iptables forward rules

-x-Ed-x- · 09-23-2002, 03:47 PM

I have recently converted our firewall from ipchains to iptables. Op system: RH7.3, kernel: 2.4.18-3

Bear in mind that ipchains was working great. The reason for changeover was primarily new features and stateless support.

In the filter table, the INPUT and OUTPUT chains are performing exactly the way they are supposed to. However, the problem lies within the FORWARD chain.

The ONLY way I can make the FORWARD chain support traffic into and out of our LAN is to make two rules like so:
iptables -A FORWARD -p ALL -i eth1 -s 192.168.0.0/24 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p ALL -i eth0 -o eth1 -d 192.168.0.0/24 -m state --state ESTABLISHED -j ACCEPT

one for traffic coming into the LAN interface and one for traffic coming into the WAN interface.

Correct me if I'm wrong, but isn't the FORWARD chain supposed to be applicable to packets passing thru the firewall and then automatically allow traffic back to the originating client without having to specify two different rules?

Any help is GREATLY appreciated!

NOTES:
WAN interface: eth0
LAN interface: eth1
internal network: 192.168.0.0

Hko · 09-23-2002, 05:33 PM

Have you tried:

echo 1 > /proc/sys/net/ipv4/ip_forward

in the iptables-script?

-x-Ed-x- · 09-23-2002, 05:39 PM

Tried this:
echo 1 > /proc/sys/net/ipv4/ip_forward

and this:
for f in /proc/sys/net/ipv4/conf/*/rp_filter;
do echo 1 > $f
done

no luck

peter_robb · 09-24-2002, 02:51 AM

The FORWARD chain certainly does operate on packets whose destination ISNT the firewall itself.
As far as automatically knowing which packets to let through, this is handled by rules.
If your default POLICY is DROP, then you need to make rules to allow packets to pass through.
And vice versa, if your default POLICY is ACCEPT, you need rules to decide what to DROP or REJECT.

Usually, you can trust the outward traffic from the LAN, however, after doing a lot of work stopping irc, Kazaa and similar services from going out, you may decide a DROP POLICY is better and then specifically allow services.
I personally find it easier to use an ACCEPT policy and then limit the traffic with proxies and rules rather than a straight DROP POLICY.
Netfilter can do all the filtering by word content etc if you use the Patchomatic, but it's an extremely large ruleset.
This is the beauty of the state matching machine. It avoids having to make returning packet rules.
The -o LAN -m state --state ESTABLISHED,RELATED -j ACCEPT handles it all.
Try this tutorial http://www.netfilter.org/documentati...ials/blueflux/

Regards,
Peter