
Re: Firewall on router question



Lars Schimmer wrote:
> Hi!
> 
> I've got some questions for understanding.
> First I used ipchains on a router for a subnet. Easy going, ipchains
> INPUT deny and allow for all IPs in the subnet worked great.
> And the script was followed from top to bottom, e.g. first rule was
> served first.
> 
> Now I setup a router with iptables, so I needed to use iptable FORWARD.
> One big change: I need to setup 2 rules, one from outside to inside,
> second form inside to outside, to use the net like I did with ipchains.
> Second: could it be, that the forward target isn't followed top to
> bottom in the script?

I'm not totally clear on what you are trying to accomplish, but there is
a key difference between ipchains and iptables that you might be getting
stuck on.

In ipchains, all the incoming and outgoing packets traversed the INPUT
or OUTPUT chains, *even* the packets that were being forwarded.

In iptables, forwarded packets *only* traverse the FORWARD chain, and
never go through the INPUT or OUTPUT chains.

So, this means:

A. The only traffic that traverses the INPUT chain is traffic that is
incoming to the local box.

B. The only traffic that traverses the OUTPUT chain is traffic outgoing
from the local box.

C.  The only traffic that traverses the FORWARD chain is traffic that is
just passing through, i.e. that comes from, and is headed to somewhere
other than the local box.  Note that the FORWARD chain is the only chain
where traffic can be either incoming or outgoing, and you need to use -o
instead of -i for outgoing.  Note also that on a router the FORWARD
chain is where most of your rules end up.

It's much simpler really, but it threw me when I switched from ipchains
to iptables.

> E.G. I've got 2 rules for dnetc in the top of the script, which allows
> port 2046 access to all PCs in our subnet.

If you mean that you want the router to allow all incoming port 2046
traffic to pass through to the local subnet then it would be something
like this, one rule for each direction:

iptables -A FORWARD -i $EXT_IF -o $LAN_IF -p tcp --dport 2046 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $EXT_IF -p tcp --dport 2046 -j ACCEPT


> Later on I deny all access to one special PC. But on that PC I can't
> update the distributed.net buffers at all...

I have no idea what you mean here.

Hope that helps.
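As an added illustration (not part of the original reply) of the FORWARD-only point above, here is a small router script that builds a stateful FORWARD ruleset with one rule per direction using -i and -o, and places per-host denies before the broader port 2046 allow, since iptables stops at the first matching rule. Interface names, the LAN network and the dry-run default (IPT set to echo) are assumptions; set IPT=iptables to apply it on a real router.

```shell
#!/bin/sh
# Added example: stateful FORWARD ruleset for a two-interface router.
# EXT_IF/LAN_IF/LAN_NET are assumed values; IPT defaults to a dry run.
EXT_IF=${EXT_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
IPT=${IPT:-echo iptables}   # IPT=iptables to really install the rules

# Usage: forward_rules [host-to-block ...]
forward_rules() {
    # Forwarded traffic never touches INPUT/OUTPUT, so the policy that
    # matters on a router is the FORWARD one: drop unless allowed below.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies for connections already accepted in either direction.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Per-host denies must come *before* the allow rules: first match wins,
    # so a deny placed after the port 2046 allow would never be reached.
    for host in "$@"; do
        $IPT -A FORWARD -i "$LAN_IF" -s "$host" -j DROP   # host -> outside
        $IPT -A FORWARD -o "$LAN_IF" -d "$host" -j DROP   # outside -> host
    done
    # dnetc port 2046: new connections into the LAN (-i ext, -o lan) and
    # new connections out of the LAN (-i lan, -o ext); one rule each way.
    $IPT -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -d "$LAN_NET" \
        -p tcp --dport 2046 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" \
        -p tcp --dport 2046 -m conntrack --ctstate NEW -j ACCEPT
}

forward_rules "$@"
```

With the dry-run default the script only prints the iptables commands, so the rule order can be checked before anything is applied.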


