Old 08-25-2012, 04:47 PM
Juan Diego Tascón
 
Default iptables forward policy

Good day,

I'm currently configuring a router. I'm setting the default policies
to DROP in the INPUT, OUTPUT and FORWARD chains. I'm thinking of
setting the default FORWARD policy to ACCEPT as my default INPUT
policy is DROP and unless there is a valid FORWARD rule for a given
port the packets won't go anywhere. Am I right on this? Or could
someone deliberately set up a packet to be forwarded from my router to
my LAN? All I could find on Google was one similar question with no
answer.

Thanks
 
Old 08-25-2012, 05:56 PM
Corrado Primier
 
Default iptables forward policy

2012/8/25 Juan Diego Tascón <juantascon@gmail.com>:
> Good day,

Hello

> I'm thinking of
> setting the default FORWARD policy to ACCEPT as my default INPUT
> policy is DROP and unless there is a valid FORWARD rule for a given
> port the packets won't go anywhere. Am I right on this?

You're wrong. Either a packet goes through the INPUT chain or it goes
through the FORWARD chain, depending on its destination. Take a look
at this packet flow diagram:
http://www.linuxhomenetworking.com/wiki/images/f/f0/Iptables.gif

Corrado
 
Old 08-25-2012, 05:56 PM
Damjan
 
Default iptables forward policy

On 25.08.2012 18:47, Juan Diego Tascón wrote:

> Good day,
>
> I'm currently configuring a router. I'm setting the default policies
> to DROP in the INPUT, OUTPUT and FORWARD chains. I'm thinking of
> setting the default FORWARD policy to ACCEPT as my default INPUT
> policy is DROP and unless there is a valid FORWARD rule for a given
> port the packets won't go anywhere. Am I right on this? Or could
> someone deliberately set up a packet to be forwarded from my router to
> my LAN? All I could find on Google was one similar question with no
> answer.


FORWARD and INPUT are completely different.
INPUT is for packets that in the end are destined for the host (i.e.
routed to the host).

FORWARD is for packets that are only forwarded by the host; those packets
will not go through the INPUT chain.

In a normal routed network this depends on the destination IP of the
packet, but if you DNAT the packets in the PREROUTING chain of the nat
table the destination IP will change.

--
дамјан
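A small model of the point made in the two replies above, as an added illustration that is not code from the thread: after nat PREROUTING (where a DNAT may rewrite the destination), the routing decision sends a packet either to INPUT or to FORWARD, never both, so an INPUT policy of DROP says nothing about forwarded traffic. The router addresses, LAN host, ports and DNAT mapping are constructed assumptions.

```python
"""Toy model of which iptables chain a packet hits on a router.
Added illustration, not code from the thread. Constructed assumptions: the
router owns 203.0.113.1 (WAN) and 192.168.1.1 (LAN), 192.168.1.10 is a LAN
host. Only the routing decision is modelled: after nat PREROUTING (where a
DNAT may rewrite the destination), a packet whose destination is a router
address goes to INPUT; any other destination goes to FORWARD."""
from dataclasses import dataclass, field

ROUTER_ADDRS = {"203.0.113.1", "192.168.1.1"}  # constructed sample addresses

@dataclass
class Packet:
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass
class Firewall:
    input_policy: str = "DROP"
    forward_policy: str = "DROP"
    accept_rules: set = field(default_factory=set)  # {(chain, proto, dport)}
    dnat: dict = field(default_factory=dict)        # {(proto, dport): (dst, dport)}

    def path(self, pkt: Packet) -> tuple:
        """Return (chain traversed, verdict) for one inbound packet."""
        dst, dport = pkt.dst, pkt.dport
        # nat PREROUTING runs before the routing decision, so a DNAT can turn
        # a packet addressed to the router into one that is forwarded instead.
        if (pkt.proto, dport) in self.dnat:
            dst, dport = self.dnat[(pkt.proto, dport)]
        chain = "INPUT" if dst in ROUTER_ADDRS else "FORWARD"
        if (chain, pkt.proto, dport) in self.accept_rules:
            return chain, "ACCEPT"
        return chain, self.input_policy if chain == "INPUT" else self.forward_policy

def demo() -> dict:
    # The original poster's idea: INPUT DROP but FORWARD ACCEPT.
    naive = Firewall(input_policy="DROP", forward_policy="ACCEPT")
    # Hardened: FORWARD DROP with explicit rules, plus a DNAT publishing the
    # LAN host's port 22 on the router's WAN port 2222.
    strict = Firewall(accept_rules={("FORWARD", "tcp", 80), ("FORWARD", "tcp", 22)},
                      dnat={("tcp", 2222): ("192.168.1.10", 22)})
    return {
        "naive_lan_smb": naive.path(Packet("192.168.1.10", 445)),   # INPUT never consulted
        "strict_lan_smb": strict.path(Packet("192.168.1.10", 445)),
        "strict_lan_http": strict.path(Packet("192.168.1.10", 80)),
        "strict_dnat_ssh": strict.path(Packet("203.0.113.1", 2222)),  # rewritten, then forwarded
        "strict_router_ssh": strict.path(Packet("203.0.113.1", 22)),
    }
```

The first result is the answer to the original question: with FORWARD set to ACCEPT, a packet addressed to a LAN host is passed through without the INPUT chain ever being consulted.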
 
Old 08-26-2012, 05:11 PM
Juan Diego Tascón
 
Default iptables forward policy

Thanks for both replies. The graphic makes it a lot more
understandable. Is there any way to debug iptables? I mean, like a
tool where I can visualize the path of a packet and where exactly it
gets dropped/accepted, and also real-time packet headers (src, dst,
proto, dport, sport, etc.)?

On Sat, Aug 25, 2012 at 12:56 PM, Corrado Primier <ilbardo@gmail.com> wrote:
> 2012/8/25 Juan Diego Tascón <juantascon@gmail.com>:
>> Good day,
>
> Hello
>
>> I'm thinking of
>> setting the default FORWARD policy to ACCEPT as my default INPUT
>> policy is DROP and unless there is a valid FORWARD rule for a given
>> port the packets won't go anywhere. Am I right on this?
>
> You're wrong. Either a packet goes through the INPUT chain or it goes
> through the FORWARD chain, depending on its destination. Take a look
> at this packet flow diagram:
> http://www.linuxhomenetworking.com/wiki/images/f/f0/Iptables.gif
>
> Corrado
 
Old 08-26-2012, 05:16 PM
Bastian Beischer
 
Default iptables forward policy

Dear Juan,

see the section on logging in the wiki:

https://wiki.archlinux.org/index.php/Iptables#Logging

Cheers
Bastian

On Sun, Aug 26, 2012 at 7:11 PM, Juan Diego Tascón <juantascon@gmail.com> wrote:
> Thanks for both replies. The graphic makes it a lot more
> understandable. Is there any way to debug iptables? I mean, like a
> tool where I can visualize the path of a packet and where exactly it
> gets dropped/accepted, and also real-time packet headers (src, dst,
> proto, dport, sport, etc.)?
>
> On Sat, Aug 25, 2012 at 12:56 PM, Corrado Primier <ilbardo@gmail.com> wrote:
>> 2012/8/25 Juan Diego Tascón <juantascon@gmail.com>:
>>> Good day,
>>
>> Hello
>>
>>> I'm thinking of
>>> setting the default FORWARD policy to ACCEPT as my default INPUT
>>> policy is DROP and unless there is a valid FORWARD rule for a given
>>> port the packets won't go anywhere. Am I right on this?
>>
>> You're wrong. Either a packet goes through the INPUT chain or it goes
>> through the FORWARD chain, depending on its destination. Take a look
>> at this packet flow diagram:
>> http://www.linuxhomenetworking.com/wiki/images/f/f0/Iptables.gif
>>
>> Corrado



--
Bastian Beischer
RWTH Aachen University of Technology

@CERN
Office: Bdg 32-4-B12
Phone: +41-22-76-75750
E-mail: bastian.beischer@cern.ch
Address: CERN, CH-1211 Geneve 23

@RWTH Aachen
Office: 28 C 203
Phone: +49-241-80-27205
E-mail: beischer@physik.rwth-aachen.de
Address: I. Physikalisches Institut B, Sommerfeldstr. 14, D-52074 Aachen
 
Old 08-26-2012, 06:08 PM
Peter Baldridge
 
Default iptables forward policy

On Sun, Aug 26, 2012 at 10:11 AM, Juan Diego Tascón <juantascon@gmail.com> wrote:

> Is there any way to debug iptables, Juan,


Another good way to debug IPTables (if you can limit the traffic to the box
to just what you are troubleshooting) is to use the command:

sudo iptables -Z && sudo watch -n .5 iptables -nvL

^ zeros the counters for iptables

This will serve to show packet counters next to all your rules. Then you
can send the traffic you are troubleshooting and see which rule it is
matching. From a different window or screen you can add/drop rules and
watch the counters in real time. That has always helped me in tough
IPtables setups since it's a little more real-time/less info than logging.

-pete
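The counter-watching technique above, automated as an added example that is not code from the thread: take an `iptables -nvL` listing right after `iptables -Z`, take another after sending the test traffic, and report which rules (and chain policies) saw their packet count move. The two listings are constructed sample output in the `iptables -nvL` layout; the rules, interfaces and addresses in them are assumptions.

```python
"""Diff packet counters between two `iptables -nvL` snapshots (added example,
not from the thread): automates 'zero the counters, send the test traffic,
see which rule's counter moved'. BEFORE/AFTER are constructed sample listings
in `iptables -nvL` layout; only the pkts column is compared."""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\d+) packets|\d+ references)")
UNITS = {"": 1, "K": 1000, "M": 1000000, "G": 1000000000}

def to_int(field: str) -> int:
    """iptables -v abbreviates large counters (e.g. 12K) unless -x is given."""
    m = re.fullmatch(r"(\d+)([KMG]?)", field)
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_counters(listing: str) -> dict:
    """Map 'CHAIN policy X' and 'CHAIN#n <rule>' to their pkts counter."""
    counters, chain, index = {}, None, 0
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:  # chain header; user-defined chains carry no policy counter
            chain, index = m.group(1), 0
            if m.group(2):
                counters[f"{chain} policy {m.group(2)}"] = int(m.group(3))
            continue
        parts = line.split()
        if chain is None or len(parts) < 3 or parts[0] == "pkts":
            continue  # column header or blank line
        index += 1
        counters[f"{chain}#{index} {' '.join(parts[2:])}"] = to_int(parts[0])
    return counters

def moved(before: str, after: str) -> dict:
    """Rules and chain policies whose packet count grew between snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    return {k: a[k] - b.get(k, 0) for k in a if a[k] > b.get(k, 0)}

# Constructed snapshots: counters zeroed with `iptables -Z`, then one HTTP
# request to the LAN web server plus three stray SMB probes were sent.
BEFORE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            192.168.1.10         tcp dpt:80
"""
AFTER = """\
Chain FORWARD (policy DROP 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   512 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    60 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            192.168.1.10         tcp dpt:80
"""
```

Packets that hit no rule show up as growth of the chain's policy counter, which is the quickest sign that a DROP policy, not a specific rule, is what is eating the traffic.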
 
Old 08-28-2012, 08:08 PM
Juan Diego Tascón
 
Default iptables forward policy

Thanks all for your help

I finally decided to go with a simpler port forwarding solution
using socat, a tool to forward TCP connections. This way I can filter
forwarded ports by using the router's INPUT chain.

Cheers

On Sun, Aug 26, 2012 at 1:08 PM, Peter Baldridge
<petebaldridge@gmail.com> wrote:
> On Sun, Aug 26, 2012 at 10:11 AM, Juan Diego Tascón <juantascon@gmail.com> wrote:
>
>> Is there any way to debug iptables, Juan,
>
>
> Another good way to debug IPTables (if you can limit the traffic to the box
> to just what you are troubleshooting) is to use the command:
>
> sudo iptables -Z && sudo watch -n .5 iptables -nvL
>
> ^ zeros the counters for iptables
>
> This will serve to show packet counters next to all your rules. Then you
> can send the traffic you are troubleshooting and see which rule it is
> matching. From a different window or screen you can add/drop rules and
> watch the counters in real time. That has always helped me in tough
> IPtables setups since it's a little more real-time/less info than logging.
>
> -pete
 