LinuxQuestions.org

Linux - Server > iptables (https://www.linuxquestions.org/questions/linux-server-73/iptables-768740/)

moekad 11-12-2009 02:46 PM

iptables
 
Hey,
I need help. Actually I read many sites about iptables, but I need to understand this mechanism:
- I know that when I send a SYN (open a page) it goes via OUTPUT, then the SYN-ACK (the page's reply) arrives at INPUT. Right?
- Let's say I have a server and clients; so why, when I do:
1) on OUTPUT: iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
2) on INPUT: iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
3) on FORWARD: iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
can all clients open anything, regardless of whether I DROP or decline (for example, I want only specific ports to be open on FORWARD)? Why doesn't that happen?
My theory is that when clients open a page it goes from FORWARD to OUTPUT, then the page's reply comes to INPUT and is forwarded to the FORWARD chain. Can someone tell me how this happens, and whether I'm wrong? Really, I read many sites and didn't get exactly this one!
Thanks a lot for your help, and I hope someone can help me!

NOTE: All policies are in DROP mode (the INPUT, OUTPUT and FORWARD chains).

Take care...

moekad 11-13-2009 03:17 AM

Hey, can anybody help!?
Thanks

rupertwh 11-13-2009 03:43 AM

Quote:

Originally Posted by moekad (Post 3754680)
2) on INPUT: iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

That would explain why you can't receive any packets.

Everything you say is -- apart from being totally confused and hard to decipher -- basically wrong.

OUTPUT: Any traffic originating from your machine. (Note: That does *not* mean the connection was initiated by you.)
INPUT: Any traffic destined to your machine.
FORWARD: Any traffic arriving on your machine from outside, but destined somewhere else.

FORWARD-packets pass neither through INPUT, nor through OUTPUT! (They used to, in the old days of ipfwadm and ipchains, but not with iptables anymore).

fotoguy 11-13-2009 09:14 AM

One thing to remember is, you only use the FORWARD chain when you have 2 devices, e.g. 2 network cards on the same machine. If you have only 1 network card, then you would only use the INPUT and OUTPUT chains.

moekad 11-13-2009 10:05 AM

Quote:

Originally Posted by fotoguy (Post 3755668)
One thing to remember is, you only use the FORWARD chain when you have 2 devices, e.g. 2 network cards on the same machine. If you have only 1 network card, then you would only use the INPUT and OUTPUT chains.

Hey, thanks.
Actually I have 2 network cards (one for the Internet and the other for the LAN)
and I do NAT.
So if I want to block my clients from opening, for example, telnet (23), should I block it in the OUTPUT chain?
Since, as you say: FORWARD: Any traffic arriving on your machine from outside, but destined somewhere else.
(FORWARD is "destined"; I want the client to not open it, which means block at OUTPUT = traffic going out from the device?)
OK, I'll give an example:
Server A --eth3 (Internet)
         --eth1 (LAN)
If a client on eth1 opens MSN (1863): (OUTPUT chain) source = IP of client, destination = IP of MSN.
Now MSN wants to reply (it replies on FORWARD: source IP = MSN, destination IP = eth3, which will forward it to eth1)? Is that OK?
Thanks a lot, I hope I'm right!
Thanks

moekad 11-13-2009 12:03 PM

I understand INPUT and OUTPUT,
and I did this now:
Server A => eth3 => 192.168.1.66
         => eth1 => 192.168.0.1
# Generated by iptables-save v1.4.1.1 on Fri Nov 13 19:59:30 2009
*filter
:INPUT DROP [2179:482874]
:FORWARD ACCEPT [130:25204]
:OUTPUT DROP [1277:108233]
-A INPUT -d 127.0.0.1/32 -j ACCEPT
-A INPUT -d 192.168.1.66/32 -i eth3 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "DNS Port Inciming on Interface Eth3 local Connection" -j ACCEPT
-A INPUT -d 192.168.1.66/32 -i eth3 -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -m comment --comment "HTTP Port Inciming on Interface Eth3 local Connection" -j ACCEPT
-A INPUT -d 192.168.1.66/32 -i eth3 -p tcp -m tcp --sport 443 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Incoming to SSL/HTTPS Traffic with outgoing Interface Eth3 Local" -j ACCEPT
-A INPUT -d 192.168.1.66/32 -i eth3 -p tcp -m tcp --sport 1863 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Incoming to MSN Traffic with outgoing Interface Eth3 Local" -j ACCEPT
-A INPUT -s 192.168.0.26/32 -d 192.168.0.1/32 -p tcp -m comment --comment "SSH" -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.26/32 -d 192.168.0.1/32 -p icmp -m icmp --icmp-type 8 -m comment --comment "ICMP Request from 192.168.0.26" -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -s 192.168.0.1/32 -d 192.168.0.0/24 -p tcp -m comment --comment "SSH" -m tcp --sport 22 -j ACCEPT
-A OUTPUT -s 192.168.1.66/32 -o eth3 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Outgoing to DNS with outgoing Interface Eth3 Local" -j ACCEPT
-A OUTPUT -s 192.168.1.66/32 -o eth3 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Outgoing to HTTP Traffic with outgoing Interface Eth3 Local" -j ACCEPT
-A OUTPUT -s 192.168.1.66/32 -o eth3 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Outgoing to SSL HTTPS Traffic with outgoing Interface Eth3 Local" -j ACCEPT
-A OUTPUT -s 192.168.1.66/32 -o eth3 -p tcp -m tcp --dport 1863 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Outgoing to MSN Traffic with outgoing Interface Eth3 Local" -j ACCEPT
-A OUTPUT -s 192.168.0.1/32 -d 192.168.0.26/32 -p icmp -m icmp --icmp-type 0 -m comment --comment "ICMP Reply for 192.168.0.26" -j ACCEPT
COMMIT
# Completed on Fri Nov 13 19:59:30 2009
# Generated by iptables-save v1.4.1.1 on Fri Nov 13 19:59:30 2009
*mangle
:PREROUTING ACCEPT [238248:22318799]
:INPUT ACCEPT [233101:21596808]
:FORWARD ACCEPT [4572:648131]
:OUTPUT ACCEPT [160307:332289017]
:POSTROUTING ACCEPT [163167:332828812]
-A FORWARD -p tcp -m tcp --dport 3128 -j ECN --ecn-tcp-remove
-A FORWARD -p tcp -m tcp --dport 80 -j ECN --ecn-tcp-remove
-A FORWARD -p tcp -m tcp --dport 1863 -j ECN --ecn-tcp-remove
-A POSTROUTING -o eth3 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Nov 13 19:59:30 2009
# Generated by iptables-save v1.4.1.1 on Fri Nov 13 19:59:30 2009
*nat
:PREROUTING ACCEPT [1739:136085]
:POSTROUTING ACCEPT [2038:95793]
:OUTPUT ACCEPT [6158:385735]
-A POSTROUTING -o eth3 -j MASQUERADE
COMMIT
# Completed on Fri Nov 13 19:59:30 2009
/////////////////////////////
Now I want to let my client open, for example, only MSN (1863) and 443.
As you said, OUTPUT is any traffic originating from the machine,
INPUT is any traffic destined to the machine,
and FORWARD is any traffic arriving at my machine destined somewhere else.
So if I want to let the client open MSN and 443 I should do:
iptables -A OUTPUT -s 192.168.0.26 -p tcp --dport 1863 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.26 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d 192.168.0.26 -p tcp --sport 1863 -j ACCEPT
iptables -A FORWARD -d 192.168.0.26 -p tcp --sport 443 -j ACCEPT
(Is that right?) Thanks

fotoguy 11-13-2009 06:40 PM

No, that isn't right. Since you have 2 network cards, you are routing between two different networks, 192.168.0.0 and 192.168.1.0. You don't use the INPUT or OUTPUT chains at all for this, only the FORWARD chain.

So some simple rules to allow the traffic to flow across the router would look something like this:


Quote:

# `whereis` prints "iptables: /sbin/iptables /usr/share/man/..." which cannot be
# executed as a command; resolve the binary path instead
IPTABLES=$(command -v iptables)

# stop everything and clear all rules
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# Allow everything on the loopback interface/IP for the router/server
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT


# allow all traffic from the lan to the internet
# (no "-p tcp" here, otherwise UDP such as the clients' DNS lookups would never be forwarded)
$IPTABLES -A FORWARD -i eth1 -o eth3 -s 192.168.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# allow all traffic from the internet that originated from your lan, back in
$IPTABLES -A FORWARD -i eth3 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
This is of course just a simple example. If the router itself needs to get information from your ISP, say you obtain your IP address from a DHCP server, then you would need INPUT and OUTPUT chain rules:

Quote:

# allow the router to send information to the ISP's DHCP server
# (DHCP is UDP, client port 68 -> server port 67; "-dport" with a single dash is not a valid iptables option)
$IPTABLES -A OUTPUT -o eth3 -p udp --sport 68 --dport 67 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# allow the information from the ISP's DHCP server to come back to the router
$IPTABLES -A INPUT -i eth3 -p udp --sport 67 --dport 68 -m state --state ESTABLISHED,RELATED -j ACCEPT
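The two-NIC NAT router the thread describes, as an added example that is not code posted by anyone in the thread: a POSIX shell script that emits a complete iptables-restore ruleset in which LAN clients (eth1, 192.168.0.0/24, from moekad's posts) may open only TCP 443 and 1863 towards the Internet side (eth3), plus a small chain_for helper that applies rupertwh's three definitions to decide which chain a packet is judged in. The function names, the "only these two ports" policy and the use of the conntrack and multiport matches are this example's assumptions, not the thread's. The client restriction lives in FORWARD and nowhere else; the INPUT/OUTPUT rules only cover the router's own SSH and DNS sockets.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore ruleset for a
# two-NIC NAT router where LAN clients may only reach TCP 443 and 1863.
# Interface names and addresses follow the thread; everything else is assumed.

WAN_IF=eth3             # Internet side (192.168.1.66 in the thread)
LAN_IF=eth1             # LAN side (192.168.0.1 in the thread)
LAN_NET=192.168.0.0/24
CLIENT_PORTS=443,1863   # TCP ports LAN clients are allowed to open

# Emit the filter table. Traffic routed *through* the box is decided in FORWARD
# only; INPUT/OUTPUT govern sockets that belong to the router itself.
gen_filter() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# --- the router's own traffic ---
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# --- LAN clients going out: FORWARD, not OUTPUT ---
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports $CLIENT_PORTS -m conntrack --ctstate NEW -j ACCEPT
# --- replies coming back: FORWARD, not INPUT; only for flows the LAN opened ---
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Emit the nat table: masquerade the LAN behind the WAN address.
gen_nat() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

gen_ruleset() {
    gen_filter
    gen_nat
}

# Which chain judges a packet? Mirrors rupertwh's three cases: destined to one
# of the router's addresses -> INPUT, sourced from one -> OUTPUT, else FORWARD.
# Usage: chain_for <src-ip> <dst-ip> <router-ip>...
chain_for() {
    src=$1
    dst=$2
    shift 2
    for ip in "$@"; do
        [ "$dst" = "$ip" ] && { echo INPUT; return; }
        [ "$src" = "$ip" ] && { echo OUTPUT; return; }
    done
    echo FORWARD
}

# Print the ruleset; load it atomically with:  sh router-rules.sh | iptables-restore
gen_ruleset
```

Loading the output through iptables-restore replaces the whole ruleset in one step, so there is no window in which half the rules are present. Compare with the iptables-save dump earlier in the thread, whose filter table has `:FORWARD ACCEPT` as its policy: with that policy every forwarded packet is accepted no matter what is done in INPUT or OUTPUT, which is exactly the "all clients can open anything" behaviour moekad observed.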

moekad 11-14-2009 09:43 AM

Quote:

Originally Posted by fotoguy (Post 3756383)
No, that isn't right. Since you have 2 network cards, you are routing between two different networks, 192.168.0.0 and 192.168.1.0. You don't use the INPUT or OUTPUT chains at all for this, only the FORWARD chain.

So some simple rules to allow the traffic to flow across the router would look something like this:

This is of course just a simple example. If the router itself needs to get information from your ISP, say you obtain your IP address from a DHCP server, then you would need INPUT and OUTPUT chain rules:

Hey, thanks, now I got it!
One more thing:
if I want to load balance between 2 ISPs, can I do it with NAT? It didn't work for me with NAT! Actually, if I specify ports such as 80 to go to ISP1 and 1863 to go to ISP2 it works, but I want to load balance. Does it work with iptables?

Thanks

fotoguy 11-14-2009 10:07 AM

Unfortunately I have never done load balancing before, so I cannot help in this area. You may need to do a Google search for this one. I would say that it could be done somehow; this page has some information on load balancing with iptables, it might be worth a shot.


http://linuxgazette.net/108/odonovan.html

settntrenz 11-14-2009 09:04 PM

Quote:

Originally Posted by moekad (Post 3756939)
Hey, thanks, now I got it!
One more thing:
if I want to load balance between 2 ISPs, can I do it with NAT? It didn't work for me with NAT! Actually, if I specify ports such as 80 to go to ISP1 and 1863 to go to ISP2 it works, but I want to load balance. Does it work with iptables?

Thanks

Check out http://lartc.org/howto/

moekad 11-15-2009 05:34 AM

Thanks a lot fotoguy and settntrenz :D

fotoguy 11-16-2009 06:51 AM

Glad to help out.
