slacker_x
08-07-2001, 01:00 PM
I am learning about iptables and NAT right now. Please tell me if the following is accurate:
Scenario 1:
- A client on the Internet tries to connect to the ssh server on the firewall.
[PREROUTING]- Nothing happens since the ssh server is on the firewall and not on another computer in the LAN.
[INPUT]- Input rules are checked to see if the connection is allowed. Yes, it's allowed.
[OUTPUT]- The firewall replies to the connection attempt providing that the rules in the output chain allow for it.
[POSTROUTING]- Nothing happens again since the reply is coming from the firewall.
- Connection will be allowed...
Scenario 2:
- A client on the Internet tries to connect to the telnet server running on a server behind the firewall.
[PREROUTING]- Since this port is forwarded to a computer other than the firewall, the destination IP is changed and the connection is tracked.
[FORWARD]- If the packet matches the rules in the FORWARD chain, it is allowed to continue on to its destination within the LAN.
[FORWARD]- Telnet server sends reply back out to client if allowed to by rules in FORWARD chain.
[POSTROUTING]- Source IP is rewritten so that the packet appears to originate from the firewall.
- Connection will be allowed...
Scenario 3:
- A client in my LAN directs his browser to http://linuxnewbie.org on tcp port 80 (this sends out a packet with a source port >= 1024 correct?)
[FORWARD]- If external http requests are allowed, packet proceeds.
[POSTROUTING]- Source IP is rewritten to the firewall's IP. Connection is tracked.
- web server replies with packet with destination port >= 1024 (same as above?) and source port of 80.
[PREROUTING]- Since the connection has been tracked, the destination IP is known and rewritten accordingly.
[FORWARD]- If incoming tcp packets are allowed on that port, the packet will continue to the client.
- Client receives data from web server...
Diagram based on my understanding of iptables and NAT:
general flow is in a clockwise direction starting at the top left.
{prer} means the PREROUTING chain
{post} means the POSTROUTING chain
{forw} means the FORWARD chain
{inpu} means the INPUT chain
{outp} means the OUTPUT chain
>--------{forw}-------->[ ]>-->[LAN ]
| [eth1] [Clie]
[Inte]>-->[ ]>-->{prer}>-->{inpu}>-->[ FW ] [ ]<--<[nts ]
[rnet] [eth0] [ ] |
[ ]<--<[ ]<--<{post}<--<{outp}<--<[Apps] |
| |
<--------{forw}-------------<
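As an added example (not part of the post above), here is a minimal iptables ruleset that implements the three scenarios the post walks through; interface names (eth0 = Internet, eth1 = LAN), the LAN subnet and the telnet host address are assumptions, and by default the script only prints the commands.

```shell
#!/bin/sh
# Assumed topology: eth0 faces the Internet, eth1 faces the LAN,
# 192.168.1.0/24 is the LAN and 192.168.1.10 runs the telnet server.
# Run with IPT=iptables to apply the rules; the default just echoes them.
IPT=${IPT:-"echo iptables"}
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24
TELNET_HOST=192.168.1.10

nat_rules() {
    # Scenario 2, PREROUTING: destination is rewritten before the routing
    # decision, so the packet is forwarded to the LAN host. Conntrack keeps
    # the mapping and un-translates the reply's source in POSTROUTING.
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 23 \
        -j DNAT --to-destination "$TELNET_HOST":23
    # Scenario 3, POSTROUTING: LAN clients leave with the firewall's address;
    # conntrack restores the reply's destination in PREROUTING.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

filter_rules() {
    # Default deny for traffic to and through the firewall.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Replies and related packets of tracked connections (all three
    # scenarios) are covered by these two rules; only NEW needs a match below.
    $IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Scenario 1, INPUT: new ssh connections to the firewall itself.
    $IPT -A INPUT -i "$WAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Scenario 2, FORWARD: FORWARD sees the post-DNAT destination address.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$TELNET_HOST" -p tcp --dport 23 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Scenario 3, FORWARD: new outbound http from the LAN only.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Log whatever falls through to the DROP policy.
    $IPT -A FORWARD -j LOG --log-prefix "FW-DROP: "
}

apply_all() {
    nat_rules
    filter_rules
}

apply_all
```

Forwarding also requires `net.ipv4.ip_forward=1` (for example via `sysctl -w`), which the script deliberately leaves to the operator.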