Old 05-29-2013, 01:16 AM   #1
sam_sung
LQ Newbie
 
Registered: Oct 2012
Posts: 27

Rep: Reputation: Disabled
forward rules explanation in iptables


Can someone explain to me what the two forward rules are doing in this iptables script?
Code:
iptables -F
iptables -X

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.23.0/24 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i eth1 -s 192.168.23.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -t nat -F
iptables -t nat -X

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.23.0/24 -j SNAT --to-source 163.63.11.201
 
Old 05-29-2013, 01:33 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
the first says that anything entering eth1 with a source address of 192.168.23.0/24 that has not been seen before will be permitted to route through the box. the second says any traffic for existing connections will be permitted to route through the box.
 
1 members found this post helpful.
Old 05-29-2013, 01:36 AM   #3
Ygrex
Member
 
Registered: Nov 2004
Location: Russia (St.Petersburg)
Distribution: Debian
Posts: 666

Rep: Reputation: 68
it is all about connection states: http://www.iptables.info/en/connection-state.html

briefly said, only traffic originating in the private network is allowed
 
Old 05-29-2013, 10:31 AM   #4
sam_sung
Original Poster
Rep: Reputation: Disabled
I want to ask how iptables knows a packet is to be forwarded and must apply these rules.
 
Old 05-29-2013, 10:34 AM   #5
Ygrex
it is covered clearly in the doc, just click that link
 
Old 05-29-2013, 10:37 AM   #6
sam_sung
Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Ygrex
it is covered clearly in the doc, just click that link
I did read that document but could not find the information about how iptables knows a packet is to be forwarded and must apply these rules.
 
Old 05-29-2013, 10:46 AM   #7
acid_kewpie
it knows when it receives a packet with its MAC address, but not its own IP address.
 
Old 05-29-2013, 10:51 AM   #8
sam_sung
Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by acid_kewpie
it knows when it receives a packet with its MAC address, but not its own IP address.
Thanks for your reply Chris, but I didn't quite understand it. Could you please explain it in a little more detail?
 
Old 05-29-2013, 11:02 AM   #9
Ygrex
well, locally generated traffic does not traverse any FORWARD chains, other traffic is tested against the destination IP address:
Code:
$ ip r g 127.0.0.1 | cut -d' ' -f1
local
$ ip r g 8.8.8.8 | cut -d' ' -f1
8.8.8.8
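As an added example (not from the thread), the two decisions the thread is about modeled in Python: the routing step that sends a packet to INPUT or FORWARD (what Ygrex's `ip route get` shows) and then the two posted FORWARD rules evaluated with a minimal connection-state table. Assumptions: the box's own addresses are constructed (192.168.23.1 for eth1 is a placeholder, 163.63.11.201 comes from the post), NAT and the RELATED state are left out, and the reply from the internet is shown already de-NATed, as nat PREROUTING would leave it before the routing decision.

```python
import ipaddress

# Constructed addresses of the box itself: lo, eth1 (placeholder), eth0 (from the post).
LOCAL_ADDRS = {"127.0.0.1", "192.168.23.1", "163.63.11.201"}
LAN = ipaddress.ip_network("192.168.23.0/24")


def routing_decision(dst_ip, ip_forward=True):
    """Routing step after PREROUTING: a destination that is one of our own
    addresses goes to INPUT; anything else is a forwarding candidate, which
    never reaches FORWARD at all while net.ipv4.ip_forward is 0."""
    if dst_ip in LOCAL_ADDRS:
        return "INPUT"
    return "FORWARD" if ip_forward else "DROP(ip_forward=0)"


class Conntrack:
    """Minimal state table: a flow seen before in either direction is
    ESTABLISHED, anything else is NEW (RELATED is not modeled)."""

    def __init__(self):
        self.flows = set()

    def state(self, src, dst):
        if (src, dst) in self.flows or (dst, src) in self.flows:
            return "ESTABLISHED"
        return "NEW"

    def record(self, src, dst):
        self.flows.add((src, dst))


def forward_chain(pkt, ct):
    """The two FORWARD rules from the post, then the chain policy DROP."""
    state = ct.state(pkt["src"], pkt["dst"])
    # -A FORWARD -i eth1 -s 192.168.23.0/24 -m state --state NEW -j ACCEPT
    if pkt["iif"] == "eth1" and ipaddress.ip_address(pkt["src"]) in LAN and state == "NEW":
        ct.record(pkt["src"], pkt["dst"])  # conntrack now knows this flow
        return "ACCEPT"
    # -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    if state in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    return "DROP"  # -P FORWARD DROP


def filter_packet(pkt, ct, ip_forward=True):
    """Full path for one packet: routing decision, then FORWARD if applicable."""
    chain = routing_decision(pkt["dst"], ip_forward)
    if chain != "FORWARD":
        return chain
    return "FORWARD:" + forward_chain(pkt, ct)
```

Running the LAN request, its reply and an unsolicited inbound packet through `filter_packet` shows why Ygrex summarised the ruleset as "only traffic originating in the private network is allowed".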
 
Old 05-29-2013, 11:09 AM   #10
sam_sung
Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Ygrex
well, locally generated traffic does not traverse any FORWARD chains, other traffic is tested against the destination IP address:
Code:
$ ip r g 127.0.0.1 | cut -d' ' -f1
local
$ ip r g 8.8.8.8 | cut -d' ' -f1
8.8.8.8
Sorry, I am not an expert in Linux. I still didn't get it.
 
Old 05-29-2013, 11:14 AM   #11
acid_kewpie
this has nothing at all to do with Linux. Just saying "i don't get it" isn't really helping us help you.
 
Old 05-29-2013, 11:23 AM   #12
sam_sung
Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by acid_kewpie
this has nothing at all to do with Linux. Just saying "i don't get it" isn't really helping us help you.
I am trying to understand the concept, but can't really understand it as I am not an expert like you guys are. The things you guys are saying are not easy for me to understand.
 
Old 05-29-2013, 11:23 AM   #13
acid_kewpie
so what bit don't you understand? and what do you specifically want to know?

Last edited by acid_kewpie; 05-29-2013 at 11:25 AM.
 
Old 05-29-2013, 11:32 AM   #14
sam_sung
Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by acid_kewpie
so what bit don't you understand? and what do you specifically want to know?
I understood every line of these iptables rules but just couldn't understand how iptables knows a packet is to be forwarded and must apply these rules.
 
Old 05-29-2013, 11:35 AM   #15
acid_kewpie
Quote:
Originally Posted by acid_kewpie
it knows when it receives a packet with its MAC address, but not its own IP address.
that still seems to cover it all for me... so what's missing from your perspective?