topic Re: when to use FORWARD chain ? -- plz help in Operating System - Linux

when to use FORWARD chain ? -- plz help

Maaz — Sat, 18 Jun 2005 13:46:28 GMT

firewall server's external int ip: 192.1.1.254
firewall server's internal int ip: 10.0.0.255
local webservers ip: 10.1.1.1

on firewall box:
cat /etc/sysctl.conf
net.ipv4.ip_forward = 1

iptables -A INPUT -p tcp -d 192.1.1.254 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d 192.1.1.254 -j DROP

iptables -t nat -A PREROUTING -i eth1 -p tcp -d 192.1.1.254 --dport 80 -j DNAT --to 10.1.1.1

where eth1 is external interface

Firewall server is doing fine, i.e firewall server forwards the http request to local webserver.

both the INPUT and OUTPUT chains are not used for traffic which is being routed b/w 2 network intfaces on our firewall, which is left for the FORWARD chain. FORWARD chain applies to packet which are sent to our machine, but are not actually for it

The above snippet is clear to me ... but i m not using FORWARD chain in my example/situation... and even every thing is working fine.. i.e my firewall server forwards every request on port 80 to my webserver.. and then forwards the reply back to the client

I wana know that when to use FORWARD chain ? In my scenario should i use FORWARD chain ? plz give me example to when and how to use FORWARD chain.

Regards
Maaz

Re: when to use FORWARD chain ? -- plz help

Stuart Browne — Sat, 18 Jun 2005 14:56:05 GMT

The policy of your FORWARD chain is probablys et to 'ACCEPT' (it is by default), which is why it's all working happily.

Generally, it's used for DMZ's or for networks behind a Linux firewall.

You have machines on the internal network of which get NAT'd out the external interface, the packets need to be allowed through the FORWARD chain.

Simply put, INPUT is control over packets coming in to an interface. OUTPUT is control over packets going out of an interface. FORWARD is any packet passing from one interface to another.

i.e. in from eth1, out of eth0.

It doesn't matter that the destination is on the same machine, it's on a different interface.

Re: when to use FORWARD chain ? -- plz help

Steven E. Protter — Sat, 18 Jun 2005 22:56:13 GMT

Forward is used to literally forward packets to some other location.

As Stuart states it can be from NIC to NIC on the same machine.

The following scenario is something I do so its somewhat realistic.

Port 3389 is the Microsoft Remote Client port. On my firewall boxes, I forward that port to a Microsoft Machine so the machine can be remote managed even though it actually sits behind a firewall.

1721 is VPN and its pretty common not to run VPN on the firewall, so you can forward that traffic to whateve machine you use as a VPN server.

You only need to use it when you have to, and the above scenarios are good examples of when you have to.

SEP

Re: when to use FORWARD chain ? -- plz help

Maaz — Sun, 19 Jun 2005 05:59:37 GMT

ok when to use FORWARD chain is clear to me. and i m sure that on my firewall box there must be a ACCEPT rule for FORWARD chain.

But as in my case is there any need to create a FORWARD chain, with the ACCEPT target explicitly ?

Ok, if i create rules like:
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
i mean is there any need to create these two rules ? although FORWARD is set to ACCEPT by default.

If i have created some INPUT/OUTPUT rules set to ACCEPT/REJECT/DROP, and some PREROUTING(DNAT), and POSTROUTING(SNAT/MASQUERADE) rules, then is there any need to create FORWARD chain(keeping in mind that FORWARD chain is set to ACCEPT by default) ?

I m sure u people will help me, as usuall ;)

Thanks n Regards
Maaz

Re: when to use FORWARD chain ? -- plz help

Stuart Browne — Sun, 19 Jun 2005 06:09:30 GMT

If you aren't changing the policy of the forward chain, then there's no need to add specific rules:

[root@localhost ~]# iptables -nvL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

As the policy is ACCEPT, no further rules are needed. If you intend to change tha tin the future, then yes, add specific rules for your port 80 traffic, i.e.:

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT

(and possibly:

iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -j ACCEPT

depending on how friendly the web server is with regards to binding to IP's/Interfaces).

Re: when to use FORWARD chain ? -- plz help

Maaz — Sun, 19 Jun 2005 23:29:57 GMT

Thanx Dear Stuart ;)

Regards
Maaz

Re: when to use FORWARD chain ? -- plz help

kcpant — Mon, 20 Jun 2005 07:08:41 GMT

Hi Maaz,

when ever you want to explicitly control traffic through any chain of any table, you first have to change the policy of that chain from ACCEPT to DROP (or REJECT, if you want), ie:

iptables -P FORWARD DROP

and than define the traffic you want to allow, like ,

iptables -A FORWARD -i eth1 -p tcp -o eth0 -J ACCEPT

and so on.
regards,

Re: when to use FORWARD chain ? -- plz help

Steven E. Protter — Mon, 20 Jun 2005 07:19:13 GMT

DROP doesn't let the client know its been ignored. Its useful for stealth mode.

ACCEPT is neccessary on the forward and other chains just to accept or in this case pass/forward the packet.

REJECT lets the client know its been dissed and can sometimes lead the hackers to go elsewhere.

Through long and painful experience I have learned that the default settings for all iptables firewalls should be INPUT DROP OUTPUT DROP and FORWARD DROP.

That alone will save you a lot of grief.

SEP

Re: when to use FORWARD chain ? -- plz help

Maaz — Mon, 20 Jun 2005 14:13:22 GMT

Thanx kcpant, and SEP.

kcpant is it
iptables -P FORWARD DROP
or
iptables -P FORWARD -j DROP

and one more thing u used '-P' instead '-A' or '-I', so whats -P for ? I mean whats -P does ?

Thanks n Regards
Maaz

Re: when to use FORWARD chain ? -- plz help

Steven E. Protter — Mon, 20 Jun 2005 17:06:53 GMT

iptables [-t table] -P chain target [options]

Thats from the man page.

A chain target allows you to set up a keyword or shortname for a particular, linked set of rules. Just a device to help you out.

The DROP command must be accompanied by the -j

iptables -j DROP

Same for ACCEPT and REJECT

The -j is mandatory in my experience.

SEP

Re: when to use FORWARD chain ? -- plz help

kcpant — Mon, 20 Jun 2005 23:23:19 GMT

Hi Maaz,

When you are going to define a policy for a chain, you don't have to use target (-j) keyword, instead, you have to use:
iptables -P

This "-P" switch defines that it is a policy option, and it is applicable to the whole chain.

(SEP, you are very senior to us, but, as I know, -j switch is not used in defining policies, only -P is used. please guide us if I'm incorrect)

Re: when to use FORWARD chain ? -- plz help

Maaz — Wed, 22 Jun 2005 00:07:53 GMT

nice explanation dear kcpant ;) thanx

Thanx All
Regards
Maaz

Re: when to use FORWARD chain ? -- plz help

Alexander Samad — Wed, 22 Jun 2005 18:39:30 GMT

Hi

On a side note, I presume you have more to your firewall than the 2 lines on eth1, because if I send a packet destined for the internal 10/8 network your firewall is going to let it through! because your default FORWARD is ACCEPT

Alex