Checking the Forwarding Rules
The forwarding rules apply to packets passing through, or being routed by, the machine. Forwarded packets are inspected only by the rules defined for the FORWARD chain; they are not inspected against the rules on the INPUT or OUTPUT chains. If the packet's destination address is something other than the address of the interface on which the packet arrived, the packet is inspected by the FORWARD chain. If the packet matches a FORWARD acceptance rule, it is sent out the appropriate interface after being inspected by any rules defined for the POSTROUTING chains.
For the purposes of illustration, the firewall rule pair shown next forwards all TCP connections from the internal network. UDP traffic is not routed. Related ICMP traffic is routed:
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_INTERFACE -o $EXTERNAL_INTERFACE -p tcp \
    -s $INTERNAL_LAN_ADDRESSES -m state --state NEW -j ACCEPT
This section is based on a representative sample of forwarding rules. The INPUT and OUTPUT rules are mostly ACCEPT rules when the default policy is DROP. Everything is denied, by default, and you explicitly define what will be accepted:
> iptables -v -L FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target  prot opt in   out  source               destination
1     67  6050 ACCEPT  all  --  any  any  anywhere             anywhere \
                       state RELATED,ESTABLISHED
2      0     0 ACCEPT  tcp  --  eth1 eth0 selected.remote.host host1.private.lan \
                       tcp spts:1024:65535 dpt:ssh flags:SYN,RST,ACK/SYN state NEW
3              ACCEPT  tcp  --  eth0 eth1 .private.lan         mailserver.dmz.lan \
                       multiport dports smtp,pop3 tcp spts:1024:65535 \
                       flags:SYN,RST,ACK/SYN state NEW
4      1    60 ACCEPT  tcp  --  eth0 eth1 .private.lan         web-proxy.dmz.lan \
                       multiport dports http,https tcp spts:1024:65535 \
                       flags:SYN,RST,ACK/SYN state NEW
5      1    60 ACCEPT  tcp  --  eth0 eth1 .private.lan         anywhere \
                       tcp spts:1024:65535 dpt:ssh flags:SYN,RST,ACK/SYN state NEW
6      0     0 ACCEPT  tcp  --  eth0 eth1 .private.lan         news-server.net \
                       tcp spts:1024:65535 dpt:nntp flags:SYN,RST,ACK/SYN state NEW
7      0     0 REJECT  tcp  --  eth1 any  anywhere             .private.lan \
                       tcp spts:1024:65535 dpt:auth reject-with icmp-port-unreachable
8      0     0 ACCEPT  icmp --  any  any  anywhere             anywhere \
                       icmp fragmentation-needed
9      2   168 ACCEPT  icmp --  eth0 eth1 .private.lan         anywhere \
                       icmp echo-request
10     0     0 ACCEPT  tcp  --  any  any  anywhere             anywhere \
                       tcp flags:FIN,ACK/FIN,ACK
11     0     0 ACCEPT  tcp  --  any  any  anywhere             anywhere \
                       tcp flags:RST/RST
12     0     0 LOG     all  --  any  any  anywhere             anywhere \
                       LOG level warning
The default policy for the FORWARD chain is DROP. Denied packets are simply dropped without any notification being returned to either the local or the remote program. There are 12 rules on the chain:
Line 1 Any packet recognized as being part of a previously ESTABLISHED connection or exchange, or a packet that is RELATED to one, is allowed in either direction.
Line 2 Incoming SSH connections from a particular remote host to host1 in the private LAN are allowed.
Line 3 Outgoing client connections to the mail gateway and POP server in the DMZ are allowed.
Line 4 Outgoing client connections, both HTTP and HTTPS, are allowed to the web proxy in the DMZ.
Line 5 Outgoing client connections to remote SSH servers anywhere are allowed.
Line 6 Outgoing client connections to a specific remote news server are allowed.
Line 7 Incoming auth requests to local identd servers are rejected.
Line 8 ICMP Type 3 fragmentation-needed messages are allowed in both directions as part of MTU size discovery.
Line 9 Outgoing ping ICMP echo-requests are allowed to anywhere.
Line 10 TCP FIN/ACK packets are accepted in either direction.
Line 11 TCP RST packets are accepted in either direction.
Line 12 All other packets in either direction are logged before being dropped by the default policy.
For the FORWARD chain in particular, the -v option is helpful because it shows the incoming and outgoing network interface names. eth0 is the internal interface to the .private.lan network. eth1 is the external interface to the .dmz.lan network and the Internet beyond. Remember that FORWARD rules are necessary with or without NAT. Also remember that any NAT rules are defined in the nat table; the rules shown here are defined in the default filter table.
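The commands that produce the 12-rule FORWARD chain listed above, as an added example that is not the book's own script. The interface variables reuse the names from the rule pair earlier in this section; the host and network addresses are assumed placeholders standing in for the listing's .private.lan, .dmz.lan and remote names. With IPT left at its default the function only prints the commands for review; run it with IPT=iptables as root to apply them.

```shell
# Added example: builds the 12-rule FORWARD chain shown above (addresses are assumed).
IPT="${IPT:-echo iptables}"             # default: print commands instead of applying
LAN_INTERFACE=eth0                      # internal interface (.private.lan side)
EXTERNAL_INTERFACE=eth1                 # external interface (.dmz.lan and beyond)
INTERNAL_LAN_ADDRESSES=192.168.1.0/24   # assumed .private.lan range
SELECTED_REMOTE_HOST=203.0.113.10       # assumed remote SSH client
HOST1=192.168.1.10                      # assumed host1.private.lan
MAILSERVER=10.0.0.25                    # assumed mailserver.dmz.lan
WEB_PROXY=10.0.0.80                     # assumed web-proxy.dmz.lan
NEWS_SERVER=198.51.100.119              # assumed news-server.net
UNPRIV=1024:65535                       # unprivileged client source ports

forward_rules() {
    $IPT -P FORWARD DROP
    # 1. anything belonging to an established or related exchange, either direction
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. incoming SSH from one trusted remote host to host1 (--syn = SYN,RST,ACK/SYN)
    $IPT -A FORWARD -i $EXTERNAL_INTERFACE -o $LAN_INTERFACE -p tcp --syn \
        -s $SELECTED_REMOTE_HOST --sport $UNPRIV -d $HOST1 --dport ssh \
        -m state --state NEW -j ACCEPT
    # 3. and 4. outgoing mail (SMTP/POP3) and web (HTTP/HTTPS) clients to the DMZ
    $IPT -A FORWARD -i $LAN_INTERFACE -o $EXTERNAL_INTERFACE -p tcp --syn \
        -s $INTERNAL_LAN_ADDRESSES --sport $UNPRIV -d $MAILSERVER \
        -m multiport --dports smtp,pop3 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $LAN_INTERFACE -o $EXTERNAL_INTERFACE -p tcp --syn \
        -s $INTERNAL_LAN_ADDRESSES --sport $UNPRIV -d $WEB_PROXY \
        -m multiport --dports http,https -m state --state NEW -j ACCEPT
    # 5. and 6. outgoing SSH to anywhere; NNTP only to the chosen news server
    $IPT -A FORWARD -i $LAN_INTERFACE -o $EXTERNAL_INTERFACE -p tcp --syn \
        -s $INTERNAL_LAN_ADDRESSES --sport $UNPRIV --dport ssh \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $LAN_INTERFACE -o $EXTERNAL_INTERFACE -p tcp --syn \
        -s $INTERNAL_LAN_ADDRESSES --sport $UNPRIV -d $NEWS_SERVER --dport nntp \
        -m state --state NEW -j ACCEPT
    # 7. reject inbound auth/identd requests so remote servers do not wait for a timeout
    $IPT -A FORWARD -i $EXTERNAL_INTERFACE -p tcp --sport $UNPRIV \
        -d $INTERNAL_LAN_ADDRESSES --dport auth -j REJECT --reject-with icmp-port-unreachable
    # 8. and 9. path MTU discovery in both directions; ping outbound only
    $IPT -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
    $IPT -A FORWARD -i $LAN_INTERFACE -o $EXTERNAL_INTERFACE -p icmp \
        -s $INTERNAL_LAN_ADDRESSES --icmp-type echo-request -j ACCEPT
    # 10. and 11. FIN/ACK and RST pass so connection teardown is not logged as noise
    $IPT -A FORWARD -p tcp --tcp-flags FIN,ACK FIN,ACK -j ACCEPT
    $IPT -A FORWARD -p tcp --tcp-flags RST RST -j ACCEPT
    # 12. log whatever is left before the DROP policy discards it
    $IPT -A FORWARD -j LOG --log-level warning
}
forward_rules
```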