How iptables directs to localhost in this series of iptable rules
 

Hello,

I have implimented a dansguardian system using dansguardian and privoxy. I borrowed a script from Ubuntu CE that makes it where a firewall program like firehol is not needed and it doesn't need a reconfigure of the proxy settings in browsers to be changed. I really like it that way. All is working well from that standpoint. I want to fully understand HOW it works on the iptables rules, though. I have most of it. Included is the code from my /etc/init.d/dansguardian_firewall init routine. Above this, I am going to make comments and ask questions. What I ask is for someone to help me understand fully how it works, esp the postrouting nat and output nat rules that are the business end of sending all web requests to localhost where it can be managed by Dansguardian.

# I understand this flushes any -t filter rules

iptables -F

# This removes any user-created chains in -t filter

iptables -X

# This flushes any -t nat chain rules

iptables -t nat -F

# This removes and user-created -t nat chains

iptables -t nat -X

# This flushes -t mangle

iptables -t mangle -F

# This removes user-created -t mangle chains

iptables -t mangle -X

# This sets the firewall policies on FORWARD to accept, not sure what FORWARD does. Any explaination would be appreciated.

iptables -P FORWARD ACCEPT

# This sets the firewall policy to accept all outbound traffic

iptables -P OUTPUT ACCEPT

# Here is where I start having a lot of trouble. What is the postrouting mean verses prerouting, etc? What is the -t nat doing actually? Is -o because it is being directed to localhost (127.0.0.1). I understand -p tcp that this limits it to the tcp protocol (not UDP or both). --dport is short for -m tcp --dport 8080 to cause it to direct it to port 127.0.0.1:8080 where dansguardian is listening. What is -j SNAT --to 127.0.0.1 exactly doing? How is it directing to localhost in the first place? Why does it go on POSTROUTING instead of OUTPUT?

iptables -A POSTROUTING -t nat -o lo -p tcp --dport 8080 -j SNAT --to 127.0.0.1

# This is saying to make request not by root and not to 127.0.0.1 to route port 80 direct to localhost 8080 where dansguardian is listening, right? Further elaboration is appreciated. If this is so, it would make more sense to me to have this rule before the previous rule. Does it matter? If so, why? Why is it on OUTPUT and not POSTROUTING?

iptables -A OUTPUT -t nat ! -d 127.0.0.1 -p tcp --dport 80 -m owner ! --uid-owner root -j REDIRECT --to-ports 8080

# Sets the policy on incoming connects to DROP (modified by the rules below)

iptables -P INPUT DROP

# This makes inbound request to localhost accepted. Why is this necessary? If this isn't included, then web sites won't load. I'm sure it has to do with dansguardian working over localhost, but please give me a more full understanding.

iptables -A INPUT -i lo -j ACCEPT

# Here is something I really don't undrstand. If this rule isn't included, allowed and blocked web sites won't load. I removed the RELATED, and it still loaded. I removed just the ESTABLISHED, and it wouldn't load. What is it that is established that it is accepting? Much elaboration needed here.

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#I wrote many of these rules below and understand why they work. It is looking for new connect attempts to those ports that are needed for various services (I dn't run a web or mail server, so I don't leave those open).

## Open port for ssh server (22), web server (80), and mail server (25)
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
#iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
#iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

## Uncomment below to open NSF port, edit the port accoring actual setting
iptables -A INPUT -p tcp --dport 111 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 111 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 2049 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 2049 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 4045 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 4045 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 32771 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 32771 -m state --state NEW -j ACCEPT
## Open ports for NSF end

#Accept Ping request
iptables -A INPUT -p icmp -j ACCEPT

## Drop other packets, Logging, and closing firewall.

#What is this rule actually doing?

iptables -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP

#What is this rule actually doing?

iptables -A INPUT -d 224.0.0.1 -j DROP

#What is this rule actually doing?

iptables -A INPUT -j LOG

#What is this rule actually doing?

iptables -A INPUT -j REJECT

Further explaination is much appreciated.

Kind Regards,
Narnie

Hi Narnie,

Let's first clarify few things.
You are not experiencing a problem on your system? Are you?
You want to understand the configuration of your iptable. You already figured out what some lines means, and you want to understand the others. For that I will recommend you to read the man pages of iptables. You are asking too many questions, that I am afraid isolated answers can lead to confusion. Read the man pages, and then come back with specific concerns if any remain.

Regards,

Tshimanga.

As tshikose said,

RTFM
then
http://www.linuxhomenetworking.com/w...Using_iptables - This link gives quite a good intro to iptables.

then, read them both again...

Then, backup those rules (if they work for you), and get your hands dirty building your own set of rules..
You may also want to have a look at hping3 and nmap (again, RTFM) for testing..

No, everything is working as I want it to as it blocks unwanted sites and allows wanted sites, I just want to fully understand how. I have read the man pages re: them already. My problem is that I'm on the steep learning curve and don't have the background to understand some of the intricacies of what is going on (like the nat rules and what is the deal with the 255.255.255.255/0.0.0.255 and 224.0.0.1 rules, what are those number?).

My setup is client browser -> iptables -> Dansguardian -> privoxy -> Linksys hardware router -> world internet one machine, no server computers involved so it is filtering the traffic from one machine.

Thanks,
Narnie

Mate,
I taught myself iptables from the link i posted above, and reading the man pages... and im a welder by trade, if i can do it, you can too :)

Those numbers, the left side of the / is the ip address, the right side is the subnet. 255.255.255.255 is a broadcast address, used to send to all other ip's on the subnet.

http://lartc.org/howto/ is another good site to learn all this stuff, but its fairly detailed..

Thanks, fukawi1. And also thanks for the encouragement :)

Narnie