firewalling...

Ian Molton imolton at clara.net
Sun Oct 7 13:27:06 PDT 2001


On stardate Sun, 7 Oct 2001 22:15:50 +0200
Daniel began the full scale invasion of earth with the following words:

> 
> a great many questions :)
> 
> Ian Molton <imolton at clara.net> wrote:
> > Ok. what happens to packets that get natted?

> There are three tables: filter, nat, mangle.
> There are multiple built-in chains in each table.
> filter: INPUT, OUTPUT, FORWARD
> nat: PREROUTING, POSTROUTING, OUTPUT
> mangle: PREROUTING, OUTPUT
> 
> this is a more accurate diagram:
> 
>    --->PRE------>[ROUTE]--->FWD---[ROUTE]----->POST------>
>        mangle       |      filter    ^         nat
>        nat          |                |
>                     |                |
>                     v                |
>                     IN filter       OUT mangle
>                     |                ^  nat
>                     |                |  filter
>                     v                |
> 
> 
> You want to use the mangle table for packet mangling, the nat
> table for masquerading, DNAT/SNAT, and the filter table for
> allowing/dropping stuff.

Ok, so one last question...

How do packets enter the tables? When a packet comes in, is it presented to
the mangle table's PREROUTING chain, and then, failing a match, to the nat
table's PREROUTING chain?

If so, then I think things are beginning to fall into place.

Also, doesn't the nat table have a MASQUERADE chain? Where does this figure
in the above diagram?

> if you specify no table, then "-t filter" is assumed. The above
> flushes the filter table only.

Ooh, nasty little gotcha.

> >> > $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
> >> > echo "1" > /proc/sys/net/ipv4/ip_forward
> 
> > The above seems to work, but why can I not do non-passive FTP
> > from behind the firewall?
> 
> Hmm, may have several reasons. Either you don't let RELATED
> connections in, or you haven't got the FTP connection tracking
> module loaded or compiled into the kernel.

Right.

> You should read up on source routing. Source routing is an IP
> option. It allows you to "route" an IP packet through a list of
> gateway addresses.

> The above list of reserved address ranges has nothing to do with
> source routing. It is just the list of all those addresses which
> are not routed through the Internet. Which means that anything
> coming from them is bogus.

Right. I'm with you on that now.

> >> echo "2" > /proc/sys/net/ipv4/conf/eth0/rp_filter
> 
> > would this foul things up for people with two (or more) uplinks?
> Exactly, but only with weird setups where packets come in from one
> and leave through the other uplink. And there are some issues with
> advanced routing if you activate it (iproute2).

Right.
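To make the traversal order in the quoted diagram concrete, here is an added Python model (not from the thread or its participants): it walks a packet through the hooks in the order the 2.4-era kernel consults the tables at each hook (mangle, then nat, then filter), continuing to the next table whenever the verdict is not DROP, and applies a constructed rule set that mirrors the quoted MASQUERADE rule, which lives as a target in nat POSTROUTING rather than as a chain of its own. The addresses, interface names and rules are constructed for the example.

```python
# Tables consulted at each hook, in the order the kernel runs them. Matches the
# diagram: mangle has PREROUTING/OUTPUT, nat has PREROUTING/POSTROUTING/OUTPUT,
# filter has INPUT/FORWARD/OUTPUT.
HOOKS = {
    "PREROUTING":  [("mangle", "PREROUTING"), ("nat", "PREROUTING")],
    "INPUT":       [("filter", "INPUT")],
    "FORWARD":     [("filter", "FORWARD")],
    "OUTPUT":      [("mangle", "OUTPUT"), ("nat", "OUTPUT"), ("filter", "OUTPUT")],
    "POSTROUTING": [("nat", "POSTROUTING")],
}
UPLINK, LAN_GW = "203.0.113.5", "192.168.1.1"  # constructed: firewall's eth0 / eth1 addresses

# Constructed rule set: (table, chain, match, target). The first mirrors the
# "-t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE" rule quoted above.
RULES = [
    ("nat", "POSTROUTING", lambda p: p["oif"] == "eth0" and p["src"].startswith("192.168.1."), "MASQUERADE"),
    ("filter", "FORWARD", lambda p: p["iif"] == "eth1", "ACCEPT"),   # LAN -> anywhere
    ("filter", "FORWARD", lambda p: True, "DROP"),                   # everything else forwarded
]

def run_chain(table, chain, p):
    """First matching rule wins; a chain with no match falls through to its ACCEPT policy."""
    for t, c, match, target in RULES:
        if (t, c) == (table, chain) and match(p):
            if target == "MASQUERADE":
                p["src"] = UPLINK          # SNAT to the address of the outgoing interface
            return target
    return "ACCEPT"

def route(p):
    """The [ROUTE] box: local delivery, or pick the outgoing interface and forward."""
    if p["dst"] in (UPLINK, LAN_GW):
        return "INPUT"
    p["oif"] = "eth1" if p["dst"].startswith("192.168.1.") else "eth0"
    return "FORWARD"

def traverse(p):
    """Return the (table, chain, verdict) trail a packet leaves; a DROP ends the walk."""
    trail, hook = [], "PREROUTING" if p["iif"] else "OUTPUT"   # received vs locally generated
    while hook:
        for table, chain in HOOKS[hook]:
            verdict = run_chain(table, chain, p)
            trail.append((table, chain, verdict))
            if verdict == "DROP":
                return trail
        if hook in ("PREROUTING", "OUTPUT"):
            nxt = route(p)                                     # routing decision sets oif
            hook = nxt if hook == "PREROUTING" else "POSTROUTING"
        else:
            hook = "POSTROUTING" if hook == "FORWARD" else None  # INPUT/POSTROUTING end the walk
    return trail
```

Running `traverse` on a LAN-originated packet shows it visiting mangle PREROUTING, nat PREROUTING, filter FORWARD and finally nat POSTROUTING, where the MASQUERADE target rewrites the source address.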