Linux - Security (LinuxQuestions.org forum)
I am a bit late coming to this thread, but I thought I would mention for anyone who comes across it that the link win32sux posted above, to Oskar Andreasson's tutorial is hands down, the most comprehensive tutorial I have ever seen on iptables. Where have you been hiding this gem, win32sux?
Quote:
So I will define netfilter as:
the packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series
And now the 3.0.x series too, right?
Quote:
and iptables as:
the command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset
Sounds good to me. If you're doing this as part of a paper for school, make sure you follow the citation/reference rules your school uses. Otherwise, it'll look like you're plagiarizing.
Quote:
By the way, if netfilter is part of the kernel itself, does it mean that is the only way to filter packets?
Is it possible to uninstall netfilter and install another thing?
I'm sure it's not only possible, but also quite feasible (given the freely-available source code). That said, I don't really know if anyone's put together such a patch. I do remember having run into at least one thread here in LQSEC where the poster was looking to do precisely that (albeit such a thread would have been moved to Programming), but I don't recall how things played out.
Quote:
Originally Posted by Noway2
Where have you been hiding this gem, win32sux?
LOL! Right next to the rock you've apparently just crawled out from under.
I just need to confirm some conclusions I made for my test:
1. every incoming DNATed packet goes necessarily to FORWARD
2. every outgoing SNATed packet not necessarily comes from FORWARD
3. every forwarded packet was DNATed and will be SNATed
No, you are right, not every packet is DNATed when it goes through PREROUTING.
But like I said in the first 2 points:
1. every incoming DNATed packet goes necessarily to FORWARD
2. every outgoing SNATed packet not necessarily comes from FORWARD
In 1, DNAT happens in PREROUTING
In 2, SNAT happens in POSTROUTING (necessarily if it comes from FORWARD and optionally if it comes from OUTPUT).
That's why I concluded point 3:
3. every forwarded packet was DNATed and will be SNATed
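To make the chain-traversal questions in this thread concrete, here is an added example (an editor's illustration, not code posted by anyone in the thread and not part of the netfilter project): a small Python model of the order in which a packet meets the PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING chains, driven by a constructed nat ruleset (a port-forward DNAT, a DNAT to the firewall's own address, and a POSTROUTING SNAT for the LAN). All addresses, ports and rules are assumptions made up for the example. It reports which chains each test packet passes through and where DNAT or SNAT is applied, so conclusions like the three above can be checked case by case.

```python
# Added example: a model of netfilter chain traversal for the cases discussed
# in this thread. Illustrative Python, not kernel code; every address, port
# and rule below is constructed for the example.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Assumed addresses owned by the firewall host itself (constructed).
LOCAL_ADDRS = {"203.0.113.1", "192.168.1.1", "127.0.0.1"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    locally_generated: bool = False  # True for packets the firewall itself sends


@dataclass(frozen=True)
class NatRule:
    """One rule in the nat table; chain is PREROUTING, OUTPUT or POSTROUTING."""
    chain: str
    target: str                      # "DNAT" or "SNAT"
    to: str                          # "ip:port" for DNAT, "ip" for SNAT
    match_dst: Optional[str] = None
    match_dport: Optional[int] = None
    match_src_prefix: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.match_dst is None or p.dst == self.match_dst)
                and (self.match_dport is None or p.dport == self.match_dport)
                and (self.match_src_prefix is None or p.src.startswith(self.match_src_prefix)))


def nat_hook(chain: str, p: Packet, rules: List[NatRule], path: List[str]) -> Packet:
    """Apply the first matching nat rule in `chain`, recording what happened.
    (The real nat table sees only the first packet of a connection; conntrack
    reuses the mapping afterwards. The model treats every packet as the first.)"""
    for r in rules:
        if r.chain == chain and r.matches(p):
            if r.target == "DNAT":
                ip, _, port = r.to.partition(":")
                p = replace(p, dst=ip, dport=int(port) if port else p.dport)
            else:
                p = replace(p, src=r.to)
            path.append(f"{chain}:{r.target}")
            return p
    return p


def traverse(p: Packet, rules: List[NatRule]) -> List[str]:
    """Return the chains a packet meets, in order. Filter chains are named by
    their hook (INPUT/FORWARD/OUTPUT); mangle/raw are omitted, and local
    delivery over lo after an OUTPUT-chain DNAT is not modelled."""
    path: List[str] = []
    if p.locally_generated:
        path.append("OUTPUT")
        p = nat_hook("OUTPUT", p, rules, path)        # nat OUTPUT can DNAT local traffic
    else:
        path.append("PREROUTING")
        p = nat_hook("PREROUTING", p, rules, path)    # DNAT happens here, before routing
        if p.dst in LOCAL_ADDRS:                      # routing decision on the rewritten dst
            path.append("INPUT")
            return path                               # delivered locally: no POSTROUTING
        path.append("FORWARD")
    path.append("POSTROUTING")
    nat_hook("POSTROUTING", p, rules, path)           # SNAT happens here, after routing
    return path


# Constructed ruleset; the comment above each rule is the iptables equivalent.
RULES = [
    # iptables -t nat -A PREROUTING -d 203.0.113.1 -p tcp --dport 80 -j DNAT --to 192.168.1.10:8080
    NatRule("PREROUTING", "DNAT", "192.168.1.10:8080", match_dst="203.0.113.1", match_dport=80),
    # iptables -t nat -A PREROUTING -d 203.0.113.1 -p tcp --dport 8443 -j DNAT --to 203.0.113.1:443
    # (the same effect REDIRECT --to-ports 443 would have on this interface)
    NatRule("PREROUTING", "DNAT", "203.0.113.1:443", match_dst="203.0.113.1", match_dport=8443),
    # iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to 203.0.113.1
    NatRule("POSTROUTING", "SNAT", "203.0.113.1", match_src_prefix="192.168.1."),
]


def scenarios() -> Dict[str, List[str]]:
    """Paths for a few constructed packets hitting the ruleset above."""
    internet = "198.51.100.5"  # assumed remote host
    return {
        "dnat_to_lan_host": traverse(Packet(internet, "203.0.113.1", 80), RULES),
        "dnat_to_local_port": traverse(Packet(internet, "203.0.113.1", 8443), RULES),
        "plain_inbound_ssh": traverse(Packet(internet, "203.0.113.1", 22), RULES),
        "lan_to_internet": traverse(Packet("192.168.1.10", internet, 443), RULES),
        "firewall_own_dns": traverse(Packet("203.0.113.1", internet, 53, locally_generated=True), RULES),
    }


if __name__ == "__main__":
    for name, path in scenarios().items():
        print(f"{name:20s} {' -> '.join(path)}")
```

Running it prints one line per constructed packet; the port-forwarded packet is DNATed in PREROUTING and then forwarded, the packet DNATed to the firewall's own address goes to INPUT instead, the LAN-originated packet is forwarded and SNATed without ever being DNATed, and the firewall's own traffic meets OUTPUT and POSTROUTING but matches no SNAT rule. Changing the ruleset or the address sets lets you replay other cases from the tutorial linked earlier in the thread.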