LinuxQuestions.org
Old 12-16-2003, 11:16 PM   #1
gauge73
Member
 
Registered: Jan 2003
Location: Dallas, TX
Distribution: Fedora Core 4
Posts: 420

Rep: Reputation: 30
confusion on iptables


I'm reading a rather long HOWTO about iptables, but I am still left with questions...

Here is my situation: I have a small private network (192.168.1.0/24) being masqueraded behind my iptables firewall. I want to have my linux machine (which is running iptables) to host a few servers, though (http, ftp, ssh, etc).

Now, reading that HOWTO, it says that when a packet is incoming there is a point at which a decision is made about whether the packet is destined for a local process or for a host on another network and should be forwarded. How is this decision made in a masquerading situation? Every computer in my apartment shares the same IP address. If the incoming packet belongs to an ESTABLISHED connection, then I understand how the firewall knows where to send it. However, if it's a SYN packet (NEW connection), then how is it handled? I have certain servers running on my machine that are only answering requests from my internal network, but the default policy on my INPUT chain is ACCEPT. If I read correctly, the INPUT chain handles all incoming packets that are handled by local processes. Where are the packets that are coming from the internet getting caught?

So, basically I'm asking how to have packets on certain ports be handled by the local machine rather than being forwarded.
 
Old 12-16-2003, 11:36 PM   #2
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
Well... I'm not sure if this answers your question directly but understanding the packet flow may help.

When a packet enters an IPTABLES firewall, the packet first traverses the mangle table. The mangle table is rarely used. After the mangle table has been cleared, the packet enters the NAT table where PREROUTING is handled (destination or source IP addresses or ports can be changed here). Once it gets to this point, the packet must now be routed. The choice is...
A) Into the firewall machine (INPUT table)
-or-
B) Past the firewall machine (FORWARD table)
A packet will NEVER traverse both.

If the INPUT table is chosen an action must be taken... dropped, accepted etc.

If the FORWARD table is chosen, the packet then traverses the NAT table again for post routing, and then I *think* it hits a final mangle postrouting table, but I'm not sure on that one. Typically the fate of these packets is controlled by the FORWARD table vs. NAT or MANGLE.

.... uh .... here is an excerpt from one of my previous threads
Quote:
When using IPTABLES, a packet enters our computer and iptables must decide what to do with it - imagine a workflow diagram... first, it goes through our rarely used mangle table (left as an exercise for the reader) and then it hits our NAT prerouting table... here, we have the option of changing the source or destination of where this packet is headed. For instance, if the packet was originally intended for your firewall but you want it redirected to an internal web server, you can change the destination here. (Masquerading is a special form of this). Ok... after our NAT table has got the destination all set up, we have a choice - if the packet is destined for THIS machine, it gets shoved over to the INPUT table. Otherwise, it gets put into the FORWARD table. *ah* So forwarding is just directing traffic! (Yes, astute reader, you'll now see the difference between forwarding and masquerading here). Finally, the NAT postrouting table is consulted. Ultimately, the INPUT or FORWARD table decide the fate of each packet. Similarly, the OUTPUT chain is used by packets leaving the firewall only; packets from the forward table never touch the OUTPUT table.
so... uh... what was your question? I lost track in all my rambling.
 
Old 12-16-2003, 11:43 PM   #3
ToniT
Senior Member
 
Registered: Oct 2003
Location: Zurich, Switzerland
Distribution: Debian/unstable
Posts: 1,357

Rep: Reputation: 47
Normally (when nothing special is configured), every packet coming from outside (internet device) goes through the PREROUTING chain, and then it is checked whether the IP address is an address of the box. If so, the packet is passed to the INPUT chain; otherwise it goes to the FORWARD chain (see illustrating picture).

If the box is configured to do masquerading, there is an implicit rule to route established connections through the FORWARD chain to the correct originator of the connection.

As for new connections from outside, masquerading has no effect on their behaviour by default. So, every new connection established to the box from outside is handled by the box itself (filtered in the INPUT chain). If you want to alter this behaviour (like letting some other machine work as an http server to the world), you can do it in the PREROUTING table. Something like this:
Code:
IF_INET="eth1"            # your internet-facing interface (something like eth1)
webserver="192.168.1.27"  # ip address of your web server (something like 192.168.1.27)
# nat rule: readdress packets arriving from the internet for tcp port 80 (www) to the web server
iptables --table nat --append PREROUTING --in-interface "$IF_INET" -p tcp --destination-port www --jump DNAT --to-destination "$webserver":80
# filter rule: allow the readdressed packets to be forwarded
iptables --append FORWARD -p tcp --destination "$webserver" --destination-port 80 --jump ACCEPT
The first rule here is a nat rule that explicitly alters the routing decision by readdressing the packet to $webserver instead, if the packet is coming from the internet interface, is a TCP packet and the destination port of the original packet happens to be 80. Now the packet is sent to the FORWARD chain. The second rule is a filter rule allowing the packet in question to be forwarded.

Last edited by ToniT; 12-16-2003 at 11:49 PM.
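The routing decision ToniT describes, worked through as a complete script: this is an added example, not ToniT's code or anything from the thread. It builds the whole NAT/forward side of the setup in the question: masquerading the LAN, letting conntrack steer replies into FORWARD, and using DNAT in PREROUTING so a NEW connection to port 80 is routed to FORWARD rather than INPUT. The interface names (eth1 outside, eth0 inside) and the web server address 192.168.1.27 are assumptions; only 192.168.1.0/24 comes from the question. With DRY_RUN=1 the rules are printed instead of applied, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not ToniT's or the forum's code. Interface names and the
# web server address are assumed; only 192.168.1.0/24 is from the question.
IF_INET="${IF_INET:-eth1}"               # assumed: internet-facing interface
IF_LAN="${IF_LAN:-eth0}"                 # assumed: LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # private network from the question
WEBSERVER="${WEBSERVER:-192.168.1.27}"   # assumed: internal web server

# With DRY_RUN=1 each rule is printed instead of executed, so the rule set
# can be reviewed on a machine without root or iptables.
fw() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

setup_nat_forward() {
    # The kernel must be allowed to forward at all (skipped in dry-run).
    [ "${DRY_RUN:-0}" = "1" ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null

    fw -t nat -F
    fw -F FORWARD
    fw -P FORWARD DROP      # nothing is forwarded unless a rule below says so

    # 1. LAN traffic leaving through the internet interface gets the firewall's
    #    address (masquerading); conntrack remembers the mapping.
    fw -t nat -A POSTROUTING -o "$IF_INET" -s "$LAN_NET" -j MASQUERADE

    # 2. Replies to masqueraded connections have their destination rewritten
    #    back to the LAN host at PREROUTING by conntrack, so the routing
    #    decision sends them to FORWARD, not INPUT (ToniT's "implicit rule").
    fw -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. New connections from the LAN out to the internet.
    fw -A FORWARD -i "$IF_LAN" -o "$IF_INET" -s "$LAN_NET" -j ACCEPT

    # 4. A NEW connection from the internet to port 80 is addressed to the
    #    firewall itself and would be routed to INPUT. DNAT in PREROUTING
    #    changes the destination before the routing decision, so it lands in
    #    FORWARD instead, where the second rule must then accept it.
    fw -t nat -A PREROUTING -i "$IF_INET" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEBSERVER:80"
    fw -A FORWARD -i "$IF_INET" -o "$IF_LAN" -p tcp -d "$WEBSERVER" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Apply only when asked:   sudo sh nat-forward.sh apply
# Preview the rules with:  DRY_RUN=1 sh nat-forward.sh apply
if [ "${1:-}" = "apply" ]; then
    setup_nat_forward
fi
```

The script uses `-m conntrack --ctstate`, the current spelling of what 2003-era scripts wrote as `-m state --state`; both match on the same connection-tracking state. Note that without the DNAT rule a NEW port-80 connection from outside is still routed to INPUT, which is exactly why the INPUT chain's policy matters for the services the firewall hosts itself.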
 
Old 12-17-2003, 01:13 AM   #4
gauge73
Member
 
Registered: Jan 2003
Location: Dallas, TX
Distribution: Fedora Core 4
Posts: 420

Original Poster
Rep: Reputation: 30
Thanks for the help. I really appreciate it.

I think you two helped a lot. So, what I'm getting out of this is that in my situation, if my INPUT chain's policy is ACCEPT and I have a process listening on the correct port on the correct interface, it should be answering correctly? Thus, if I set up apache to listen on eth0 on port 80, iptables should be set up correctly already, as long as my INPUT chain will accept the packet (through the default policy or an explicit rule)?
 
Old 12-17-2003, 03:00 AM   #5
ToniT
Senior Member
 
Registered: Oct 2003
Location: Zurich, Switzerland
Distribution: Debian/unstable
Posts: 1,357

Rep: Reputation: 47
Yes, that is correct. Thus, having an INPUT chain with just an ACCEPT policy means that there is no firewall in between, which could be considered somewhat risky these days.
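An INPUT chain that avoids the "no firewall in between" situation ToniT warns about, while still serving the http, ftp and ssh the original poster wants for the LAN: an added example, not ToniT's code or anything from the thread. It assumes eth1 is the internet interface and eth0 the LAN interface, and it assumes that only ssh should be reachable from the internet; the LAN range 192.168.1.0/24 is from the question. As in a dry-run firewall script, DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not ToniT's or the forum's code. Interface names and the
# port choices are assumptions; 192.168.1.0/24 is from the question.
IF_INET="${IF_INET:-eth1}"               # assumed: internet-facing interface
IF_LAN="${IF_LAN:-eth0}"                 # assumed: LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # private network from the question
LAN_PORTS="${LAN_PORTS:-21 22 80}"       # ftp, ssh, http for LAN hosts
WORLD_PORTS="${WORLD_PORTS:-22}"         # assumed: only ssh reachable from outside

# With DRY_RUN=1 each rule is printed instead of executed.
fw() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

setup_input() {
    fw -F INPUT
    fw -P INPUT DROP      # a local process only sees what the rules below admit
    fw -A INPUT -i lo -j ACCEPT
    # Replies to connections the firewall itself opened, plus related traffic
    # such as ftp data channels (needs the nf_conntrack_ftp module loaded).
    fw -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fw -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Anti-spoofing: a LAN source address never legitimately arrives from outside.
    fw -A INPUT -i "$IF_INET" -s "$LAN_NET" -j DROP
    # Let LAN hosts ping the firewall for troubleshooting.
    fw -A INPUT -i "$IF_LAN" -s "$LAN_NET" -p icmp --icmp-type echo-request -j ACCEPT
    # Services for the LAN only: matched on the LAN interface AND the LAN
    # source range, so the same ports are never admitted from the internet.
    for port in $LAN_PORTS; do
        fw -A INPUT -i "$IF_LAN" -s "$LAN_NET" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # Services deliberately exposed to the internet.
    for port in $WORLD_PORTS; do
        fw -A INPUT -i "$IF_INET" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # Record what the policy is about to drop, rate-limited so logs stay readable.
    fw -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
}

# Apply only when asked:   sudo sh input-chain.sh apply
# Preview the rules with:  DRY_RUN=1 sh input-chain.sh apply
if [ "${1:-}" = "apply" ]; then
    setup_input
fi
```

The key difference from the original poster's setup is the DROP policy: apache listening on port 80 on eth0 still answers LAN clients because of the explicit rule, but the same daemon is unreachable from eth1 even though it is listening on every address. The LOG rule is what makes the difference visible in the kernel log when a LAN-only service is probed from outside.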
 
Old 12-17-2003, 07:31 AM   #6
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
If you are unsure of your current firewall, try this one. It's not a truly paranoid firewall but it will do what you want and is easy to configure.

http://www.linuxquestions.org/questi...hreadid=121379
 