Find the answer to your Linux question:
Page 2 of 2 FirstFirst 1 2
Results 11 to 19 of 19
iptables rules are composed of chains that handle traffic at different points as it passes into and through a system (firewall, server, router, etc.). The INPUT chain is intended to ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #11
    Linux Newbie nplusplus's Avatar
    Join Date
    Apr 2010
    Location
    Charlotte, NC, USA
    Posts
    106

    iptables rules are composed of chains that handle traffic at different points as it passes into and through a system (firewall, server, router, etc.). The INPUT chain is intended to handle packets destined for the system itself (think ssh login to the firewall), while the FORWARD chain (I believe) is intended to handle packets that have traveled through the firewall and are headed toward another system on the other side. As far as the absence of a "-d" entry goes, in the absence of -d, the destination is anywhere or all destinations.

    N

  2. #12
    Just Joined!
    Join Date
    Mar 2013
    Posts
    10
    Quote Originally Posted by mizzle View Post
    What exactly are you trying to accomplish with these rules? Perhaps you are confused because you are intending the rules to do something they aren't.
    Ok back to basics. The rules were mentioned in a course of Linux Server security that i'm follow in self study. However it was only mentioned that the purpose of them are for anti-spoofing. Me wouldn't be me if i wouldn't want to know what they actually mean and how they work.

    In the lab exercises that followed the example were only exercises on iptables on the INPUT interface that and since there were only two eth's it was simply to solve except for the one were i have to allow traffic from an incoming TCP connection to active services on the workstation (ref #2 in the original post)

    However what keeps bothering me with the forward rules is the absence of the destination. In my mind i see forward as a post office that sends traffic from point a to b. It kinda hard to position where the forward rule would be handled - but i'm probably making it a little to overcomplicated

    For graphical purposed i created a little graph which has to potential to make communication more simple and the rules more comprehensible in the long run

    image:
    iptables scheme.jpg
    seems to be cropped to unreable - i47.tinypic.com/b3t0yd.png

    source file - i used yed graph editor to created it
    s000.tinyupload.com/ ?file_id=77472421867303665209

    message to mod - admins: i do know i can only post links if post count = 15 - but it for the better purpose of the toppic
    Last edited by Daemorog; 03-13-2013 at 11:46 AM.

  3. #13
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    896
    Quote Originally Posted by Daemorog View Post

    However what keeps bothering me with the forward rules is the absence of the destination. In my mind i see forward as a post office that sends traffic from point a to b. It kinda hard to position where the forward rule would be handled - but i'm probably making it a little to overcomplicated
    Okay, post office is a good example.

    Let's say your linux server is just a router.
    A router serves as the gateway to other networks.
    Your router has a public interface (internet) and a private interface, your 192.168.x.x LAN.
    Your router has the public ip 200.1.1.1 and private IP 192.168.0.1.
    If a host on your LAN has IP 192.168.0.2, and wants to ping google.com, those packets aren't going through the 'input' chain of the router, they are going to be forwarded to that remote address over the interface 200.1.1.1.

    If you try to ping 192.168.0.1, the router, from a machine on the LAN, that would fall into the input chain.

  4. #14
    Linux Newbie nplusplus's Avatar
    Join Date
    Apr 2010
    Location
    Charlotte, NC, USA
    Posts
    106
    Quote Originally Posted by mizzle View Post
    Okay, post office is a good example.

    Let's say your linux server is just a router.
    A router serves as the gateway to other networks.
    Your router has a public interface (internet) and a private interface, your 192.168.x.x LAN.
    Your router has the public ip 200.1.1.1 and private IP 192.168.0.1.
    If a host on your LAN has IP 192.168.0.2, and wants to ping google.com, those packets aren't going through the 'input' chain of the router, they are going to be forwarded to that remote address over the interface 200.1.1.1.

    If you try to ping 192.168.0.1, the router, from a machine on the LAN, that would fall into the input chain.
    To emphasize some things implicit in Mizzle's description:

    1) Generally speaking, the destination outgoing interface of packets is determined by a host's routing table and has nothing to do with iptables.

    2) Whether a host may actually forward traffic between two interfaces as a router is determined by a system setting.

    3) If a system is configured to forward traffic, the iptables FORWARD chain determines which packets may actually get forwarded based on various attributes (source, destination, protocol, port, flags, etc.). In the absence of a specific attribute, that particular attribute is considered to match any possible value of the attribute.

    So, iptables does not do the forwarding, the routing function does the forwarding. Iptables just waits for packets to be routed to it and behaves per the defined rules.

    N

  5. #15
    Just Joined!
    Join Date
    Mar 2013
    Posts
    10
    your message remembered me that the gateway in the exercise is probably one with 3 network cards one for each network interface. Which makes it a little bit less complicating.

