Re: FORWARD chain and Interfaces

On Sat, 2011-05-21 at 00:10 -0600, netfilter@xxxxxxxxxxxxxx wrote:
> I have a firewall router box that I'm trying to write a ruleset for that
> accepts/blocks traffic from Network A to Network B.  I'm testing the
> rules on 3 virtual machines and will eventually deploy to production
> hardware:
> 
> Network A Machine eth0 (192.168.99.1) <-------> eth0 (192.168.99.2) Firewall/Router eth1 (10.10.10.1) <-------> eth0 (10.10.10.2) Network B Machine
> 
> 
> I have the the following rules on the Firewall/Router as a test before I
> write rules with http, ssh etc:
> 
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i eth0 -o eth1 -p icmp --icmp-type echo-request -s 192.168.99.0/24 -d 10.10.10.0/24 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -p icmp --icmp-type echo-request -m state --state NEW -j LOG --log-prefix "ICMP: "
> 
> When I ping from 192.168.99.1 to 10.10.10.2 it does not work.  The log
> rule logs the packet as IN=ETH1 OUT=ETH1.  I may not understand how the
> interfaces should be referenced in the FORWARD chain, but I would think
> that the second rule above should allow and forward that icmp traffic.  
> 
> However, if I remove the -i eth0 and -o eth1 from the second rule above
> the ping works fine, the log of course still says  IN=ETH1 OUT=ETH1.  
> 
> I guess I don't have to reference the interfaces in all my FORWARD
> rules, but I'd like to.  I am confused why the -i and -o referenced in
> the second rule do not allow and forward traffic. And why does the log rule
> log the packets as IN=ETH1 and OUT=ETH1? I would expect IN=ETH0
> OUT=ETH1.

My only thought on this is that the virtual machines are affecting your
interface names. Have you tried any other rules with interface names to
see if you get the same effect?

I expect that if you did the same with separate hardware, that the rules
would work as expected; therefore, I suggest testing without the
interface names, and inserting them when you have the actual hardware up
and running.

Andy
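As an added illustration (not code from this thread or from the netfilter project), the Python below walks the poster's three FORWARD rules against constructed LOG-style lines: one reproducing the IN=eth1 OUT=eth1 the kernel reported, one showing the IN=eth0 OUT=eth1 the poster expected. It assumes the chain policy is DROP and treats every logged echo-request as conntrack state NEW, since LOG lines do not record state.

```python
import ipaddress
import re

# Constructed LOG lines (not from the thread): line 1 mirrors what the poster saw
# (IN=eth1 OUT=eth1), line 2 is the expected IN=eth0 OUT=eth1 for the same ping.
SAMPLE_LOG = """\
ICMP: IN=eth1 OUT=eth1 SRC=192.168.99.1 DST=10.10.10.2 LEN=84 TTL=63 DF PROTO=ICMP TYPE=8 CODE=0 SEQ=1
ICMP: IN=eth0 OUT=eth1 SRC=192.168.99.1 DST=10.10.10.2 LEN=84 TTL=63 DF PROTO=ICMP TYPE=8 CODE=0 SEQ=2
"""
FIELD_RE = re.compile(r"(\w+)=(\S*)")
def parse_log_line(line):
    # KEY=VALUE pairs start at IN=; conntrack state is not logged, so assume NEW.
    return dict(FIELD_RE.findall(line[line.find("IN="):]), STATE="NEW")

def rule_matches(rule, pkt):
    # Only the matches the thread uses: -i, -o, -p icmp, --icmp-type, -s, -d, --state.
    for key, field in (("in_iface", "IN"), ("out_iface", "OUT")):
        if rule.get(key) and pkt[field] != rule[key]:
            return False
    if rule.get("proto") and pkt.get("PROTO", "").lower() != rule["proto"]:
        return False
    if "icmp_type" in rule and int(pkt.get("TYPE", -1)) != rule["icmp_type"]:
        return False
    for key, field in (("src", "SRC"), ("dst", "DST")):
        if rule.get(key) and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(rule[key]):
            return False
    return pkt["STATE"] in rule.get("state", {pkt["STATE"]})

def forward_targets(chain, pkt):
    # LOG is non-terminating; ACCEPT ends the walk; running off the end hits the policy (assumed DROP).
    hits = []
    for rule in chain:
        if rule_matches(rule, pkt):
            hits.append(rule["target"])
            if rule["target"] != "LOG":
                return hits
    return hits + ["POLICY-DROP"]

# The poster's three rules, once with the -i eth0 -o eth1 matches and once without.
RULE_EST = {"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"}
RULE_PING = {"proto": "icmp", "icmp_type": 8, "src": "192.168.99.0/24",
             "dst": "10.10.10.0/24", "state": {"NEW"}, "target": "ACCEPT"}
RULE_LOG = {"proto": "icmp", "icmp_type": 8, "state": {"NEW"}, "target": "LOG"}
CHAIN_WITH_IFACES = [RULE_EST, dict(RULE_PING, in_iface="eth0", out_iface="eth1"), RULE_LOG]
CHAIN_NO_IFACES = [RULE_EST, RULE_PING, RULE_LOG]

def evaluate(chain, log_text=SAMPLE_LOG):
    # Map (IN, OUT) of each logged packet to the list of targets it reaches.
    return {(p["IN"], p["OUT"]): forward_targets(chain, p)
            for p in map(parse_log_line, log_text.splitlines())}
```

With the interface matches in place, the IN=eth1 OUT=eth1 packet skips the ACCEPT rule, hits only LOG and then the policy, which is exactly the behaviour the poster describes; dropping -i/-o makes the same packet ACCEPT.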

