Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
10-09-2007, 04:13 AM #1
Member
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474
IPTABLES: How Packets Traverse The Filters
Quote:
1. When a packet comes in (say, through the Ethernet card) the kernel first looks at the destination of the packet: this is called `routing'.
2. If it's destined for this box, the packet passes downwards in the diagram, to the INPUT chain. If it passes this, any processes waiting for that packet will receive it.
3. Otherwise, if the kernel does not have forwarding enabled, or it doesn't know how to forward the packet, the packet is dropped. If forwarding is enabled, and the packet is destined for another network interface (if you have another one), then the packet goes rightwards on our diagram to the FORWARD chain. If it is ACCEPTed, it will be sent out.
hey guys, are these statements true even if the packets came from the LAN or the Internet?
10-09-2007, 04:17 AM #2
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
what do you mean "even if"? that's the only place that's relevant (save for loopback...) where else is your traffic going to come from? you can't distinguish between where a packet came from, that's illogical at that low low level. if you wish to distinguish between local and remote IPs then that's up to you to configure the iptables rules to suit.
10-09-2007, 08:04 AM #3
Member
Registered: Mar 2007
Distribution: Debian
Posts: 547
before the routing decision the rules in the prerouting chain are applied (hence the name), which gives you direct influence on the routing decision as you can manipulate the packets before the routing decision is made.
Maybe the author intentionally disregarded the nat table.
Other than that, the quotation is correct.
10-09-2007, 08:25 PM #4
Member
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474
Original Poster
Quote:
what do you mean "even if"? that's the only place that's relevant (save for loopback...) where else is your traffic going to come from? you can't distinguish between where a packet came from, that's illogical at that low low level. if you wish to distinguish between local and remote IPs then that's up to you to configure the iptables rules to suit.
sorry, i was confused with the routing process. i was thinking that since the firewall is also the gateway, all connections to the net will be destined to the firewall, so they will go directly to the INPUT chain, not the FORWARD chain.
Quote:
before the routing decision the rules in the prerouting chain are applied (hence the name), which gives you direct influence on the routing decision as you can manipulate the packets before the routing decision is made.
Maybe the author intentionally disregarded the nat table.
Other than that, the quotation is correct.
by my understanding, the statements are saying that the kernel automatically detects whether a packet is destined for the firewall or is to be forwarded, is that right? or do you do it manually in the routing decision?
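As an added illustration that is not from any poster in this thread, here is a small Python model of the traversal the quoted steps describe, with the nat PREROUTING step that post #3 mentions placed in front of the routing decision. The routing decision is automatic: it looks only at the (possibly DNAT-rewritten) destination address, sending packets addressed to one of the box's own addresses to INPUT and everything else to FORWARD when forwarding is on and a route exists. All addresses, interfaces and the DNAT mapping are constructed for the example.

```python
# Added illustration (not from this thread): a toy model of netfilter's
# PREROUTING -> routing decision -> INPUT/FORWARD traversal.
# Addresses, interfaces and rules below are constructed for the example.
from dataclasses import dataclass, field
import ipaddress

@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str

@dataclass
class Box:
    local_ips: set           # addresses configured on this host's interfaces
    routes: dict             # destination network -> output interface
    forwarding: bool = True  # net.ipv4.ip_forward
    dnat: dict = field(default_factory=dict)  # PREROUTING: old dst -> new dst

    def prerouting(self, pkt):
        # nat/PREROUTING runs before the routing decision, so a DNAT here
        # changes whether the packet later hits INPUT or FORWARD.
        return Packet(pkt.in_iface, pkt.src, self.dnat.get(pkt.dst, pkt.dst))

    def route(self, dst):
        # Longest-prefix match over the routing table; None means no route.
        addr = ipaddress.ip_address(dst)
        nets = sorted(self.routes, key=lambda n: -ipaddress.ip_network(n).prefixlen)
        for net in nets:
            if addr in ipaddress.ip_network(net):
                return self.routes[net]
        return None

    def traverse(self, pkt):
        pkt = self.prerouting(pkt)
        # The routing decision is automatic: a destination that is one of the
        # box's own addresses goes to INPUT, whatever interface it arrived on.
        if pkt.dst in self.local_ips:
            return "INPUT"
        # Otherwise forward only if forwarding is on and a route exists.
        if self.forwarding and self.route(pkt.dst):
            return "FORWARD"
        return "DROPPED"

def gateway(forwarding=True):
    # Constructed LAN/Internet gateway; the DNAT stands in for a port-forward
    # (a real rule would also match on protocol and port).
    return Box(local_ips={"192.168.1.1", "203.0.113.10"},
               routes={"192.168.1.0/24": "eth1", "0.0.0.0/0": "eth0"},
               forwarding=forwarding, dnat={"203.0.113.10": "192.168.1.50"})
```

A LAN host talking to the gateway's own address lands in INPUT, a LAN host talking to the Internet lands in FORWARD, and an Internet packet for the DNAT-ed public address is rewritten in PREROUTING and therefore also lands in FORWARD rather than INPUT.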