LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 11-07-2005, 11:45 PM   #1
vishamr2000
Member
 
Registered: Aug 2004
Posts: 210

Rep: Reputation: 31
help with iptables rule!!


Hi to all,

I wanted some confirmation about the following:

iptables -A FORWARD -i eth0 -o eth0 -s 192.168.10.2/24 -d 192.168.10.3/24 -p icmp --icmp-type echo-request -j ACCEPT

With a rule like the above, does the destination MAC address change to that of the PC with IP address 192.168.10.3 from that of the PC that is performing the forwarding (i.e. the PC in which this rule is found)?

regards,
Visham
 
Old 11-08-2005, 02:43 AM   #2
avatarfx
Member
 
Registered: May 2004
Posts: 34

Rep: Reputation: 16
The destination MAC address does not travel with the packet because that belongs to Layer 2. The MAC address is going to be retrieved after the packet enters your network. If you do that inside of your network, the computer forwarding the packet will broadcast again (or retrieve from its ARP table) the MAC address of 192.168.10.3.
 
1 members found this post helpful.
Old 11-08-2005, 05:00 AM   #3
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,276

Rep: Reputation: 61
Re: help with iptables rule!!

Quote:
Originally posted by vishamr2000
Hi to all,

I wanted some confirmation about the following:

iptables -A FORWARD -i eth0 -o eth0 -s 192.168.10.2/24 -d 192.168.10.3/24 -p icmp --icmp-type echo-request -j ACCEPT

With a rule like the above, does the destination MAC address change to that of the PC with IP address 192.168.10.3 from that of the PC that is performing the forwarding (i.e. the PC in which this rule is found)?

regards,
Visham
Plus the rule is not correct, you have the `-i eth0 -o eth0`; it must have the other interface that you are forwarding to, like `-i eth0 -o eth1`.
 
1 members found this post helpful.
Old 11-08-2005, 11:43 PM   #4
vishamr2000
Member
 
Registered: Aug 2004
Posts: 210

Original Poster
Rep: Reputation: 31
Hi to all,

Many thanks to avatarfx & fotoguy for the replies...

Quote:
Originally posted by fotoguy
Plus the rule is not correct, you have the `-i eth0 -o eth0`; it must have the other interface that you are forwarding to, like `-i eth0 -o eth1`.

The rule I wrote is correct. You can receive and transmit on the same interface because we use 2 pairs of receive & transmit lines in a NIC. So `-i eth0 -o eth0` stands.

I have a PC to which I send traffic. Depending on the src and dst IP addresses, it forwards the traffic. I enabled IP forwarding on the PC and I have the above iptables rule doing the forwarding. Basically the problem that I face is that when I have two NICs active in that PC, ICMP traffic is forwarded but it does not go out of the same interface on which it was received but rather from the other NIC, which is not what I want. It's like the traffic is received on eth0, forwarded to eth1 and then out through eth1. It should normally have been received on eth0 and out through eth0 itself.

When I disable one of the NICs, ICMP traffic is no longer forwarded. Actually the rule should work even when you have only one NIC.

If anyone knows what I'm doing wrong, or actually not doing, please let me know..

Thanks again..

Warm regards,
Visham
 
1 members found this post helpful.
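To make the two points in this thread concrete, here is an added Python model (not code from the thread or from any poster): the output interface `-o` tests is chosen by the kernel's routing table, with the rule only filtering on that decision, and a `/24` on `-s`/`-d` matches the whole 192.168.10.0/24, not just .2 and .3. The routing tables `ROUTES` and `ROUTES_HOSTROUTE` and the sample packets are constructed assumptions.

```python
# Added example, not from the thread. Models the posted FORWARD rule: how the
# kernel picks the output interface (-o only filters on it) and what /24 matches.
import ipaddress
import shlex

# The rule exactly as posted in the thread.
RULE = ("iptables -A FORWARD -i eth0 -o eth0 -s 192.168.10.2/24 "
        "-d 192.168.10.3/24 -p icmp --icmp-type echo-request -j ACCEPT")

# Constructed routing tables (assumptions): eth0 carries the LAN, eth1 another
# subnet; the second table adds a host route that moves .3 behind eth1.
ROUTES = [("192.168.10.0/24", "eth0"), ("10.0.0.0/24", "eth1")]
ROUTES_HOSTROUTE = ROUTES + [("192.168.10.3/32", "eth1")]

MATCH_OPTS = ("-i", "-o", "-s", "-d", "-p", "--icmp-type", "-j")


def parse_rule(rule):
    """Collect the rule's match options; -s/-d become networks.

    strict=False mirrors iptables: 192.168.10.2/24 is the whole /24, so
    limiting the rule to two hosts needs /32 (or no mask) instead."""
    argv = shlex.split(rule)
    opts = {tok: argv[i + 1] for i, tok in enumerate(argv) if tok in MATCH_OPTS}
    opts["-s"] = ipaddress.ip_network(opts["-s"], strict=False)
    opts["-d"] = ipaddress.ip_network(opts["-d"], strict=False)
    return opts


def route_lookup(dst, routes):
    """Longest-prefix match: this, not the iptables rule, decides -o."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None


def rule_matches(opts, in_iface, src, dst, proto, routes):
    """Would the FORWARD rule ACCEPT this packet given this routing table?"""
    return (in_iface == opts["-i"]
            and route_lookup(dst, routes) == opts["-o"]
            and ipaddress.ip_address(src) in opts["-s"]
            and ipaddress.ip_address(dst) in opts["-d"]
            and proto == opts["-p"])
```

With `ROUTES` the rule accepts any echo-request between any two hosts of the /24 that leaves via eth0; with the host route added, the same .2 to .3 packet is routed out eth1 and the `-o eth0` rule no longer matches it.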
Old 11-09-2005, 12:18 AM   #5
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,276

Rep: Reputation: 61
Quote:
Originally posted by vishamr2000
Hi to all,

Many thanks to avatarfx & fotoguy for the replies...

Quote:
Originally posted by fotoguy
Plus the rule is not correct, you have the `-i eth0 -o eth0`; it must have the other interface that you are forwarding to, like `-i eth0 -o eth1`.

The rule I wrote is correct. You can receive and transmit on the same interface because we use 2 pairs of receive & transmit lines in a NIC. So `-i eth0 -o eth0` stands.

I have a PC to which I send traffic. Depending on the src and dst IP addresses, it forwards the traffic. I enabled IP forwarding on the PC and I have the above iptables rule doing the forwarding. Basically the problem that I face is that when I have two NICs active in that PC, ICMP traffic is forwarded but it does not go out of the same interface on which it was received but rather from the other NIC, which is not what I want. It's like the traffic is received on eth0, forwarded to eth1 and then out through eth1. It should normally have been received on eth0 and out through eth0 itself.

When I disable one of the NICs, ICMP traffic is no longer forwarded. Actually the rule should work even when you have only one NIC.

If anyone knows what I'm doing wrong, or actually not doing, please let me know..

Thanks again..

Warm regards,
Visham
I stand corrected. With what I know about the forwarding rule, it must forward the packet to the next interface; that is what the forwarding chain is designed to do. I am curious as to why you want the ICMP packet to go in and out of the same device.
 
Old 11-09-2005, 04:11 AM   #6
vishamr2000
Member
 
Registered: Aug 2004
Posts: 210

Original Poster
Rep: Reputation: 31
Quote:
"I am curious as to why you want the ICMP packet to go in and out of the same device."
Well I have only one NIC ;-) .. the PC does some processing on incoming traffic and then redirects it out of the same interface for its final destination. That's all..

One thing though, I once asked the guys from the netfilter mailing list. They told me that the rule was good.

Regards,
Visham
 
Old 11-09-2005, 05:34 AM   #7
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,276

Rep: Reputation: 61
Fair enough