
sam_sung 05-29-2013 01:16 AM

forward rules explanation in iptables
 
Can someone explain to me what the two forward rules are doing in this iptables script?
Code:

iptables -F
iptables -X

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.23.0/24 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i eth1 -s 192.168.23.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -t nat -F
iptables -t nat -X

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.23.0/24 -j SNAT --to-source 163.63.11.201


acid_kewpie 05-29-2013 01:33 AM

the first says that anything entering eth1 with a source address of 192.168.23.0/24 that has not been seen before will be permitted to route through the box. the second says any traffic for existing connections will be permitted to route through the box.

Ygrex 05-29-2013 01:36 AM

it is all about connection states: http://www.iptables.info/en/connection-state.html

briefly said, only traffic originating in the private network is allowed

sam_sung 05-29-2013 10:31 AM

i want to ask how iptables knows a packet is to be forwarded and must apply these rules.

Ygrex 05-29-2013 10:34 AM

it is covered clearly in the doc, just click that link

sam_sung 05-29-2013 10:37 AM

Quote:

Originally Posted by Ygrex (Post 4961414)
it is covered clearly in the doc, just click that link

i did read that document but could not find the information about how iptables knows a packet is to be forwarded and must apply these rules.

acid_kewpie 05-29-2013 10:46 AM

it knows when it receives a packet with its MAC address, but not its own IP address.

sam_sung 05-29-2013 10:51 AM

Quote:

Originally Posted by acid_kewpie (Post 4961423)
it knows when it receives a packet with its MAC address, but not its own IP address.

thanks for your reply chris. but i didn't quite understand it. could you please explain it in a little more detail.

Ygrex 05-29-2013 11:02 AM

well, locally generated traffic does not traverse any FORWARD chains, other traffic is tested against the destination IP address:
Code:

$ ip r g 127.0.0.1 | cut -d' ' -f1
local
$ ip r g 8.8.8.8 | cut -d' ' -f1
8.8.8.8
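
As an added illustration of the two points raised in this thread (the routing decision that sends a packet to INPUT or to FORWARD, and what the two FORWARD rules from the first post accept), here is a small Python model. It is not code from the thread, from iptables or from the linked document. The gateway's eth1 address 192.168.23.1, the sample LAN host, the remote addresses and the ports are constructed assumptions; 163.63.11.201 and 192.168.23.0/24 come from the posted rules. The reply packet is modelled as it looks after conntrack has already reversed the SNAT in PREROUTING, which in the kernel happens before the routing decision.

```python
import ipaddress
from dataclasses import dataclass

# Addresses owned by the firewall host itself. 163.63.11.201 is the eth0 address
# from the SNAT rule in the thread; 192.168.23.1 as the eth1 (LAN) address is an
# assumption made for this example.
LOCAL_ADDRESSES = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("192.168.23.1"),
    ipaddress.ip_address("163.63.11.201"),
}
LAN = ipaddress.ip_network("192.168.23.0/24")


@dataclass(frozen=True)
class Packet:
    in_iface: str  # interface the packet arrived on
    src: str
    dst: str
    sport: int
    dport: int


def chain_for(pkt):
    """The routing decision: a destination that is one of our own addresses is
    delivered locally (INPUT chain); everything else is routed onward and so
    traverses the FORWARD chain. This is the 'local' vs. next-hop answer that
    `ip route get <dst>` prints."""
    if ipaddress.ip_address(pkt.dst) in LOCAL_ADDRESSES:
        return "INPUT"
    return "FORWARD"


class Conntrack:
    """Minimal stand-in for the kernel connection tracker: a flow is known once
    its first packet was accepted, and packets in either direction of a known
    flow are ESTABLISHED."""

    def __init__(self):
        self.flows = set()

    def state(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"

    def confirm(self, pkt):
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))


def forward_chain(pkt, ct):
    """Evaluate the two FORWARD rules from the post in order, then the chain
    policy. Returns (verdict, reason)."""
    st = ct.state(pkt)
    # iptables -A FORWARD -i eth1 -s 192.168.23.0/24 -m state --state NEW -j ACCEPT
    if pkt.in_iface == "eth1" and ipaddress.ip_address(pkt.src) in LAN and st == "NEW":
        ct.confirm(pkt)  # the accepted first packet creates the tracked flow
        return "ACCEPT", "rule 1: new connection from the LAN"
    # iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    if st in ("RELATED", "ESTABLISHED"):
        return "ACCEPT", "rule 2: part of an existing connection"
    # iptables -P FORWARD DROP
    return "DROP", "policy: no rule matched"


def simulate():
    """Run a few constructed packets through the model in the order a real
    exchange would occur. The reply from 8.8.8.8 is shown after conntrack has
    already undone the SNAT in PREROUTING, which happens before routing."""
    ct = Conntrack()
    packets = [
        ("lan_to_internet", Packet("eth1", "192.168.23.10", "8.8.8.8", 40000, 53)),
        ("internet_reply", Packet("eth0", "8.8.8.8", "192.168.23.10", 53, 40000)),
        ("unsolicited_inbound", Packet("eth0", "198.51.100.7", "192.168.23.10", 5555, 22)),
        ("lan_to_gateway", Packet("eth1", "192.168.23.10", "192.168.23.1", 40001, 22)),
    ]
    results = {}
    for name, pkt in packets:
        chain = chain_for(pkt)
        if chain == "FORWARD":
            verdict, reason = forward_chain(pkt, ct)
        else:
            verdict, reason = "n/a", "delivered locally, FORWARD not consulted"
        results[name] = (chain, verdict, reason)
    return results


if __name__ == "__main__":
    for name, (chain, verdict, reason) in simulate().items():
        print(f"{name:20s} {chain:8s} {verdict:7s} {reason}")
```

Running it shows the outcome the thread describes: the LAN host's first packet is forwarded by rule 1, the reply is forwarded by rule 2 because conntrack already knows the flow, an unsolicited connection arriving on eth0 matches neither rule and falls to the DROP policy, and a packet addressed to the gateway itself never reaches FORWARD at all.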


sam_sung 05-29-2013 11:09 AM

Quote:

Originally Posted by Ygrex (Post 4961435)
well, locally generated traffic does not traverse any FORWARD chains, other traffic is tested against the destination IP address:
Code:

$ ip r g 127.0.0.1 | cut -d' ' -f1
local
$ ip r g 8.8.8.8 | cut -d' ' -f1
8.8.8.8


sorry, i am not much of an expert in linux. i still didn't get it :confused:

acid_kewpie 05-29-2013 11:14 AM

this has nothing at all to do with Linux. Just saying "i don't get it" isn't really helping us help you.

sam_sung 05-29-2013 11:23 AM

Quote:

Originally Posted by acid_kewpie (Post 4961448)
this has nothing at all to do with Linux. Just saying "i don't get it" isn't really helping us help you.

i am trying to understand the concept, but can't really understand it as i am not an expert like you guys are. The things you guys are saying are not easy for me to understand.

acid_kewpie 05-29-2013 11:23 AM

so what bit don't you understand? and what do you specifically want to know?

sam_sung 05-29-2013 11:32 AM

Quote:

Originally Posted by acid_kewpie (Post 4961455)
so what bit don't you understand? and what do you specifically want to know?

i understood every line of this iptables script but just couldn't understand how iptables knows a packet is to be forwarded and must apply these rules.

acid_kewpie 05-29-2013 11:35 AM

Quote:

Originally Posted by acid_kewpie (Post 4961423)
it knows when it receives a packet with its MAC address, but not its own IP address.

that still seems to cover it all for me... so what's missing from your perspective?

