Re: Opening :80 through a NATing iptables firewall.

To: debian-firewall@lists.debian.org
Subject: Re: Opening :80 through a NATing iptables firewall.
From: "James B. Wilkinson" <jimmy@CS.cofc.EDU>
Date: Mon, 1 Oct 2001 21:14:51 -0400
Message-id: <a05100305b7deb58cb834@[153.9.17.27]>
In-reply-to: <20010929235006.A20269@doorstop.net>
References: <3BB4EF2F.2060002@ncmec.org> <Pine.OSF.4.30.0109291100220.16844-100000@student.uq.edu.au> <20010929235006.A20269@doorstop.net>

This looks like my chance to ask a couple of questions that I've beenharboring for a while.



Vineet sez:

No, that's how it was for ipchains, but not under the 2.4 series
kernel's netfilter system. It looks kinda like this:

PREROUTING                OUTPUT-------------+
    |                                        |
    v                                        v
(routing decision)------->FORWARD------->(routing decision)--+
|                                            |               |
|                                            |               v
+->INPUT<------------------------------------+           POSTROUTING


               ^^^^^^^^^^^^^^^^^^^^

Should this connection be here? Can a packet really get into INPUTfrom the right side? It can't come through FORWARD; I guess it cancome from OUTPUT. If that's the case, then maybe it shouldn't passthrough the same routing decision as one from FORWARD. Should it lookmore like this? Oh, I just noticed. Does it really go through *two*routing decisions if it's in the FORWARD path? maybe that second oneshouldn't be there.







   Incoming
       |
       |
       v
   PREROUTING
       |
       v
(routing decision)------->FORWARD------->(routing decision)--------------+
      |                                                                  |
      |                                                                  |
      v                                                                  v
    INPUT<--------------------(routing decision)------------------->POSTROUTING
      |                              ^                                   |
      |                              |                                   |
      |                              |                                   |
      |                            OUTPUT                                |
      |                              ^                                   |
      v                              |                                   v
Local Process x              Local Process y                         Outgoing


The second question is ----->  what is the effect of a rule like this:

iptables -A OUTPUT -out-interface eth0 blah blah blah

How can it know what the output interface is going to be before it'sbeen through the routing decision? Have I got OUTPUT and its routingdecision in the wrong order? I guess in that case I'd still need thebranch point between INPUT and POSTROUTING. Is it maybe the case that"routing decision" and "branch in this diagram based on a routingdecision" are separate concepts? This is complex!!



Thanks, guys, I'm not a kernel hacker.
--

-------------------------------------------------------------
Jimmy Wilkinson            | Perfesser of Computer Science
jimmy@cs.CofC.edu          | The College of Charleston
(843) 953-8160             | Charleston      SC        29424

If there is one word to describe me,
that word would have to be "profectionist".
Any form of incompitence is an athema to me.
Metathesis??? Don't ax me.

Reply to:

Next by Date: NetMeeting
Next by thread: NetMeeting
Index(es):
- Date
- Thread