On Tue, 09/02/2010 at 15:23 +0000, paddy joesoap writes:
> On Tue, Feb 9, 2010 at 1:25 PM, Richard Horton <arimus.uk@xxxxxxxxxxxxxx> wrote:
> > On 9 February 2010 13:17, paddy joesoap <paddyjoesoap@xxxxxxxxx> wrote:
> >> Hi All,
> >>
> >> How should one interpret the inbound ("-i") and outbound ("-o") of the
> >> FORWARD chain.
> >>
> >
> > -i refers to the interface the packet is received on.
> > -o refers to the interface the packet is routed out on.
> >
>
> Does this mean that both versions below are equivalent or at least do
> the same job?

Not at all.

> (1)
>
> iptables -A FORWARD -i eth0 -p tcp -d webServIP -j ACCEPT

This rule will match packets sent from "client" to webServIP.

> iptables -A FORWARD -o eth1 -p tcp -s webServIP -j ACCEPT

Considering that webServIP is located in the network connected to eth1, this rule will not match, because packets sent out eth1 cannot have webServIP as their source address.

> Because a packet will enter eth0 for internal network and a packet
> will leave eth1 (pushed towards eth0).
>
> (2)
>
> iptables -A FORWARD -i eth0 -p tcp -d webServIP -j ACCEPT

This rule will match packets sent from "client" to webServIP.

> iptables -A FORWARD -o eth0 -p tcp -s webServIP -j ACCEPT

This rule will match packets sent from webServIP to "client".

> Because a packet will enter eth0 to be forwarded internally and a
> packet will also enter eth0 when leaving the network.

When a packet enters and leaves on one interface (eth0), it isn't actually routing.

Considering that webServIP is located in the network connected to eth1 and the clients talking to the server are located in the network connected to eth0, you can use these rules:

iptables -A FORWARD -i eth0 -p tcp -d webServIP -j ACCEPT
iptables -A FORWARD -o eth1 -p tcp -d webServIP -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp -d webServIP -j ACCEPT

These 3 rules will each do the same job; you can use any one of them. They will match packets sent from "clients" to "server".

iptables -A FORWARD -i eth1 -p tcp -s webServIP -j ACCEPT
iptables -A FORWARD -o eth0 -p tcp -s webServIP -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp -s webServIP -j ACCEPT

These 3 rules will each do the same job; you can use any one of them. They will match packets sent from "servers" to "clients".

As you probably already know, each connection from client to server sends packets in both directions regardless of what you are doing, downloading or uploading.

For example, if you want to only allow web traffic (port 80) from "clients" to "server", you would have to use rules like this:

iptables -A FORWARD -i eth0 -o eth1 -d webServIP -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -s webServIP -p tcp --sport 80 -j ACCEPT

-- 
Покотиленко Костик <casper@xxxxxxxxxxxx>
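The reasoning in the reply above (why "-o eth1 -s webServIP" can never match, why the three client-to-server rules are interchangeable, and what the final port-80 ruleset does to each direction of one HTTP connection) can be checked offline with a small model of a two-interface router walking its FORWARD chain. This is an added example, not code from the thread or from netfilter; the addresses (192.168.0.0/24 behind eth0 for clients, 10.0.1.0/24 behind eth1 with 10.0.1.80 standing in for webServIP) and the packets are constructed for the illustration. The out-interface of a packet is derived from the routing table, which is exactly what makes "-o" behave as Richard described.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology (assumed, not from the post): clients behind eth0,
# the web server behind eth1. This is the routing table of the router.
ROUTES = {
    ip_network("192.168.0.0/24"): "eth0",
    ip_network("10.0.1.0/24"): "eth1",
}
WEB_SERV_IP = "10.0.1.80"    # stands in for "webServIP" in the post
CLIENT_IP = "192.168.0.25"   # an arbitrary client behind eth0


def route(dst: str) -> Optional[str]:
    """Interface a packet to dst is routed out on (longest-prefix match)."""
    addr = ip_address(dst)
    best = None
    for net, iface in ROUTES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


@dataclass(frozen=True)
class Packet:
    in_if: str          # interface the packet arrived on  (what -i sees)
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0

    @property
    def out_if(self) -> Optional[str]:
        # What -o sees: decided by the routing lookup, not by the sender.
        return route(self.dst)


@dataclass(frozen=True)
class Rule:
    """One `iptables -A FORWARD ...` rule; None means the option was not given."""
    target: str
    in_if: Optional[str] = None    # -i
    out_if: Optional[str] = None   # -o
    src: Optional[str] = None      # -s
    dst: Optional[str] = None      # -d
    proto: Optional[str] = None    # -p
    sport: Optional[int] = None    # --sport
    dport: Optional[int] = None    # --dport

    def matches(self, p: Packet) -> bool:
        wanted = [
            (self.in_if, p.in_if), (self.out_if, p.out_if),
            (self.src, p.src), (self.dst, p.dst), (self.proto, p.proto),
            (self.sport, p.sport), (self.dport, p.dport),
        ]
        return all(want is None or want == have for want, have in wanted)


def forward(chain: list, p: Packet, policy: str = "DROP") -> str:
    """Walk the FORWARD chain in order; first match decides, else the policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# Both directions of one client -> server HTTP connection (constructed packets).
REQ = Packet(in_if="eth0", src=CLIENT_IP, dst=WEB_SERV_IP, sport=51234, dport=80)
REP = Packet(in_if="eth1", src=WEB_SERV_IP, dst=CLIENT_IP, sport=80, dport=51234)

# Variant (1) from the question: "-o eth1 -s webServIP".
BAD_RULE = Rule("ACCEPT", out_if="eth1", src=WEB_SERV_IP)

# The three interchangeable client -> server rules from the reply.
TO_SERVER = [
    Rule("ACCEPT", in_if="eth0", proto="tcp", dst=WEB_SERV_IP),
    Rule("ACCEPT", out_if="eth1", proto="tcp", dst=WEB_SERV_IP),
    Rule("ACCEPT", in_if="eth0", out_if="eth1", proto="tcp", dst=WEB_SERV_IP),
]

# The port-80-only ruleset from the end of the reply.
WEB_ONLY = [
    Rule("ACCEPT", in_if="eth0", out_if="eth1", dst=WEB_SERV_IP, proto="tcp", dport=80),
    Rule("ACCEPT", in_if="eth1", out_if="eth0", src=WEB_SERV_IP, proto="tcp", sport=80),
]


def bad_rule_ever_matches() -> bool:
    """Anything sourced from webServIP routes out eth0, so this is always False."""
    return any(BAD_RULE.matches(p) for p in (REQ, REP))


def to_server_rules_agree() -> bool:
    """All three rules accept the request and none of them touch the reply."""
    return (all(r.matches(REQ) for r in TO_SERVER)
            and not any(r.matches(REP) for r in TO_SERVER))


def web_only_verdicts() -> dict:
    """Verdict per packet under the port-80 ruleset with a DROP policy."""
    ssh = Packet(in_if="eth0", src=CLIENT_IP, dst=WEB_SERV_IP, sport=40000, dport=22)
    return {
        "http request": forward(WEB_ONLY, REQ),
        "http reply": forward(WEB_ONLY, REP),
        "ssh attempt": forward(WEB_ONLY, ssh),
    }


if __name__ == "__main__":
    print("variant (1) second rule matches anything:", bad_rule_ever_matches())
    print("three client->server rules agree:", to_server_rules_agree())
    print(web_only_verdicts())
```

One caveat worth keeping in mind when reusing the final two rules on a real box: the return rule is stateless, so any packet from webServIP with source port 80 is forwarded whether or not a client ever opened a connection. On a kernel with connection tracking the usual practice is to allow the request with --dport 80 and let the replies through with `-m conntrack --ctstate ESTABLISHED,RELATED` instead of matching on --sport.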