
I'm using a Linux box as a router:

The box has 2 public IPs and a local IP; I'm using NAT to allow local users to access the web.

When a local user accesses the web, source NAT happens here. Are the packets going through the public interface checked through the OUTPUT chain or through the FORWARD chain?

The same question for the returned packets of the already established session: are they checked via the INPUT or the FORWARD chain?

One last thing: consider me as a local user. The packets will go like this:

PC ---> LinuxBox Local Interface ---> Linux Box Public interface ----> External world.

When the packets come back:

External World ----> Public interface ----> Local interface -----> PC

If I want to apply a rule on the packets when they move from the local interface to the PC, should I use the FORWARD chain or the OUTPUT chain?

What do you think?

MohyedeenN

3 Answers

4

Any packets going through the router are handled in the FORWARD chain. They will NEVER touch INPUT or OUTPUT.

Any packets that originate from the router itself will be handled by OUTPUT. Never FORWARD.

Any packets destined to an address that is assigned to one of the router's interfaces will be handled by the INPUT chain. Never FORWARD.

The only (kind-of) exception to this is if you apply any Destination NAT (as opposed to Source NAT) rules, in which case the destination of a packet originally destined for an address on one of the router's interfaces could be changed to something that is not, and it then does go to FORWARD because the packet is no longer destined for an address on the local machine.

fukawi2
1

Packets going from your LAN to the public network are handled in the FORWARD chain. Same thing for packets going the other way round. INPUT is for packets whose final destination is the router itself (and are not NATted), wherever they come from. And OUTPUT is for packets originating from the router itself and going to the outside world (be it LAN or WAN).

I don't understand your last question, but keep in mind you can (and should) configure iptables to be stateful so you don't have to worry about packets from an established session, only the initial packet.

alxgomz
  • I have updated the last question, please check – MohyedeenN Jan 08 '14 at 07:32
  • This is a forwarded packet as well hence has to be treated in the forward chain. But as I told you iptables should be stateful so if you want to act on a packet that comes back from the wan make sure your rule comes before any "--state RELATED,ESTABLISHED -j ACCEPT" rule. Though I am not sure why you would need that. – alxgomz Jan 08 '14 at 08:34
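The two answers above and the comment thread describe one routing picture: routed LAN/WAN traffic is FORWARD, the router's own traffic is INPUT/OUTPUT, source NAT happens in the nat table, and a rule that should act on returned WAN-to-LAN packets must precede the stateful accept. The script below is an added example (not code from either answerer) that puts those points into an iptables-restore ruleset; the interface names and LAN prefix are assumptions passed as arguments, and the port-22 and LOG rules are placeholders for whatever the asker actually wants to match.

```shell
#!/bin/sh
# Added example. Which filter chain first sees a packet, per the answers above:
#   $1 = "local" if the router generated the packet, else "remote"
#   $2 = "local" if the destination (after any DNAT) is a router address, else "remote"
# A router-generated packet to its own address traverses OUTPUT and then INPUT; this reports the first.
chain_for() {
    case "$1:$2" in
        local:*) echo OUTPUT ;;
        *:local) echo INPUT ;;
        *)       echo FORWARD ;;
    esac
}

# Print an iptables-restore ruleset for the router in the question.
# Assumed arguments: WAN interface, LAN interface, LAN prefix (e.g. eth0 eth1 192.168.1.0/24).
# Load with:  gen_ruleset eth0 eth1 192.168.1.0/24 | iptables-restore
gen_ruleset() {
    wan="$1"; lan="$2"; lan_net="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: only traffic addressed to the router itself (SSH from the LAN, replies to its own sessions).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# FORWARD: everything routed between LAN and WAN, in both directions.
# A rule that must see returned WAN->LAN packets (here: rate-limited logging) has to
# come BEFORE the RELATED,ESTABLISHED accept, otherwise it is never reached.
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED -m limit --limit 5/min -j LOG --log-prefix "wan-to-lan: "
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -m conntrack --ctstate NEW -j ACCEPT
# Unsolicited WAN->LAN traffic falls through to the FORWARD DROP policy.
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source NAT is applied in nat/POSTROUTING after the FORWARD decision; it never involves OUTPUT.
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
EOF
}
```

Run the generated text through `iptables-restore --test` first; the script only prints rules and needs no privileges itself.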
0

input:
internet -> router <- my_comp

output:
internet <- router -> my_comp

forward:
internet <- router <- my_comp
internet -> router -> my_comp

Oleh