Re: Question. on iptables concept

From: Lew Pitcher (lpitcher@sympatico.ca)
Date: 04/11/03


From: Lew Pitcher <lpitcher@sympatico.ca>
Date: Thu, 10 Apr 2003 22:36:48 -0400

Lew Pitcher wrote:
[snip]
> I'll see if I can dig up and ASCII-art my diagrams, along with some of
> my notes. Further replies may be delayed by a day or so, because these
> notes are at home, and I'm using a leafnode server on a once-a-day feed
> there.
>

OK, I dug up my IPTABLES notes (from when I installed my firewalling and NAT
rules on /my/ home LAN's server), and ASCII-art'ed my diagrams. They're wide,
so be aware that you'll have to scroll left/right to read them.

Basic IP Tables flows

                                  routing decision
                                 '
                                '
             +------------+    ?     +---------+
    Input--->| PREROUTING |-->?R?--->| FORWARD |-------\
  Interface  +------------+    ?     +---------+        \
                               |                         \   +-------------+    Output
                               |                          >->| POSTROUTING |--->Interface
                               V       :l:               /   +-------------+
                            +-------+  :o:  +--------+  /
                            | INPUT |->:c:->| OUTPUT |-/
                            +-------+  :a:  +--------+
                                       :l:
                                          '
                                           '
                                            local process (input or output socket)

The following diagrams show the flow of IP packets through the IP Tables filters for
five different scenarios.

Scenario A is where a process local to the IP Tables box is the target for packets
coming in through a network interface. For example: your web server on your router
receiving HTTP GET transactions.

Scenario B is where a process local to the IP Tables box is the source for packets
leaving through a network interface. For example, your web server on your router
sending HTML web pages.

Scenario C is where a process local to the IP Tables box is the source for packets
traversing a network interface (like the loopback interface) to reach another local
process (i.e. X client app to X server via localhost:0)

Scenario D is a rare scenario where a process local to the IP tables box is the source
for packets traversing a network interface (like the loopback) to reach a target on
another system. In this case, the local process has explicitly bound itself to the
intermediary interface (i.e. bind(2) to a socket on 127.0.0.1) but the target address
of the IP packet is on another network. A rare condition, indeed.

Scenario E is the typical router scenario, where the IP packets enter through one
interface, and are routed to another interface in order to reach their destination.
In this case, the example would be a router with public IP addresses on both sides
(say, a corporate router between the corporate LAN and the internet).

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

A: Incoming packets for a local process

                                                       :l:
                 +------------+    ?    +-------+      :o:
    interface--->| PREROUTING |-->?R?-->| INPUT |----->:c:
                 +------------+    ?    +-------+      :a:
                                                       :l:

B: Local process sending packets out

   :l:
   :o:   +--------+   +-------------+
   :c:-->| OUTPUT |-->| POSTROUTING |-->interface
   :a:   +--------+   +-------------+
   :l:

C: Local process sending packets through interface (i.e. loopback) to another local process

   :l:                                                                                 :l:
   :o:   +--------+   +-------------+               +------------+    ?    +-------+   :o:
   :c:-->| OUTPUT |-->| POSTROUTING |-->interface-->| PREROUTING |-->?R?-->| INPUT |-->:c:
   :a:   +--------+   +-------------+               +------------+    ?    +-------+   :a:
   :l:                                                                                 :l:

D: Local process sending packets through interface (i.e. loopback) to an outside destination

   :l:
   :o:   +--------+   +-------------+               +------------+    ?    +---------+   +-------------+   Output
   :c:-->| OUTPUT |-->| POSTROUTING |-->interface-->| PREROUTING |-->?R?-->| FORWARD |-->| POSTROUTING |-->Interface
   :a:   +--------+   +-------------+               +------------+    ?    +---------+   +-------------+
   :l:

E: Incoming packets being forwarded to an outside destination

                 +------------+    ?    +---------+   +-------------+   Output
    interface--->| PREROUTING |-->?R?-->| FORWARD |-->| POSTROUTING |-->Interface
                 +------------+    ?    +---------+   +-------------+

-- 
Lew Pitcher
Master Codewright and JOAT-in-training
Registered Linux User #112576 (http://counter.li.org/)
Slackware - Because I know what I'm doing.
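An added example, not part of Lew Pitcher's post, that puts the five scenarios to use: a minimal router ruleset in which each rule sits in the chain the diagrams show the packets actually traversing. The interface names eth0/eth1, the LAN subnet 192.168.1.0/24 and the open ports are assumed placeholders. The rule worth noticing is `-i lo -j ACCEPT` in INPUT: scenario C shows that loopback traffic comes back in through PREROUTING and INPUT like any other inbound packet, so a DROP policy on INPUT silently breaks local services (X over localhost, a local resolver, a database bound to 127.0.0.1) unless loopback is allowed explicitly. Scenario E shows routed packets never touch INPUT or OUTPUT, so filtering meant for them belongs in FORWARD, and source NAT in the nat table's POSTROUTING chain, which scenarios B, D and E all pass through. The script defaults to printing the commands (DRY_RUN=1) so the ruleset can be reviewed without root or a netfilter kernel.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names, the LAN
# subnet and the allowed ports are constructed placeholders.
#
# Each rule is placed in the chain that the scenario diagrams say the
# packet traverses. DRY_RUN=1 (the default) prints the commands instead
# of executing them; set DRY_RUN=0 to apply them for real.

IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"                      # public side (assumed name)
LAN="${LAN:-eth1}"                      # private side (assumed name)
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed private subnet

# Run or echo one iptables invocation depending on DRY_RUN.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

firewall_rules() {
    # Default policies: deny traffic to the host and routed traffic,
    # allow what the host itself originates (scenario B).
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT

    # Scenario C: a local process talking to another local process over
    # loopback goes OUTPUT -> POSTROUTING -> lo -> PREROUTING -> INPUT,
    # so with a DROP policy on INPUT the loopback must be allowed here.
    run -A INPUT -i lo -j ACCEPT

    # Scenario A: packets arriving on an interface for a local process
    # are filtered in INPUT.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -i "$LAN" -p tcp --dport 22 -j ACCEPT
    run -A INPUT -p tcp --dport 80 -j ACCEPT

    # Scenario E: routed packets traverse FORWARD only; nothing in INPUT
    # or OUTPUT ever sees them, so rules for routed traffic go here.
    run -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Source NAT happens after the routing decision, in the nat table's
    # POSTROUTING chain, which forwarded (E) and locally generated (B)
    # packets both pass through on their way to the output interface.
    run -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

firewall_rules
```

Run it as-is to review the generated commands; run it with `DRY_RUN=0` as root to load the rules. If the host also answers DNS or serves a database only to itself, the `-i lo` rule is what keeps those working once INPUT defaults to DROP.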

