why are FORWARD rules ignored in my iptables scripts
I have got most of iptables working but for some reason the FORWARD rules are ignored.
For example, in this script I get INPUT and OUTPUT log entries but no FORWARD entries.

web="eth0"
lan="wlan0"
echo "Web: $web"
echo "Lan: $lan"

echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# clear current firewall
iptables -X
iptables -t filter -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# accept loopback
iptables -A INPUT -i lo -j ACCEPT

# for testing
iptables -I FORWARD -j LOG --log-prefix 'forward rules start *******'
iptables -I INPUT -j LOG --log-prefix 'input rules start *******'
iptables -I OUTPUT -j LOG --log-prefix 'output rules start *******'
Hi,
There could be a syntax error in your FORWARD chain rules. Post some of the rules so we can figure out what's wrong.
I have not included routing rules for that very reason. The script I have posted should put entries in the log regardless of any routing rules. Indeed the input and output statements do put entries in the log. So why does the forward log statement not put an entry in the log?
I think maybe there is some switch somewhere that I need to flick besides ip_forward.
Perhaps it is an issue with the other settings?
I have a Windows machine with the proxy set to 192.168.0.6:80. 192.168.0.6 is my Linux box. I have no server or other software listening on port 80. 192.168.0.1 is my standard router for my wireless network on wlan0. It is also connected via cable to the laptop on eth0.

Oh, and I have done an iptables -v -x -n -L. This shows zero packets hitting the FORWARD chain.
the answer
Now I feel dumb but maybe others also misunderstand the difference between a proxy and a gateway so here is an explanation.
DIRECT REQUEST
You request reddit.com/r/politics with no proxy. This has destination=reddit.com, path=/r/politics, and because it is not on the LAN it is routed via the router, gateway=192.168.0.1.

PROXY REQUEST
You request reddit.com/r/politics and you have set a proxy server 192.168.0.6:80. This has destination=192.168.0.6:80 and path=reddit.com/r/politics.
- It arrives at 192.168.0.6 as the final destination; it is filtered by the iptables INPUT rules.
- The proxy server receives the message "reddit.com/r/politics". It does whatever it is programmed to do, perhaps issues a new request to reddit.com/r/politics.
- The new request is filtered by the iptables OUTPUT rules.
- The response is filtered by the iptables INPUT rules.
- The proxy server sends the response to the client; the message to the client is filtered by the iptables OUTPUT rules.

USING LINUX BOX AS GATEWAY
You request reddit.com/r/politics with no proxy and the gateway has been set to the Linux box on 192.168.0.6. This has destination=reddit.com, path=/r/politics, and because it is not on the LAN it is routed via the gateway=192.168.0.6. It is filtered by the FORWARD rules.

So I need to set the gateway address on the client either manually or by running a DHCP server on the Linux box.
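The gateway case above is the one where packets actually traverse FORWARD. The script below is an added example, not code from the thread: it keeps the poster's interface names (web="eth0", lan="wlan0") and the 192.168.0.0/24 LAN, and assumes eth0 faces the router and wlan0 faces the clients. It replaces the ACCEPT-everything FORWARD policy with a default-deny ruleset plus NAT, and only touches the kernel when invoked with "apply"; any other invocation just prints the iptables commands for review.

```shell
#!/bin/sh
# Added example (not from the thread): make the Linux box a NAT gateway so
# client traffic is routed through the FORWARD chain instead of ending in INPUT.
# Interface names and LAN range come from the thread; the rest is assumed.
set -eu

web="eth0"                 # assumed upstream side, towards the router 192.168.0.1
lan="wlan0"                # assumed client side
lan_net="192.168.0.0/24"   # assumed LAN range

# Emit the iptables invocations through $1, which is "iptables" for a real run
# and "echo iptables" for a dry run (the default, and what the test exercises).
gateway_rules() {
    IPT="$1"
    $IPT -t filter -F FORWARD
    $IPT -t nat -F POSTROUTING
    # Default deny on FORWARD: only explicitly allowed traffic gets routed.
    $IPT -P FORWARD DROP
    # Return traffic for connections the LAN already opened.
    $IPT -A FORWARD -i "$web" -o "$lan" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections from the LAN range towards the internet.
    $IPT -A FORWARD -i "$lan" -o "$web" -s "$lan_net" -m conntrack --ctstate NEW -j ACCEPT
    # Everything else reaching FORWARD is logged (rate limited) and hits the DROP policy.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    # Rewrite LAN source addresses so replies come back to this box.
    $IPT -t nat -A POSTROUTING -o "$web" -s "$lan_net" -j MASQUERADE
}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    gateway_rules iptables
    # FORWARD counters should now increase once a client uses 192.168.0.6 as its gateway.
    iptables -v -x -n -L FORWARD
else
    gateway_rules "echo iptables"
fi
```

The client still has to point its default gateway at 192.168.0.6 (manually or via DHCP); with the proxy setting alone, traffic keeps terminating on the box and only INPUT/OUTPUT counters move.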