.
>

Thanks for the insights Mart.
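The ruleset below is an added example for the layout discussed in this thread (Internet -- firewall -- web server, eth0 external, eth1 internal); it is not code from either poster. It shows the single "-i eth0 -o eth1" FORWARD rule Mart refers to, and replaces the "-s webServIP --sport 80" reply rule of Scenario 1 with a conntrack ESTABLISHED,RELATED match, so replies are accepted because they belong to a tracked connection rather than because their source port happens to be 80 (a source port is trivially chosen by the sender, so matching on it is a weak check). Assumptions: the web server address 192.0.2.10 is a placeholder standing in for webServIP, the interface names are the thread's, and the IPT variable defaults to "echo iptables" so the script only prints the rules unless you set IPT=iptables and run it as root.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: eth0 external,
# eth1 internal, WEB_IP 192.0.2.10 stands in for webServIP.
# IPT defaults to a dry run ("echo iptables"); set IPT=iptables and run
# as root to actually load the rules.
IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
WEB_IP="${WEB_IP:-192.0.2.10}"

web_forward_rules() {
    # Default DROP: anything not accepted by a rule below is dropped.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Reply packets belong to a connection conntrack already knows about,
    # so accept them by state instead of trusting "--sport 80". Because
    # ACCEPT is terminating, every packet of an accepted flow stops here,
    # in either direction, and never reaches the rules further down.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack cannot classify (bad TCP flags, stray ACKs) are
    # not legitimate replies; drop them before the allow rule below.
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # New HTTP connections: in on the external interface AND out on the
    # internal one, only to the web server, only TCP/80. Naming -i and -o
    # in one rule states the direction once; a second rule re-filtering
    # the same packet on eth1 would never be consulted.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEB_IP" --dport 80 \
         -m conntrack --ctstate NEW -j ACCEPT
}

# count_rules: number of "-A FORWARD" rule lines emitted in dry-run mode,
# a quick sanity check on the generated ruleset.
count_rules() {
    web_forward_rules | grep -c '^iptables -A FORWARD'
}

web_forward_rules
```

Run it as-is to see the three rules it would load; `iptables -L FORWARD -v -n` afterwards (on a real firewall) shows the packet counters climbing on the ESTABLISHED,RELATED rule for replies and on the last rule only for new connections, which is the behaviour the thread was asking about.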