LinuxQuestions.org, Linux - Security: help with iptables rule!! (http://www.linuxquestions.org/questions/linux-security-4/help-with-iptables-rule-380977/)

vishamr2000 11-08-2005 12:45 AM

help with iptables rule!!
 
Hi to all,

I wanted some confirmation about the following:

iptables -A FORWARD -i eth0 -o eth0 -s 192.168.10.2/24 -d 192.168.10.3/24 -p icmp --icmp-type echo-request -j ACCEPT

With a rule like the above, does the destination MAC address change to that of the PC with IP address 192.168.10.3 from that of the PC that is performing the forwarding (i.e. the PC in which this rule is found)?

regards,
Visham
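One detail of the rule quoted above is easy to miss: iptables applies the mask to the address it is given, so `-s 192.168.10.2/24` matches the whole 192.168.10.0/24 network, not the single host 192.168.10.2 (iptables prints the rule back as 192.168.10.0/24). The script below is an added example, not code from the thread; it reproduces that masking in plain POSIX shell so you can see which hosts a `-s`/`-d` argument really covers. All addresses are the ones from the posted rule, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: compute the network an iptables -s/-d CIDR argument matches.
# iptables masks the address before matching, so 192.168.10.2/24 is the same
# match as 192.168.10.0/24. Pure POSIX sh arithmetic, no external tools.

# ip_to_int 192.168.10.2 -> 3232238082
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232238080 -> 192.168.10.0
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_mask 24 -> 4294967040 (0xFFFFFF00); a bare address is treated as /32
cidr_mask() {
    echo $(( $1 == 0 ? 0 : (4294967295 << (32 - $1)) & 4294967295 ))
}

# cidr_network 192.168.10.2/24 -> 192.168.10.0/24
# This is what iptables actually stores for the posted -s and -d arguments.
cidr_network() {
    addr=${1%/*}
    bits=${1#*/}
    [ "$bits" = "$1" ] && bits=32
    n=$(ip_to_int "$addr")
    echo "$(int_to_ip $(( n & $(cidr_mask "$bits") )))/$bits"
}

# in_cidr ADDR CIDR: exit 0 when ADDR falls inside the network CIDR matches
in_cidr() {
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    mask=$(cidr_mask "$bits")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# Demonstration: the posted rule lets any host in 192.168.10.0/24 ping any
# other host in that network through the forwarder, not just .2 to .3.
show() {
    printf '%-18s matches network %s\n' "$1" "$(cidr_network "$1")"
}
show 192.168.10.2/24
show 192.168.10.3/24
show 192.168.10.2/32
if in_cidr 192.168.10.77 192.168.10.2/24; then
    echo "192.168.10.77 is matched by -s 192.168.10.2/24 (whole subnet)"
fi
if ! in_cidr 192.168.10.77 192.168.10.2/32; then
    echo "192.168.10.77 is NOT matched by -s 192.168.10.2/32 (single host)"
fi
```

To restrict the rule to the two hosts the poster names, drop the `/24` (or write `/32`) on both `-s` and `-d`. Note also that iptables accepts `-i eth0 -o eth0`: the kernel's routing lookup chooses the output interface before the FORWARD chain is consulted, so `-o` only filters on that choice, it does not steer the packet.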

avatarfx 11-08-2005 03:43 AM

The destination MAC address does not travel with the packet because that belongs to Layer 2. The MAC address is going to be retrieved after the packet enters your network. If you do that inside of your network, the computer forwarding the packet will broadcast again (or retrieve from its ARP table) the MAC address of 192.168.10.3.

fotoguy 11-08-2005 06:00 AM

Re: help with iptables rule!!
 
Quote:

Originally posted by vishamr2000
Hi to all,

I wanted some confirmation about the following:

iptables -A FORWARD -i eth0 -o eth0 -s 192.168.10.2/24 -d 192.168.10.3/24 -p icmp --icmp-type echo-request -j ACCEPT

With a rule like the above, does the destination MAC address change to that of the PC with IP address 192.168.10.3 from that of the PC that is performing the forwarding (i.e. the PC in which this rule is found)?

regards,
Visham

Plus the rule is not correct: you have `-i eth0 -o eth0`; it must have the other interface that you are forwarding to, like `-i eth0 -o eth1`.

vishamr2000 11-09-2005 12:43 AM

Hi to all,

Many thx to avatarfx & fotoguy for the replies...

<quote>
Plus the rule is not correct: you have `-i eth0 -o eth0`; it must have the other interface that you are forwarding to, like `-i eth0 -o eth1`.
</quote>

The rule I wrote is correct. You can receive and transmit on the same interface because we use 2 pairs of receive & transmit lines in a NIC. So `-i eth0 -o eth0` stands.

I have a PC to which I send traffic. Depending on the src and dst IP addresses, it forwards the traffic. I enabled IP forwarding on the PC and I have the above iptables rule doing the forwarding. Basically the problem that I face is that when I have two NICs active in that PC, ICMP traffic is forwarded but it does not go out of the same interface on which it was received but rather from the other NIC, which is not what I want. It's like the traffic is received on eth0, forwarded to eth1 and then out through eth1. It should normally have been received on eth0 and out through eth0 itself.

When I disable one of the NICs, ICMP traffic is no longer forwarded. Actually the rule should work even when you have only one NIC.

If anyone knows what I'm doing wrong, or actually not doing, please let me know.

Thx again..

Warm regards,
Visham

fotoguy 11-09-2005 01:18 AM

Quote:

Originally posted by vishamr2000
Hi to all,

Many thx to avatarfx & fotoguy for the replies...

<quote>
Plus the rule is not correct: you have `-i eth0 -o eth0`; it must have the other interface that you are forwarding to, like `-i eth0 -o eth1`.
</quote>

The rule I wrote is correct. You can receive and transmit on the same interface because we use 2 pairs of receive & transmit lines in a NIC. So `-i eth0 -o eth0` stands.

I have a PC to which I send traffic. Depending on the src and dst IP addresses, it forwards the traffic. I enabled IP forwarding on the PC and I have the above iptables rule doing the forwarding. Basically the problem that I face is that when I have two NICs active in that PC, ICMP traffic is forwarded but it does not go out of the same interface on which it was received but rather from the other NIC, which is not what I want. It's like the traffic is received on eth0, forwarded to eth1 and then out through eth1. It should normally have been received on eth0 and out through eth0 itself.

When I disable one of the NICs, ICMP traffic is no longer forwarded. Actually the rule should work even when you have only one NIC.

If anyone knows what I'm doing wrong, or actually not doing, please let me know.

Thx again..

Warm regards,
Visham

I stand corrected. With what I know about the forwarding rule, it must forward the packet to the next interface; that is what the forwarding chain is designed to do. I am curious as to why you want the ICMP packet to go in and out of the same device.

vishamr2000 11-09-2005 05:11 AM

Quote:

"I am curious as to why you want the ICMP packet to go in and out of the same device."

Well, I have only one NIC ;-). The PC does some processing on incoming traffic and then redirects it out of the same interface for its final destination. That's all.

One thing though, I once asked the guys from the netfilter mailing list. They told me that the rule was good.

Regards,
Visham

fotoguy 11-09-2005 06:34 AM

Fair enough
