Linux Help
Newbie Iptable Source, Destination Confusion, IPtable confusion-packet direct -s or -d
dtrader
post Jan 14 2004, 08:00 PM
Post #1
I am using IPtables for my floppy router. I am getting lost on the direction a packet is moving through the router with the source -s and destination -d filter. Is the source the originating machine of the packet, or is the source where the packet wants to go? The same goes for destination: which machine or interface, and what side of the interface, is the destination the destination of? Also, if I use -i for input, is the packet coming into the interface from the cable or the PCI slot (an example to simplify and express my confusion)?

The following is my router configuration:

# this machine (router):
#                     ___
#                    |   |
# internet<---->eth0-+   +-eth1<---->DMZ
#                    |   +-eth2<---->Private
#                    |___|
#
#
# eth0=66.134.1.1
# eth1=66.134.1.2
# eth2=192.168.1.1
#
# Other hosts:
# mail.mybusiness.com 66.134.1.3
# www.mybusiness.org 66.134.1.4
# phantom.mybusiness.org 66.134.1.5 (SNAT'd)

Example of what I've done to make things work:

# To forward packets to and from private and dmz untouched
$IPT -A FORWARD -j ACCEPT -s 192.168.1.0/24 -d 66.134.1.0/29 -i eth2 -o eth1
$IPT -A FORWARD -j ACCEPT -d 192.168.1.0/24 -s 66.134.1.0/29 -o eth2 -i eth1

FTP does not work for people from outside (Internet) of my network example:

# ftp, ssl and ssh service for www.alcyontechnologies.org
$IPT -A FORWARD -j ACCEPT -p tcp -d 66.134.1.4 --dport 20 -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED
$IPT -A FORWARD -j ACCEPT -p tcp -s 66.134.1.4 --sport 20 -i eth1 -o eth0 -m state --state NEW,ESTABLISHED
$IPT -A FORWARD -j ACCEPT -p tcp -d 66.134.1.4 --dport 21 -i eth0 -o eth1 -m state --state NEW,ESTABLISHED
$IPT -A FORWARD -j ACCEPT -p tcp -s 66.134.1.4 --sport 21 -i eth1 -o eth0 -m state --state ESTABLISHED

About 80% of the script works; it's the fine details that are driving me crazy!
I have totally confused myself with all that I have read.
hughesjr
post Jan 16 2004, 07:46 AM
Post #2
The source and destination depend on the packet .... for example, if you open a web browser on a PC inside your firewall (let's say it is 192.168.1.10) and try to open the homepage www.linuxhelp.ca, your machine will do a name lookup on www.linuxhelp.ca (the IP is 216.187.106.215).

The packet (since it is initiated on your machine) will have a source IP of 192.168.1.10 ... a source port randomly picked (the next open port on your machine that is not in use above 1024) .... let's just assume 3005 as the port. This packet will have a destination IP address of 216.187.106.215 and a destination port of 80 (which is the HTTP port).

It would touch eth2 first, go to eth0 and then to the site.
--------------------------------
Is HTTP from off site working?

Your rules for FTP look OK to me .... try taking out the -m state --state items from the FTP rules to see if that works ... if so, it will give you a place to start for troubleshooting.


--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE
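As an added example that is not part of either post, here is a small Python model of how FORWARD rules see the two halves of the HTTP connection the reply describes: -s/-d are matched against the addresses written in the packet, -i/-o against the router interfaces it enters and leaves by, so the reply packet needs its own rule with the LAN as -d and the interfaces swapped. The addresses, ports, interfaces and conntrack states are constructed from the posts; the matcher itself is a simplification (first match wins, then the chain policy; no NAT).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    # Header fields as the packet carries them, plus -i/-o interfaces and conntrack state.
    src: str; sport: int; dst: str; dport: int
    in_if: str; out_if: str; state: str

@dataclass
class Rule:
    target: str
    s: Optional[str] = None; d: Optional[str] = None    # -s / -d (CIDR or host)
    i: Optional[str] = None; o: Optional[str] = None    # -i / -o
    sport: Optional[int] = None; dport: Optional[int] = None
    states: tuple = ()                                   # -m state --state
    def matches(self, p: Packet) -> bool:
        return all([
            self.s is None or ip_address(p.src) in ip_network(self.s),
            self.d is None or ip_address(p.dst) in ip_network(self.d),
            self.i is None or p.in_if == self.i,
            self.o is None or p.out_if == self.o,
            self.sport is None or p.sport == self.sport,
            self.dport is None or p.dport == self.dport,
            not self.states or p.state in self.states,
        ])

def forward_chain(rules, packet, policy="DROP"):
    """First matching rule wins, as in iptables; otherwise the chain policy applies."""
    for r in rules:
        if r.matches(packet):
            return r.target
    return policy

# Constructed from the reply's example: LAN host 192.168.1.10:3005 fetches
# port 80 on 216.187.106.215 via eth2 -> eth0, and the answer comes back eth0 -> eth2.
REQUEST = Packet("192.168.1.10", 3005, "216.187.106.215", 80, "eth2", "eth0", "NEW")
REPLY = Packet("216.187.106.215", 80, "192.168.1.10", 3005, "eth0", "eth2", "ESTABLISHED")

# Rules in the style of the poster's FORWARD rules; the reply needs the LAN as -d.
RULES = [
    Rule("ACCEPT", s="192.168.1.0/24", i="eth2", o="eth0", states=("NEW", "ESTABLISHED")),
    Rule("ACCEPT", d="192.168.1.0/24", i="eth0", o="eth2", states=("ESTABLISHED", "RELATED")),
]
# Common mistake: keeping -s for the LAN on the reply rule; the reply's source is the server.
SWAPPED = [Rule("ACCEPT", s="192.168.1.0/24", i="eth0", o="eth2")]
def verdicts():
    return forward_chain(RULES, REQUEST), forward_chain(RULES, REPLY)
def swapped_verdict():
    return forward_chain(SWAPPED, REPLY)
```

With the correct rule pair both halves are accepted; with the mistaken rule the reply falls through to the DROP policy, which is the usual symptom of a -s/-d mix-up.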