LinuxQuestions.org


rainbow3 09-19-2012 06:21 AM

why are FORWARD rules ignored in my iptables scripts
 
I have got most of iptables working but for some reason the FORWARD rules are ignored.

For example in this script I get INPUT and OUTPUT log entries but no FORWARD entries.

#!/bin/sh
web="eth0"
lan="wlan0"
echo "Web: $web"
echo "Lan: $lan"
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter
do echo 1 > "$f"
done
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# clear current firewall (flush first: -X fails on user chains that still hold rules)
iptables -t filter -F
iptables -t nat -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# accept loopback
iptables -A INPUT -i lo -j ACCEPT

# for testing: log every packet as it enters each chain
iptables -I FORWARD -j LOG --log-prefix 'forward rules start *******'
iptables -I INPUT -j LOG --log-prefix 'input rules start *******'
iptables -I OUTPUT -j LOG --log-prefix 'output rules start *******'

hamlindsza 09-19-2012 09:32 AM

Hi,

There could be a syntax error in your FORWARD chain rules. Post some of the rules so we can figure out what's wrong.

rainbow3 09-19-2012 12:22 PM

I have not included routing rules for that very reason. The script I have posted should put entries in the log regardless of any routing rules. Indeed the input and output statements do put entries in the log. So why does the forward log statement not put an entry in the log?

I think maybe there is some switch somewhere that I need to flick besides ip_forward.

rainbow3 09-19-2012 03:07 PM

Perhaps it is an issue with the other settings?

I have a Windows machine with the proxy set to 192.168.0.6:80.

192.168.0.6 is my Linux box. I have no server or other software listening on port 80.

192.168.0.1 is my standard router for my wireless network on wlan0. It is also connected via cable to the laptop on eth0.

Oh, and I have done an iptables -v -x -n -L. This shows zero packets hitting the FORWARD chain.

rainbow3 09-20-2012 05:53 AM

The answer
 
Now I feel dumb, but maybe others also misunderstand the difference between a proxy and a gateway, so here is an explanation.

DIRECT REQUEST
You request reddit.com/r/politics with no proxy.
This has destination=reddit.com path=/r/politics and, because it is not on the LAN, it is routed via the router gateway=192.168.0.1.

PROXY REQUEST
You request reddit.com/r/politics and you have set a proxy server 192.168.0.6:80.
This has destination=192.168.0.6:80 and path=reddit.com/r/politics.
It arrives at 192.168.0.6 as the final destination.
It is filtered by the iptables INPUT rules.
The proxy server receives the message "reddit.com/r/politics". It does whatever it is programmed to do, perhaps issues a new request to reddit/r/politics.
The new request is filtered by the iptables OUTPUT rules.
The response is filtered by the iptables INPUT rules.
The proxy server sends the response to the client.
The message to the client is filtered by the iptables OUTPUT rules.

USING LINUX BOX AS GATEWAY
You request reddit.com/r/politics with no proxy and the gateway has been set to the Linux box on 192.168.0.6.
This has destination=reddit.com path=/r/politics and, because it is not on the LAN, it is routed via the router gateway=192.168.0.6.
It is filtered by the FORWARD rules.

So I need to set the gateway address on the client, either manually or by running a DHCP server on the Linux box.
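As an added illustration of the routing decision explained in the post above (example code, not from the thread), this small Python model decides which filter chain a packet reaches on the Linux box: a packet addressed to one of the box's own addresses hits INPUT, a packet for another host hits FORWARD only when ip_forward is 1 (otherwise the kernel drops it before any chain), and traffic the box itself originates hits OUTPUT. The client address, the "reddit.com" address and the proxy's upstream request are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed addressing taken from the thread (Linux box 192.168.0.6, router
# 192.168.0.1); the client and the "reddit.com" address are made-up values.
CLIENT = "192.168.0.20"
DNS = {"reddit.com": "203.0.113.10"}   # constructed, documentation-range IP

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    locally_generated: bool = False   # True for packets this host itself sends

@dataclass(frozen=True)
class Host:
    addresses: frozenset   # IPs configured on the box's own interfaces
    ip_forward: bool       # value of /proc/sys/net/ipv4/ip_forward

    def chain_for(self, pkt):
        """Filter-table chain that sees pkt, or None if it never reaches one."""
        if pkt.locally_generated:
            return "OUTPUT"
        if pkt.dst in self.addresses:
            return "INPUT"          # this box is the final destination
        if not self.ip_forward:
            return None             # routed traffic is dropped before FORWARD
        return "FORWARD"            # to be routed on to another host

def client_request(url_host, path, proxy=None):
    """(packet, request_line) a client emits for http://url_host/path."""
    if proxy:
        # Proxy set: TCP destination is the proxy, request line is the absolute URL.
        host, port = proxy.split(":")
        return Packet(CLIENT, host, int(port)), f"GET http://{url_host}{path} HTTP/1.1"
    # No proxy: destination is the origin host; the default gateway only routes it.
    return Packet(CLIENT, DNS[url_host], 80), f"GET {path} HTTP/1.1"

def chains_hit(box, url_host, path, proxy=None):
    """Chains on the Linux box traversed by one client request, in order."""
    pkt, _ = client_request(url_host, path, proxy)
    first = box.chain_for(pkt)
    if first != "INPUT":
        return [first] if first else []
    # A proxy listening on the box answers by making its own upstream request.
    upstream = Packet(pkt.dst, DNS[url_host], 80, locally_generated=True)
    return [first, box.chain_for(upstream)]
```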

