LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-09-2007, 03:13 AM   #1
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Rep: Reputation: 30
IPTABLES: How Packets Traverse The Filters


Quote:
1. When a packet comes in (say, through the Ethernet card) the kernel first looks at the destination of the packet: this is called `routing'.
2. If it's destined for this box, the packet passes downwards in the diagram, to the INPUT chain. If it passes this, any processes waiting for that packet will receive it.
3. Otherwise, if the kernel does not have forwarding enabled, or it doesn't know how to forward the packet, the packet is dropped. If forwarding is enabled, and the packet is destined for another network interface (if you have another one), then the packet goes rightwards on our diagram to the FORWARD chain. If it is ACCEPTed, it will be sent out.
hey guys, are these statements true even if the packets came from the LAN or the Internet?
 
Old 10-09-2007, 03:17 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,407

Rep: Reputation: 1965
what do you mean "even if"? that's the only place that's relevant (save for loopback...) where else is your traffic going to come from? you can't distinguish between where a packet came from, that's illogical at that low level. if you wish to distinguish between local and remote IPs then that's up to you to configure the iptables rules to suit.
 
Old 10-09-2007, 07:04 AM   #3
almatic
Member
 
Registered: Mar 2007
Distribution: Debian
Posts: 547

Rep: Reputation: 67
Before the routing decision, the rules in the PREROUTING chain are applied (hence the name), which gives you direct influence on the routing decision, as you can manipulate the packets before the routing decision is made.
Maybe the author intentionally disregarded the nat table.

Other than that, the quotation is correct.
 
Old 10-09-2007, 07:25 PM   #4
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Original Poster
Rep: Reputation: 30
Quote:
what do you mean "even if"? that's the only place that's relevant (save for loopback...) where else is your traffic going to come from? you can't distinguish between where a packet came from, that's illogical at that low level. if you wish to distinguish between local and remote IPs then that's up to you to configure the iptables rules to suit.
Sorry, I was confused by the routing process. I was thinking that, since the firewall is also the gateway, all connections to the net would be destined for the firewall, so they would go directly to the INPUT chain, not the FORWARD chain.

Quote:
Before the routing decision, the rules in the PREROUTING chain are applied (hence the name), which gives you direct influence on the routing decision, as you can manipulate the packets before the routing decision is made.
Maybe the author intentionally disregarded the nat table.

Other than that, the quotation is correct.
By my understanding, the statements are saying that the kernel automatically detects whether a packet is destined for the firewall or is to be forwarded. Is that right? Or do you do it manually in the routing decision?
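As an added example (not code from the thread or from the quoted HOWTO), here is a minimal gateway ruleset that puts the three posts above into practice: the kernel's routing decision sends packets addressed to the box to INPUT and routable packets to FORWARD (only if ip_forward is on), while telling LAN apart from Internet is done by the rules themselves, via the ingress interface and source network, exactly as post #2 says. The nat table post #3 mentions is included as a POSTROUTING masquerade. The interface names (eth0 as WAN, eth1 as LAN) and the LAN network 192.168.1.0/24 are assumptions; set IPT=echo (or pass "print") to preview the rules without touching the live firewall.

```shell
#!/bin/sh
# Added example gateway ruleset. Assumed layout: eth0 = Internet (WAN),
# eth1 = LAN 192.168.1.0/24, this box is the LAN's default gateway.
IPT="${IPT:-iptables}"      # set IPT=echo to print instead of apply
SYSCTL="${SYSCTL:-sysctl}"  # set SYSCTL=echo likewise
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Without forwarding enabled, the routing decision drops every packet that is
# not addressed to this box (step 3 of the quoted HOWTO); FORWARD never sees it.
enable_forwarding() {
    "$SYSCTL" -w net.ipv4.ip_forward=1
}

# Default-deny on the two chains the HOWTO describes; the box's own outbound
# traffic is left open.
base_policy() {
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
}

# INPUT: only packets the routing decision judged "for this box" arrive here.
# The kernel does not know or care whether they came from LAN or Internet;
# we express that with -i (ingress interface) and -s (source network).
input_rules() {
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    "$IPT" -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j DROP
}

# FORWARD: packets with a non-local destination the kernel can route. Only
# LAN-originated sessions and their replies are allowed through; anything
# unsolicited from the WAN side falls to the DROP policy.
forward_rules() {
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
}

# nat table: POSTROUTING runs after the routing decision, so it rewrites the
# source address of forwarded packets without changing which chain they took.
nat_rules() {
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

build_rules() {
    enable_forwarding
    base_policy
    input_rules
    forward_rules
    nat_rules
}

# Usage: sh gateway.sh print   (preview rules)   |   sh gateway.sh apply   (as root)
case "${1:-}" in
    print) IPT=echo SYSCTL=echo; build_rules ;;
    apply) build_rules ;;
esac
```

Note that nothing in the ruleset chooses INPUT versus FORWARD for a packet; that split is made by the routing decision on the destination address alone, which is why a gateway needs rules in both chains and why post #2 says local-versus-remote is a distinction you add yourself.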