Full Version: Newbie Iptable Source, Destination Confusion
dtrader
I am using iptables for my floppy router. I am getting lost on the direction a packet is moving through the router with the source -s and destination -d filter. Is the source the originating machine of the packet, or is the source where the packet wants to go? The same goes for destination: which machine or interface, and what side of the interface, is the destination the destination of? Also, if I use -i for input, is the packet coming into the interface from the cable or from the PCI slot (an example to simplify and express my confusion)?

The following is my router configuration:

# this machine (router):
#                     ___
#                    |   |
# internet<---->eth0-+   +-eth1<---->DMZ
#                    |   +-eth2<---->Private
#                    |___|
#
#
# eth0=66.134.1.1
# eth1=66.134.1.2
# eth2=192.168.1.1
#
# Other hosts:
# mail.mybusiness.com      66.134.1.3
# www.mybusiness.org       66.134.1.4
# phantom.mybusiness.org   66.134.1.5 (SNAT'd)

Example of what I've done to make things work:

# To forward packets to and from private and dmz untouched
$IPT -A FORWARD -j ACCEPT -s 192.168.1.0/24 -d 66.134.1.0/29 -i eth2 -o eth1
$IPT -A FORWARD -j ACCEPT -d 192.168.1.0/24 -s 66.134.1.0/29 -o eth2 -i eth1

FTP does not work for people from outside (Internet) of my network example:

# ftp, ssl and ssh service for www.alcyontechnologies.org
$IPT -A FORWARD -j ACCEPT -p tcp -d 66.134.1.4 --dport 20 -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED
$IPT -A FORWARD -j ACCEPT -p tcp -s 66.134.1.4 --sport 20 -i eth1 -o eth0 -m state --state NEW,ESTABLISHED
$IPT -A FORWARD -j ACCEPT -p tcp -d 66.134.1.4 --dport 21 -i eth0 -o eth1 -m state --state NEW,ESTABLISHED
$IPT -A FORWARD -j ACCEPT -p tcp -s 66.134.1.4 --sport 21 -i eth1 -o eth0 -m state --state ESTABLISHED

About 80% of the script works; it's the fine details that are driving me crazy!
I have totally confused myself with all that I have read.
hughesjr
The source and destination depend on the packet .... for example, if you open a web browser on a PC inside your firewall (let's say it is 192.168.1.10) and try to open the homepage www.linuxhelp.ca. Your machine will do a name lookup on www.linuxhelp.ca (the IP is 216.187.106.215).

The packet (since it is initiated on your machine) will have a source IP of 192.168.1.10 ... a source port randomly picked (the next open port of your machine that is not in use above 1024)....let's just assume 3005 as the port. This packet will have a destination IP address of 216.187.106.215 and a destination port of 80 (which is the HTTP port).


It would touch eth2 first, go to eth0 and on to the site.
--------------------------------
Is http from off site working?

Your rules for FTP look OK to me .... try taking out the -m state --state items from the FTP rules to see if that works ... if so it will give you a place to start for troubleshooting.
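The point hughesjr makes about source and destination is easiest to see by walking a packet and its reply through the FORWARD rules from the first post. The following is an added example, not code from either poster: a small Python model of iptables matching that parses the two private<->DMZ rules (the $IPT prefix dropped) and evaluates three constructed packets against them. The host addresses, the port 3005 and the web server IP come from the thread; the packet field names, the helper functions and the "TO_INTERNET" flow are assumptions made for the illustration. Nothing here touches a real netfilter table.

```python
import ipaddress
import shlex

# Constructed from the thread: the two FORWARD rules that pass traffic between
# the private LAN (eth2) and the DMZ (eth1). The "$IPT" prefix is dropped.
RULES_TEXT = [
    "-A FORWARD -j ACCEPT -s 192.168.1.0/24 -d 66.134.1.0/29 -i eth2 -o eth1",
    "-A FORWARD -j ACCEPT -d 192.168.1.0/24 -s 66.134.1.0/29 -o eth2 -i eth1",
]

def parse_rule(text):
    """Reduce one iptables command line to {criterion: value} plus its -j target."""
    toks = shlex.split(text)
    rule = {"chain": None, "target": None, "match": {}}
    i = 0
    while i < len(toks):
        opt = toks[i]
        if opt == "-A":
            rule["chain"] = toks[i + 1]
        elif opt == "-j":
            rule["target"] = toks[i + 1]
        elif opt in ("-s", "-d"):
            # -s is the address that sent the packet, -d the address it is going to
            rule["match"][opt] = ipaddress.ip_network(toks[i + 1], strict=False)
        elif opt in ("-i", "-o", "-p"):
            rule["match"][opt] = toks[i + 1]
        elif opt in ("--sport", "--dport"):
            rule["match"][opt] = int(toks[i + 1])
        elif opt == "-m":
            pass  # "-m state" only loads the extension; --state carries the values
        elif opt == "--state":
            rule["match"][opt] = set(toks[i + 1].split(","))
        else:
            raise ValueError(f"unsupported option {opt!r}")
        i += 2
    return rule

def matches(rule, pkt):
    """True when every criterion on the rule agrees with the packet's fields."""
    checks = {
        "-s": lambda v: ipaddress.ip_address(pkt["src"]) in v,
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in v,
        "-i": lambda v: pkt["in_if"] == v,    # interface the packet arrived on (from the cable)
        "-o": lambda v: pkt["out_if"] == v,   # interface the router will send it out of
        "-p": lambda v: pkt["proto"] == v,
        "--sport": lambda v: pkt["sport"] == v,
        "--dport": lambda v: pkt["dport"] == v,
        "--state": lambda v: pkt["state"] in v,
    }
    return all(checks[k](v) for k, v in rule["match"].items())

def first_match(rules, pkt):
    """Walk the chain in order, as the kernel does; return (rule index, target) or None."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return idx, rule["target"]
    return None  # no rule matched: the chain's default policy decides

def packet(src, sport, dst, dport, in_if, out_if, state):
    """Assumed packet representation for this model (TCP only)."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": "tcp", "in_if": in_if, "out_if": out_if, "state": state}

# Constructed traffic: the private-LAN host from hughesjr's post talks to the DMZ
# web server, then the server answers. Note how src/dst and -i/-o swap on the reply.
REQUEST = packet("192.168.1.10", 3005, "66.134.1.4", 80, "eth2", "eth1", "NEW")
REPLY = packet("66.134.1.4", 80, "192.168.1.10", 3005, "eth1", "eth2", "ESTABLISHED")
# The same host heading for www.linuxhelp.ca instead: in on eth2, out on eth0,
# so neither LAN<->DMZ rule applies.
TO_INTERNET = packet("192.168.1.10", 3006, "216.187.106.215", 80, "eth2", "eth0", "NEW")

def trace_all(rules_text=RULES_TEXT):
    """Evaluate the three constructed packets; returns {name: (index, target) or None}."""
    rules = [parse_rule(r) for r in rules_text]
    flows = (("request", REQUEST), ("reply", REPLY), ("to_internet", TO_INTERNET))
    return {name: first_match(rules, p) for name, p in flows}

if __name__ == "__main__":
    for name, verdict in trace_all().items():
        print(f"{name:12s} -> {verdict}")
```

The request matches the first rule because 192.168.1.10 is the sender (-s) and it arrived on eth2 (-i); the reply from 66.134.1.4 matches the second rule only because -s/-d and -i/-o are both reversed. A rule written with the original client's address as -s will never see the returning packets, which is why each direction needs its own rule (or a stateful ESTABLISHED rule covering the return path).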