trying to understand the function of iptables I read this tutorial: https://www.tux.ethz.ch/wiki/index.php/IPTABLES. Sorry it is in German, but anyway, the rule that puzzles me is the following:
iptables -A FORWARD -p tcp -d 192.168.0.12 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i $IF_INET -p tcp -d $IF_INET_IP --dport 80 -j DNAT --to 192.168.0.12:80
$IF_INET_IP is apparently the IP address of the wan/external nic
I thought that the eth0 and the IP address of the wan were the same, but then the above rule wouldn't make any sense to me. What am I missing here?
Thanks and regards!
eth0 is the device. If you have 2 network cards they would be called something like eth0 and eth1. Each of these interfaces are also assigned an IP address.
The second of your rules causes your computer to act like a router does. It is re-routing packets that are destined to go to $IF_INET_IP on port 80 to go to 192.168.0.12 on port 80 instead. The -i $IF_INET part means that this rule will only occur if the packets are coming in on your eth0 device.
Thanks for your quick reply: I would think that most of the time $IF_INET and $IF_INET_IP are the same. What is the reason that this command wants these two different parameters if they are the same? In order to control the input when more than one IP address is assigned to this interface?
How should I conceive eth0, eth1 and so on, as far as input is cencerned? As a sort of sink? And all packets that can reach it are processed?
An explanation or directions where I can find docs about this would be highly appreciated as I think understanding above concepts are very important in order to be able to set up the rules correctly!
Again thanks and regards
Imagine that the above rule is used on a computer with two Ethernet cards, eth0 and eth1.
eth0 is connected to the internet
eth1 is connected to your home network
The above rule is looking out for all packets that arrive at eth0 (-i $IF_INET) with the destination of $IF_INET_IP (-d $IF_INET_IP) and changing the destination of that packet to be 192.168.0.12 instead (-j DNAT --to 192.168.0.12:80)
If you had 2 computers on your home network with the IP address' 192.168.0.1 and 192.168.0.2 you could write a similar rule to direct all the traffic that's meant to go to 192.168.0.1 to instead go to 192.168.0.2 like this:
iptables -t nat -A PREROUTING -i eth0 -d 192.168.0.1 -j DNAT --to 192.168.0.2
As for books and tutorials I just learnt by searching Google and getting help from these Forums
Fernet17, your question about the rule parameters for IF_NET and IF_NET_IP:
As you've already noted - IF_NET refers to the physical interface name while the IF_NET_IP refers to an IP address. These are NOT the same thing.
What this rule is doing is commonly called a "sanity check" - it is double checking that a packet coming in to IF_NET_IP ONLY comes in through the eth0 device. This is required/expected if eth0 is connecting externally.
This helps to filter/block any bad programming or hacking attempts where one might try to trick the firewall into letting your bad packet through by creating packets that say they are from an external IP while physically coming into say eth1 (a NIC connected to an internal network.)