iptables and chains
Hi guys,
I'm trying to understand how iptables works. Now a friend made me a little "course" but in reality now I have even more doubts :o.. Given a scenario of a machine that acts as a firewall and gateway on a LAN: eth0 will be the netcard that goes to the Internet and eth1 the netcard that is on the LAN (for now I give up NAT).

First, is what I write below about the three chains correct??

The FORWARD chain concerns packets traversing the firewall but that are directed to other hosts (for example, from the Internet to the clients on the LAN and vice versa).
The INPUT chain concerns packets that are directed to the firewall and can come from both the LAN and the Internet.
The OUTPUT chain concerns the packets generated by the firewall and that are sent out to the LAN or to the Internet.

... Among the commands that my friend wrote in the firewall there is the following:

iptables -A INPUT -i eth1 -s 0/0 -d 0/0 ACCEPT

Now, from what I had understood, the INPUT chain refers to packets going to the firewall, and if I understand how the rule is written, it says "pass all incoming packets from the LAN with any source address (-s 0/0) and for any destination (-d 0/0)". But if the INPUT chain is related to packets whose destination is the firewall machine, what sense does it make to put any destination in this rule? I could understand this rule in the FORWARD chain ........ but in the INPUT..... :o

Other: with this line

echo 1 > /proc/sys/net/ipv4/ip_forward

I enable forwarding between the two netcards, then it makes sense to add these two rules below:

iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

Evidently there is something obscure for me .... Can you help me figure out where I'm wrong?
Quoted: iptables-A INPUT-i eth1-s 0/0-d 0/0 ACCEPT
Corrected: iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
ok
related to the rule

A packet from the LAN goes into the INPUT chain only if the destination address is the address of the eth1 netcard??? Is that wrong? So from what I thought, the packets with destination address 127.0.0.0/8 or 192.168.0.255 or 255.255.255.255 didn't belong to the INPUT chain..... What are the packets that really can belong to the INPUT chain?? A packet, to have access from the Internet to the LAN, needs to match one single rule.....or more?
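A small Python model of what both posts above are asking: which chain a packet reaches (the routing decision: local delivery goes to INPUT, everything else to FORWARD, and only if ip_forward is on) and then first-match rule walking with the thread's own rules. This is an added example, not code from anyone in the thread; the interface addresses, the DROP policies, the sample packets and the "ROUTING" label for packets discarded before any chain are assumptions.

```python
import ipaddress

# Constructed model of the thread's gateway: eth0 faces the Internet, eth1 the
# LAN. Addresses and chain policies are assumptions; the thread gives neither.
IFACES = {"eth0": ipaddress.ip_interface("203.0.113.10/24"),
          "eth1": ipaddress.ip_interface("192.168.0.1/24")}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}
# The thread's rules; "-s 0/0 -d 0/0" match anything, so those keys are omitted.
RULES = {
    "INPUT":   [{"in": "eth1", "target": "ACCEPT"}],
    "FORWARD": [{"in": "eth1", "out": "eth0", "target": "ACCEPT"},
                {"in": "eth0", "out": "eth1", "target": "ACCEPT"}],
    "OUTPUT":  [],
}

def local_delivery(dst):
    """Routing decision: is dst one of this host's own addresses (unicast,
    loopback, directed or limited broadcast)? Only such packets reach INPUT."""
    if dst.is_loopback or dst == LIMITED_BROADCAST:
        return True
    return any(dst == i.ip or dst == i.network.broadcast_address
               for i in IFACES.values())

def out_iface(dst):
    """Route lookup: a directly connected network, else the default via eth0."""
    for name, i in IFACES.items():
        if dst in i.network:
            return name
    return "eth0"

def walk(chain, pkt):
    """First matching rule decides; with no match the chain policy applies."""
    for rule in RULES[chain]:
        if all(pkt.get(k) == v for k, v in rule.items() if k != "target"):
            return rule["target"]
    return POLICY[chain]

def decide(in_iface, src, dst, ip_forward=True):
    """Return (chain, verdict); in_iface=None means a locally generated packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    pkt = {"in": in_iface, "out": out_iface(dst), "src": src, "dst": dst}
    if in_iface is None:
        return "OUTPUT", walk("OUTPUT", pkt)
    if local_delivery(dst):
        return "INPUT", walk("INPUT", pkt)
    if not ip_forward:  # ip_forward=0: routing discards it, no chain sees it
        return "ROUTING", "DROP"
    return "FORWARD", walk("FORWARD", pkt)
```

With these rules a LAN packet to the firewall's own address, its subnet broadcast or 255.255.255.255 is decided by INPUT, while a LAN packet to an Internet host is decided by FORWARD, which is why the INPUT rule's -d 0/0 is harmless: the routing decision has already narrowed INPUT to local destinations.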