when to use FORWARD chain ? -- plz help

Maaz
Valued Contributor

when to use FORWARD chain ? -- plz help

firewall server's external int ip: 192.1.1.254
firewall server's internal int ip: 10.0.0.255
local webservers ip: 10.1.1.1

on firewall box:
cat /etc/sysctl.conf
net.ipv4.ip_forward = 1

iptables -A INPUT -p tcp -d 192.1.1.254 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d 192.1.1.254 -j DROP

iptables -t nat -A PREROUTING -i eth1 -p tcp -d 192.1.1.254 --dport 80 -j DNAT --to 10.1.1.1

where eth1 is external interface

Firewall server is doing fine, i.e firewall server forwards the http request to local webserver.


Both the INPUT and OUTPUT chains are not used for traffic which is being routed between 2 network interfaces on our firewall, which is left for the FORWARD chain. The FORWARD chain applies to packets which are sent to our machine, but are not actually for it.


The above snippet is clear to me... but I'm not using the FORWARD chain in my example/situation, and even so everything is working fine, i.e. my firewall server forwards every request on port 80 to my webserver and then forwards the reply back to the client.

I want to know when to use the FORWARD chain. In my scenario should I use the FORWARD chain? Please give me an example of when and how to use the FORWARD chain.

Regards
Maaz


Stuart Browne
Honored Contributor

Re: when to use FORWARD chain ? -- plz help

The policy of your FORWARD chain is probably set to 'ACCEPT' (it is by default), which is why it's all working happily.

Generally, it's used for DMZs or for networks behind a Linux firewall.

When you have machines on the internal network which get NAT'd out the external interface, the packets need to be allowed through the FORWARD chain.

Simply put, INPUT is control over packets coming in to an interface. OUTPUT is control over packets going out of an interface. FORWARD is any packet passing from one interface to another.

i.e. in from eth1, out of eth0.

It doesn't matter that the destination is on the same machine, it's on a different interface.
One long-haired git at your service...
Steven E. Protter
Exalted Contributor

Re: when to use FORWARD chain ? -- plz help

Forward is used to literally forward packets to some other location.

As Stuart states it can be from NIC to NIC on the same machine.

The following scenario is something I do, so it's somewhat realistic.

Port 3389 is the Microsoft Remote Client port. On my firewall boxes, I forward that port to a Microsoft machine so the machine can be remotely managed even though it actually sits behind a firewall.

1721 is VPN and it's pretty common not to run VPN on the firewall, so you can forward that traffic to whatever machine you use as a VPN server.

You only need to use it when you have to, and the above scenarios are good examples of when you have to.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Maaz
Valued Contributor

Re: when to use FORWARD chain ? -- plz help

OK, when to use the FORWARD chain is clear to me, and I'm sure that on my firewall box there must be an ACCEPT rule for the FORWARD chain.

But in my case is there any need to create FORWARD chain rules with the ACCEPT target explicitly?

OK, if I create rules like:
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
I mean, is there any need to create these two rules, although FORWARD is set to ACCEPT by default?

If I have created some INPUT/OUTPUT rules set to ACCEPT/REJECT/DROP, and some PREROUTING (DNAT) and POSTROUTING (SNAT/MASQUERADE) rules, then is there any need to create FORWARD chain rules (keeping in mind that the FORWARD chain is set to ACCEPT by default)?

I'm sure you people will help me, as usual ;)

Thanks and Regards
Maaz



Stuart Browne
Honored Contributor
Solution

Re: when to use FORWARD chain ? -- plz help

If you aren't changing the policy of the forward chain, then there's no need to add specific rules:

[root@localhost ~]# iptables -nvL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

As the policy is ACCEPT, no further rules are needed. If you intend to change that in the future, then yes, add specific rules for your port 80 traffic, i.e.:

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT

(and possibly:

iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -j ACCEPT

depending on how friendly the web server is with regards to binding to IP's/Interfaces).
One long-haired git at your service...
Maaz
Valued Contributor

Re: when to use FORWARD chain ? -- plz help

Thanks, dear Stuart ;)

Regards
Maaz
kcpant
Trusted Contributor

Re: when to use FORWARD chain ? -- plz help

Hi Maaz,

Whenever you want to explicitly control traffic through any chain of any table, you first have to change the policy of that chain from ACCEPT to DROP (or REJECT, if you want), i.e.:

iptables -P FORWARD DROP

and then define the traffic you want to allow, like:

iptables -A FORWARD -i eth1 -p tcp -o eth0 -j ACCEPT

and so on.
regards,
PreSales Specialist
Steven E. Protter
Exalted Contributor

Re: when to use FORWARD chain ? -- plz help

DROP doesn't let the client know it's been ignored. It's useful for stealth mode.

ACCEPT is necessary on the forward and other chains just to accept, or in this case pass/forward, the packet.

REJECT lets the client know it's been dissed and can sometimes lead the hackers to go elsewhere.

Through long and painful experience I have learned that the default settings for all iptables firewalls should be INPUT DROP OUTPUT DROP and FORWARD DROP.

That alone will save you a lot of grief.

SEP
Maaz
Valued Contributor

Re: when to use FORWARD chain ? -- plz help

Thanks kcpant and SEP.

kcpant, is it
iptables -P FORWARD DROP
or
iptables -P FORWARD -j DROP

And one more thing: you used '-P' instead of '-A' or '-I', so what's -P for? I mean, what does -P do?

Thanks and Regards
Maaz
Steven E. Protter
Exalted Contributor

Re: when to use FORWARD chain ? -- plz help

iptables [-t table] -P chain target [options]

That's from the man page.

A chain target allows you to set up a keyword or shortname for a particular, linked set of rules. Just a device to help you out.

The DROP command must be accompanied by the -j

iptables -j DROP

Same for ACCEPT and REJECT

The -j is mandatory in my experience.

SEP
kcpant
Trusted Contributor

Re: when to use FORWARD chain ? -- plz help

Hi Maaz,

When you are going to define a policy for a chain, you don't have to use target (-j) keyword, instead, you have to use:
iptables -P

This "-P" switch defines that it is a policy option, and it is applicable to the whole chain.

(SEP, you are very senior to us, but, as I know, -j switch is not used in defining policies, only -P is used. please guide us if I'm incorrect)
PreSales Specialist
Maaz
Valued Contributor

Re: when to use FORWARD chain ? -- plz help

Nice explanation, dear kcpant ;) thanks

Thanks all
Regards
Maaz
Alexander Samad
Frequent Advisor

Re: when to use FORWARD chain ? -- plz help

Hi

On a side note, I presume you have more to your firewall than the 2 lines on eth1, because if I send a packet destined for the internal 10/8 network your firewall is going to let it through, because your default FORWARD is ACCEPT.

Alex
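Putting the thread's advice together (Stuart's explicit port-80 FORWARD rules, kcpant's "set the policy to DROP first, then allow", and the 10/8 hole Alex points out), here is an added example script that is not from any poster: it sets FORWARD to DROP and then permits only the DNAT'd web traffic and its return packets. It assumes eth1 is external (192.1.1.254), eth0 is internal, and the web server is 10.1.1.1, as in Maaz's setup; the conntrack match and the `IPT=echo` dry-run knob are my additions.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names and addresses are
# assumptions taken from Maaz's post: eth1 = external, eth0 = internal.
# Run with "apply" as root to install the rules, or "show" to print them.
IPT="${IPT:-iptables}"          # set IPT=echo for a dry run
EXT_IF="${EXT_IF:-eth1}"
INT_IF="${INT_IF:-eth0}"
EXT_IP="${EXT_IP:-192.1.1.254}"
WEB_IP="${WEB_IP:-10.1.1.1}"

# -P sets the chain's default policy and takes no -j; -A appends a rule
# whose target is given with -j (kcpant's point in the thread).
set_forward_policy() {
    "$IPT" -P FORWARD DROP
}

# The DNAT in PREROUTING rewrites the destination before FORWARD sees the
# packet, so the FORWARD rule matches on the web server's address, not
# the firewall's external address.
allow_dnat_web() {
    "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_IP"
    "$IPT" -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEB_IP" --dport 80 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
}

# Replies from the web server may leave only as part of an existing
# connection; a bare "--sport 80" rule would let the host originate
# traffic too, and anything else to 10/8 now hits the DROP policy.
allow_return_traffic() {
    "$IPT" -A FORWARD -i "$INT_IF" -o "$EXT_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

apply_forward_rules() {
    set_forward_policy
    allow_dnat_web
    allow_return_traffic
}

# Dry-run helper: returns 0 if the generated ruleset contains the fragment.
forward_rules_contain() {
    ( IPT=echo; apply_forward_rules ) | grep -qF -- "$1"
}

case "${1:-}" in
    apply) apply_forward_rules ;;
    show)  IPT=echo; apply_forward_rules ;;
esac
```

Check the live chain afterwards with `iptables -nvL FORWARD`, as Stuart shows above; the policy line should now read DROP and the counters on the two ACCEPT rules should move when a client fetches a page.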