Full Version: Newbie Iptable Source, Destination Confusion
I am using iptables for my floppy router. I am getting lost on the direction a packet is moving through the router with the source -s and destination -d filter. Is the source the originating machine of the packet or is the source where the packet wants to go? The same goes for destination: which machine or interface, and what side of the interface is the destination the destination of? Also, if I use -i for input, is the packet coming into the interface from the cable or the PCI slot (example to simplify and express my confusion)?

The following is my router configuration:

# this machine (router):
#                      ___
#                     |   |
# internet<---->eth0-+   +-eth1<---->DMZ
#                     |   +-eth2<---->Private
#                     |___|
# eth0=
# eth1=
# eth2=
# Other hosts:
# (SNAT'd)

Example of what I've done to make things work:

# To forward packets to and from private and dmz untouched
$IPT -A FORWARD -j ACCEPT -s -d -i eth2 -o eth1
$IPT -A FORWARD -j ACCEPT -d -s -o eth2 -i eth1

FTP does not work for people from outside (Internet) of my network. Example:

# ftp, ssl and ssh service for
$IPT -A FORWARD -j ACCEPT -p tcp -d --dport 20 -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED
$IPT -A FORWARD -j ACCEPT -p tcp -s --sport 20 -i eth1 -o eth0 -m state --state NEW,ESTABLISHED
$IPT -A FORWARD -j ACCEPT -p tcp -d --dport 21 -i eth0 -o eth1 -m state --state NEW,ESTABLISHED
$IPT -A FORWARD -j ACCEPT -p tcp -s --sport 21 -i eth1 -o eth0 -m state --state ESTABLISHED

About 80% of the script works; it's the fine details that are driving me crazy!
I have totally confused myself with all that I have read.
The source and destination depend on the packet .... for example, if you open a web browser on a PC inside your firewall (let's say it is and try to open the homepage Your machine will do a name lookup on (the ip is

The packet (since it is initiated on your machine) will have a source IP of ... a source port randomly picked (the next open port of your machine that is not in use above 1024) .... let's just assume 3005 as the port. This packet will have a destination IP address of and a destination port of 80 (which is the http port).

I would touch eth2 first, go to eth0 and to the site.
Is http from off site working?

Your rules for FTP look OK to me .... try taking out the -m state --state items from the FTP rules to see if that works ... if so it will give you a place to start for troubleshooting.
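The reply above explains -s/-d in terms of who initiated the packet; the small model below (an added example, not code from either poster) makes the same point for -i/-o too, using the thread's eth0/eth1/eth2 layout with constructed placeholder addresses (the original IPs are not on the page). It builds the request and reply packets of one connection from a Private host to a web server and shows that each direction needs its own FORWARD rule, with every field swapped.

```python
"""Toy model of how iptables reads -s/-d/-i/-o for the two directions of one
connection through the router in this thread. Added example, not code from the
original post; all addresses are constructed placeholders."""
import ipaddress
from dataclasses import dataclass

# Constructed topology: eth1 = DMZ, eth2 = Private, eth0 = default (Internet).
DIRECT_NETS = {"eth1": ipaddress.ip_network("192.0.2.0/24"),
               "eth2": ipaddress.ip_network("10.0.0.0/24")}

def iface_toward(ip: str) -> str:
    """Interface the router uses to reach ip (default route is eth0)."""
    addr = ipaddress.ip_address(ip)
    for dev, net in DIRECT_NETS.items():
        if addr in net:
            return dev
    return "eth0"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def forward_match(pkt: Packet, rule: dict) -> bool:
    """True if a FORWARD rule (keys s, d, i, o, sport, dport) matches pkt.
    -s/-d come straight from the IP header of *this* packet; -i is the
    interface it arrived on (the one facing its source) and -o the interface
    it will leave by (the one facing its destination)."""
    fields = {"s": pkt.src, "d": pkt.dst, "sport": pkt.sport, "dport": pkt.dport,
              "i": iface_toward(pkt.src), "o": iface_toward(pkt.dst)}
    return all(fields[k] == v for k, v in rule.items())

def connection(client: str, server: str, dport: int, sport: int = 3005):
    """Request and reply packets of one TCP connection; every field swaps."""
    request = Packet(client, sport, server, dport)
    reply = Packet(server, dport, client, sport)
    return request, reply

def as_iptables(rule: dict) -> str:
    """Render a rule dict as the $IPT line it corresponds to."""
    parts = [f"--{k} {v}" if len(k) > 1 else f"-{k} {v}" for k, v in rule.items()]
    return "$IPT -A FORWARD -j ACCEPT -p tcp " + " ".join(parts)

if __name__ == "__main__":
    req, rep = connection("10.0.0.5", "198.51.100.10", 80)
    outbound = {"s": "10.0.0.5", "i": "eth2", "o": "eth0", "dport": 80}
    inbound = {"d": "10.0.0.5", "i": "eth0", "o": "eth2", "sport": 80}
    for rule in (outbound, inbound):
        print(as_iptables(rule), "->", forward_match(req, rule), forward_match(rep, rule))
```

Running it shows the outbound rule matching only the request and the inbound rule matching only the reply, which is why the thread's FTP rules come in -i eth0 -o eth1 / -i eth1 -o eth0 pairs with -d/--dport on one side and -s/--sport on the other.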