    I tend to analyze and put things in my own words to help my understand technical explications:
    so what you are actually saying is that when a device that is coupled to a certain eth0 [network interface] and wants to exit it (kinda bad word choice because i could imply the OUTPUT CHAIN here) the packet is forwarded to the network interface that is capable to do so

    so in this case an example would probably look like the (-i) interface kinda confuses me because (-o) would be more logically for imho

    iptables -A FORWARD -i (-o) eth0 (public interface 200.1.1.1) -s 192.168.0.2
    or in other words 192.168.0.2 can forward traffic through the public interface to the outside world

    this is probably very spoofable??

    --
    iptables -I FORWARD 1 -i eth0 -s 192.168.0.0/16 -o whatever -j DROP
    iptables -I FORWARD 2 -i eth0 -s 10.0.0.0/8 -o whatever -j DROP
    iptables -I FORWARD 3 -i eth1 -s ! 192.168.111.0/24 -j DROP
    iptables -I FORWARD 4 -i eth2 -s ! 10.0.0.0/8 -j DROP
    --

    so basically rule one are two are saying that traffic from the outside networking is requesting to go deeper inside the logical network but that doesn't really make sense since they are already inside (aka spoofed)

    rule tree and four are still a bit tricky

    i would say if i get a request from a device inside the 192.168.111.0 DMZ to go to a internal or b external (which is kinda unsafe) it's OK else well what are you doing here

    in the self thought process four would implies that a device from the internal network is actually from the internal
    network before it can sends packets to other network interfaces

    the funny part of it all it that i mostly understand all you theoretical explanations but can't map them to example just yet - well i hope i did a good job above ^^
    Last edited by Daemorog; 03-14-2013 at 01:10 AM.

  6. #16
    Linux Newbie nplusplus's Avatar
    Join Date
    Apr 2010
    Location
    Charlotte, NC, USA
    Posts
    106
    I think you are understanding it. Basically, rule 1 says if a packet is received on eth0 (your public interface), and the source is in 192.168.0.0/16, then it is being spoofed, so no matter where it is going, drop it. Same pretty much goes for rule 2, just with a different source network. Rules 3 and 4 say if a packet is received on my internal interfaces that is not from my internal address ranges, then it is being spoofed, so no matter where it is going, drop it.

    Rule 4 really should narrow the address range a bit since most people are not going to employ an entire /8 behind iptables. Also, rules 1 and 2 should be accompanied by a number of other anti-spoofing rules for addresses that should not appear on the Internet, not the least of which would be 172.16.0.0/15. If you are interested in other networks to drop, take a look here: http://www.rfc-editor.org/rfc/rfc5735.txt.

    N

  7. #17
    Just Joined!
    Join Date
    Mar 2007
    Location
    Melbourne, Australia
    Posts
    30
    Quote Originally Posted by Daemorog View Post
    so in this case an example would probably look like the (-i) interface kinda confuses me because (-o) would be more logically for imho
    In the old days of ipchains, the interface was always referenced by -i.

    But with iptables, -i means INPUT interface, and -o means OUTPUT interface. You can also think of it as follows:
    -i is for source (-s) based filtering, while
    -o is for destination (-d) based filtering
    NOTE: Although you can think of it as such, it is not always the case as you can mix -i with -d - ah yes, to some the power (and to others the bane) of iptables!

    Firewalls can be quite difficult to understand if you are a beginner and are not referencing a routing diagram or flow chart. My best iptables flow chart can be found here:
    IPTables Flow Chart Yukon Networks

    That chart helped me fully understand iptables routing in my early days of firewalling and I hope it helps you too!

    Cheers,
    ak.
    Last edited by tkb2766; 03-15-2013 at 06:26 AM. Reason: Elucidate further

  8. #18
    Just Joined!
    Join Date
    Mar 2013
    Posts
    10
    Thnx alot for all time you invested in answering my questions nplusplus (ton of kudos for you) and letting me come to the conclusion myself. In the begging i was quite confused coming from a windows server and cisco router background when the forward rule was invoked and how it was implemented.

    To make a little summary: forward is invoked when on interface wants to send traffic to another interface. And that the -i like it always have been should be implemented as incoming
    from the eth0 outside network that is actual devices somewhere on the internet for eth1 en eth2 that can be seen as devices that are coupled to these network interface devices of the DMZ and internal network accordantly.
    If there isn't a destination implied it can be seen to who ever is connected.

    I've been overthinking it all along, but that is easy said when you finally understand it.

    About the 127.0.01 etc i do know for security reason that there are some extra ip's that should be blocked eg. (10/8, 172.16/12, 192.168/16) (RFC 1918 )

    @tkb2766 thnx for the diagram kinda a bummer you have to login to actually download it though --> screenshot ftw . But i think it a little out of scope what i actually have to know till now but saved it anyway for further reference

    ----

    Lets get going on cracking #2 together
    Last edited by Daemorog; 03-15-2013 at 10:14 PM. Reason: edit - full message instead of quick reply

  9. #19
    Just Joined!
    Join Date
    Mar 2013
    Posts
    10
    forgot to give kudos to mizzle

Page 2 of 2 FirstFirst 1 2

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •