Mailinglist Archive: opensuse-security (359 mails)

RE: [suse-security] Newbie Question re. Firewall2 vs. IPTABLES (fwd)
  • From: keith@xxxxxxxxxxxxxxxxxxxxxxxx
  • Date: Thu, 24 Jul 2003 12:54:13 +0000 (GMT)
  • Message-id: <Pine.LNX.4.44.0307241241170.871-100000@xxxxxxxxxxx>

Hi Knuth!

I have just checked the Packet Filtering HOWTO.

According to the HOWTO, packets destined for the local
machine go through the INPUT chain, and any other packets
not for localhost get sent to the FORWARD chain.

So you could receive bad packets sent directly to the
FORWARD chain!

If you are going to do IP FORWARDING then you will NEED to
filter the packets that you are passing along to others.

Just removing the -j block will pass UNFILTERED packets to
others, even though the INPUT CHAIN is being filtered!!!

As I don't use the FORWARD chain, then blocking it is
fine for me.

You may need to make a separate chain with rules that will
filter the FORWARD chain, and use that.

eg. FORWARD -j my_fwd_filter

Regards - Keith

---------- Forwarded message ----------
To: Knut Erik Hauslo <KNUTH@xxxxxxxxxxxx>
From: keith@xxxxxxxxxxxxxxxxxxxxxxxx
Subject: RE: [suse-security] Newbie Question re. Firewall2 vs. IPTABLES


I've just noticed the -j block on the FORWARD chain.

You might need to remove this to enable packets to pass
through the FORWARD chain...

let me know if this works.


On Thu, 24 Jul 2003, Knut Erik Hauslo wrote:

> Keith gave me a very simple example on how to create a simple iptables configuration. I adopted most of it - leaving out the logs and denying ICMP on eth1 - and this is how it looks now:

-- snip --

> iptables -A INPUT -j open_port_80
> iptables -A INPUT -j block
> iptables -A FORWARD -j block <-- THIS MAY BE YOUR PROBLEM
> *** End

> However, no packets are ever reaching its destination on the internal network. How come? My external network is on eth1 and my internal is on eth0. IP Forwarding (YaST, Network Services, Routing) is not enabled. If I do enable IP Forwarding, any packets will go through the firewall, and eh, that's not what I expected ;-)
> From sources that I have found, the way of a packet is described like this:
> - if a packet is destined for local host, it will be redirected to the input chain
> - if a packet is not destined for local host, it will be redirected to the forward chain (forwarding needs to be enabled in the kernel - but where - and there must be a routing table in place. Routing table is ok, but since I am a newbie, I do not know where to change this forwarding setting if it is not the setting mentioned above?!?!? :-S (confused smiley)
> Any hints are deeply appreciated!
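
One way to build the separate FORWARD filter chain Keith suggests, as an added example that is not from either mail: it assumes eth0 is the internal and eth1 the external interface (as in Knut's setup), a kernel with connection tracking, and uses `my_fwd_filter` as the chain name from the mail.

```shell
#!/bin/sh
# Stateful filter for the FORWARD chain (added example, not from the thread).
# IPT can be overridden (e.g. IPT=echo) to print the rules instead of loading them.
IPT="${IPT:-iptables}"

setup_forward_filter() {
    lan="$1"   # internal interface (eth0 in the thread)
    wan="$2"   # external interface (eth1 in the thread)

    # A dedicated user chain keeps the FORWARD rules readable and leaves the
    # existing "block" chain as the catch-all for INPUT only.
    $IPT -N my_fwd_filter 2>/dev/null || $IPT -F my_fwd_filter

    # Packets belonging to connections already seen are allowed both ways.
    $IPT -A my_fwd_filter -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections may only originate on the LAN and leave via the WAN link.
    $IPT -A my_fwd_filter -i "$lan" -o "$wan" -m state --state NEW -j ACCEPT

    # Everything else the kernel wants to forward is logged (rate-limited) and dropped.
    $IPT -A my_fwd_filter -m limit --limit 3/min -j LOG --log-prefix "FWD-DROP: "
    $IPT -A my_fwd_filter -j DROP

    # Hook the user chain into FORWARD and set the built-in policy to DROP,
    # so a flushed or empty chain never fails open.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -j my_fwd_filter
}

enable_forwarding() {
    # Runtime equivalent of the YaST routing switch (not persistent across reboots).
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Apply as root with: sh fwd_filter.sh apply
if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    setup_forward_filter eth0 eth1
fi
```

Run with `IPT=echo sh fwd_filter.sh apply` first to review the generated rules before loading them.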
