LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   IPTABLES: How Packets Traverse The Filters (https://www.linuxquestions.org/questions/linux-security-4/iptables-how-packets-traverse-the-filters-590460/)

SBN 10-09-2007 03:13 AM

IPTABLES: How Packets Traverse The Filters
 
Quote:

1. When a packet comes in (say, through the Ethernet card) the kernel first looks at the destination of the packet: this is called 'routing'.
2. If it's destined for this box, the packet passes downwards in the diagram, to the INPUT chain. If it passes this, any processes waiting for that packet will receive it.
3. Otherwise, if the kernel does not have forwarding enabled, or it doesn't know how to forward the packet, the packet is dropped. If forwarding is enabled, and the packet is destined for another network interface (if you have another one), then the packet goes rightwards on our diagram to the FORWARD chain. If it is ACCEPTed, it will be sent out.
hey guys, are these statements true even if the packets came from the LAN or the Internet?

acid_kewpie 10-09-2007 03:17 AM

what do you mean "even if"? that's the only place that's relevant (save for loopback...) where else is your traffic going to come from? you can't distinguish between where a packet came from, that's illogical at that low low level. if you wish to distinguish between local and remote ip's then that's up to you to configure the iptables rules to suit.

almatic 10-09-2007 07:04 AM

before the routing decision the rules in the prerouting chain are applied (hence the name), which gives you direct influence on the routing decision as you can manipulate the packets before the routing decision is made.
Maybe the author intentionally disregarded the nat table.

Other than that, the quotation is correct.

SBN 10-09-2007 07:25 PM

Quote:

what do you mean "even if"? that's the only place that's relevant (save for loopback...) where else is your traffic going to come from? you can't distinguish between where a packet came from, that's illogical at that low low level. if you wish to distinguish between local and remote ip's then that's up to you to configure the iptables rules to suit.
sorry, i was confused with the routing process. i was thinking that since the firewall is also the gateway, all connections to the net will be destined to the firewall, so they will directly go to the INPUT chain, not the FORWARD chain.

Quote:

before the routing decision the rules in the prerouting chain are applied (hence the name), which gives you direct influence on the routing decision as you can manipulate the packets before the routing decision is made.
Maybe the author intentionally disregarded the nat table.

Other than that, the quotation is correct.
by my understanding the statements are saying that the kernel automatically detects if a packet is destined for the firewall or to be forwarded, is that right? or do you manually do it on the routing decision?
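The three quoted steps can be modelled in a few lines, which makes the answer to SBN's question concrete: the kernel compares the packet's destination address with the addresses the box owns, and that comparison (not anything you configure by hand) decides whether the packet walks INPUT or FORWARD; only the rules inside each chain are yours to write. The following is an added illustration, not code from the thread or from the kernel: a toy simulator of the routing decision plus a first-match-wins rule walk. The gateway, its addresses (192.168.1.1 on the LAN side, 203.0.113.2 on the Internet side), routes and rules are all constructed, and like the quotation it leaves out the nat table's PREROUTING step that almatic mentions.

```python
"""Toy model of the filter path quoted in the thread (constructed example):
1. routing decision, 2. INPUT for packets addressed to this box,
3. FORWARD for transit packets when forwarding is on, otherwise drop."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    src: str        # source IP
    dst: str        # destination IP
    in_iface: str   # interface it arrived on
    dport: int      # destination port


@dataclass
class Rule:
    chain: str                      # "INPUT" or "FORWARD"
    verdict: str                    # "ACCEPT" or "DROP"
    src: Optional[str] = None       # CIDR the source must fall in (like -s)
    in_iface: Optional[str] = None  # arrival interface (like -i)
    dport: Optional[int] = None     # destination port (like --dport)

    def matches(self, pkt: Packet) -> bool:
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.in_iface and pkt.in_iface != self.in_iface:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


@dataclass
class Host:
    local_addrs: Set[str]     # addresses this box owns
    routes: Dict[str, str]    # CIDR -> outgoing interface
    ip_forward: bool          # the ip_forward sysctl
    rules: List[Rule]
    policy: Dict[str, str]    # chain -> default verdict when no rule matches


def routing_decision(host: Host, pkt: Packet) -> Optional[str]:
    """Step 1: 'local' if the destination is one of our addresses, otherwise
    the outgoing interface of the longest matching route, or None if none."""
    if pkt.dst in host.local_addrs:
        return "local"
    dst = ip_address(pkt.dst)
    best: Optional[Tuple[int, str]] = None
    for cidr, iface in host.routes.items():
        net = ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def walk_chain(host: Host, chain: str, pkt: Packet) -> str:
    """First matching rule in the chain wins; otherwise the chain policy."""
    for rule in host.rules:
        if rule.chain == chain and rule.matches(pkt):
            return rule.verdict
    return host.policy.get(chain, "ACCEPT")


def traverse(host: Host, pkt: Packet) -> Tuple[str, str]:
    """Steps 2 and 3: returns (chain that handled the packet, verdict).
    A packet dropped because forwarding is off or unroutable never reaches
    a chain, which is reported as ("routing", "DROP")."""
    decision = routing_decision(host, pkt)
    if decision == "local":
        return "INPUT", walk_chain(host, "INPUT", pkt)
    if not host.ip_forward or decision is None:
        return "routing", "DROP"
    return "FORWARD", walk_chain(host, "FORWARD", pkt)


# Constructed gateway: eth1 faces the LAN, eth0 faces the Internet.
GATEWAY = Host(
    local_addrs={"192.168.1.1", "203.0.113.2", "127.0.0.1"},
    routes={"192.168.1.0/24": "eth1", "0.0.0.0/0": "eth0"},
    ip_forward=True,
    rules=[
        Rule("INPUT", "ACCEPT", src="192.168.1.0/24", dport=22),           # SSH from LAN only
        Rule("FORWARD", "ACCEPT", src="192.168.1.0/24", in_iface="eth1"),  # LAN may go out
    ],
    policy={"INPUT": "DROP", "FORWARD": "DROP"},
)

# Constructed packets for the four cases discussed in the thread.
LAN_TO_WEB = Packet("192.168.1.5", "198.51.100.7", "eth1", 80)   # transit, not for the gateway
LAN_TO_GW = Packet("192.168.1.5", "192.168.1.1", "eth1", 22)     # addressed to the gateway
NET_TO_GW = Packet("198.51.100.7", "203.0.113.2", "eth0", 22)    # Internet -> gateway itself
NET_TO_LAN = Packet("198.51.100.7", "192.168.1.5", "eth0", 445)  # Internet -> LAN host

if __name__ == "__main__":
    for name, pkt in [("LAN_TO_WEB", LAN_TO_WEB), ("LAN_TO_GW", LAN_TO_GW),
                      ("NET_TO_GW", NET_TO_GW), ("NET_TO_LAN", NET_TO_LAN)]:
        print(name, traverse(GATEWAY, pkt))
    print("forwarding off:", traverse(replace(GATEWAY, ip_forward=False), LAN_TO_WEB))
```

The first packet is the one SBN was unsure about: it arrives at the gateway but is addressed to 198.51.100.7, so the routing decision sends it to FORWARD, not INPUT, even though the gateway is the next hop. The same INPUT rule would be written for real as `iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT` with `iptables -P INPUT DROP` as the policy; the model exists only to make the chain selection visible.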

