Old 09-23-2002, 04:47 PM   #1
iptables forward rules

I have recently converted our firewall from ipchains to iptables. Op system: RH7.3, kernel: 2.4.18-3

Bear in mind that ipchains was working great. The reason for changeover was primarily new features and stateless support.

In the filter table, the INPUT and OUTPUT chains are performing exactly the way they are supposed to. However, the problem lies within the FORWARD chain.

The ONLY way I can make the FORWARD chain support traffic into and out of our LAN is to make two rules like so:
iptables -A FORWARD -p ALL -i eth1 -s -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p ALL -i eth0 -o eth1 -d -m state --state ESTABLISHED -j ACCEPT

one for traffic coming into the LAN interface and one for traffic coming into the WAN interface.

Correct me if I'm wrong, but isn't the FORWARD chain supposed to be applicable to packets passing through the firewall and then automatically allow traffic back to the originating client without having to specify two different rules?

Any help is GREATLY appreciated!

WAN interface: eth0
LAN interface: eth1
internal network:

Last edited by -x-Ed-x-; 09-23-2002 at 04:48 PM.
Old 09-23-2002, 06:33 PM   #2
Have you tried:

echo 1 > /proc/sys/net/ipv4/ip_forward

in the iptables-script?
Old 09-23-2002, 06:39 PM   #3
Tried this:
echo 1 > /proc/sys/net/ipv4/ip_forward

and this:
for f in /proc/sys/net/ipv4/conf/*/rp_filter;
do echo 1 > $f; done

no luck
Old 09-24-2002, 03:51 AM   #4
The FORWARD chain certainly does operate on packets whose destination ISN'T the firewall itself.
As far as automatically knowing which packets to let through, this is handled by rules.
If your default POLICY is DROP, then you need to make rules to allow packets to pass through.
And vice versa, if your default POLICY is ACCEPT, you need rules to decide what to DROP or REJECT.

Usually, you can trust the outward traffic from the LAN, however, after doing a lot of work stopping irc, Kazaa and similar services from going out, you may decide a DROP POLICY is better and then specifically allow services.
I personally find it easier to use an ACCEPT policy and then limit the traffic with proxies and rules rather than a straight DROP POLICY.
Netfilter can do all the filtering by word content etc if you use the Patchomatic, but it's an extremely large ruleset.
This is the beauty of the state matching machine. It avoids having to make returning packet rules.
The -o LAN -m state --state ESTABLISHED,RELATED -j ACCEPT handles it all.
Try this tutorial


Last edited by peter_robb; 09-24-2002 at 04:02 AM.
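A complete stateful FORWARD setup along the lines peter_robb describes, as an added example that is not part of the thread: the interface names match the original post, while the LAN network 192.168.1.0/24 and the IPT dry-run variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): stateful FORWARD chain for a two-interface
# firewall, WAN on eth0 and LAN on eth1. IPT defaults to "echo iptables", so the
# script only prints the rules for review; run it as root with IPT=iptables to apply.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}   # assumed value; the thread's internal network is not given
IPT=${IPT:-echo iptables}

enable_forwarding() {
    # Without this sysctl the FORWARD chain never sees a packet, whatever the rules say.
    if [ "$IPT" = iptables ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

build_forward_rules() {
    # Default deny: only flows explicitly matched below are forwarded.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Packets conntrack cannot associate with any flow (bad TCP flags, out-of-window
    # segments) are dropped before any ACCEPT rule can see them.
    $IPT -A FORWARD -m state --state INVALID -j DROP
    # Replies and related traffic (FTP data, ICMP errors) for any flow conntrack
    # already tracks are accepted in either direction. This single rule is what
    # replaces the per-direction reply rule in the original post.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections may only originate on the LAN side; the source check keeps
    # spoofed packets that arrive on eth1 with a foreign address from being forwarded.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # Anything NEW arriving on the WAN side falls through to the DROP policy;
    # log a rate-limited sample of it so troubleshooting does not flood syslog.
    $IPT -A FORWARD -i "$WAN" -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Review:        sh fw.sh
# Apply as root: IPT=iptables sh fw.sh
enable_forwarding
build_forward_rules
```

Run it once without IPT set to read the generated ruleset, then compare against `iptables -L FORWARD -v -n` after applying to confirm the ESTABLISHED,RELATED counters increase for return traffic.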