iptables forwarding

Issues related to configuring your network
robkalmeijer
Posts: 19
Joined: 2012/03/27 00:15:55

iptables forwarding

Post by robkalmeijer » 2019/04/05 01:45:46

When making iptables do you need forwarding rules when you are running a server with one eth?

Whoever
Posts: 1074
Joined: 2013/09/06 03:12:10

Re: iptables forwarding

Post by Whoever » 2019/04/05 02:17:37

Probably not.

As you are asking the question, almost certainly not.

robkalmeijer
Posts: 19
Joined: 2012/03/27 00:15:55

Re: iptables forwarding

Post by robkalmeijer » 2019/04/05 02:33:15

Since lo and eth+ are declared, the question is: is there any forwarding between lo and eth?

My tables use accept policy and I want to change input and forward to drop and open only the ports I really need.

Output to accept should be ok.

TrevorH
Forum Moderator
Posts: 26515
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables forwarding

Post by TrevorH » 2019/04/05 16:55:56

Running iptables -nvL will show you all rules in the default table with the byte and packet counters so you can see which rules have been used.
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

robkalmeijer
Posts: 19
Joined: 2012/03/27 00:15:55

Re: iptables forwarding

Post by robkalmeijer » 2019/04/06 16:38:38

I used it after changing INPUT and FORWARD to DROP.

[root@server3 ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1710K  118M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    2   222 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
14974 1097K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
33604 1884K ACCEPT     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         state NEW udp dpt:5353
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80


Is this correct?
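
An added example (not written by any poster in this thread): a shell/awk check over the text of `iptables -nvL` that flags an accept-everything rule such as the `eth+` line in the listing above. Traffic arriving on that interface is accepted there, so the later per-port rules and the DROP policy are never reached for it, which matches their zero packet counters. The function names and output labels are assumptions of this example; the sample is the posted INPUT chain embedded as constructed input.

```shell
#!/bin/sh
# Audit the text of `iptables -nvL`: report each chain policy, any rule that
# accepts every protocol from any address on a non-loopback interface, and the
# later rules that such a rule makes moot.

# Constructed sample: the INPUT chain as posted in the thread above.
sample_listing() {
cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
1710K 118M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 222 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
14974 1097K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
33604 1884K ACCEPT all -- eth+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 state NEW udp dpt:5353
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
EOF
}

# audit_listing (hypothetical helper): listing on stdin, findings on stdout.
audit_listing() {
  awk '
    $1 == "Chain" {
      chain = $2; n = 0; wide = 0; widein = ""
      print "POLICY", chain, ($3 == "(policy" ? $4 : "-")
      next
    }
    $1 == "pkts" || NF == 0 { next }
    {
      n++
      # Columns: pkts bytes target prot opt in out source destination [matches]
      any = ($3 == "ACCEPT" && $4 == "all" && NF == 9 &&
             $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0")
      if (any && $6 != "lo" && !wide) {
        wide = n; widein = $6
        print "WIDE", chain, "rule", n, "in=" $6, "pkts=" $1
      } else if (wide && (widein == "*" || $6 == "*" || $6 == widein)) {
        print "SHADOWED", chain, "rule", n, "by rule", wide, "pkts=" $1
      }
    }'
}

sample_listing | audit_listing
```

With the functions loaded in a root shell, `iptables -nvL | audit_listing` runs the same check against the live ruleset.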

TrevorH
Forum Moderator
Posts: 26515
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables forwarding

Post by TrevorH » 2019/04/06 16:52:33

Since you have no FORWARD chain and you've changed the default policy to DROP, nothing will get forwarded.

jlehtone
Posts: 2293
Joined: 2007/12/11 08:17:33
Location: Finland

Re: iptables forwarding

Post by jlehtone » 2019/04/08 12:28:30

robkalmeijer wrote (2019/04/05 02:33:15):
"Since lo and eth+ are declared, the question is: is there any forwarding between lo and eth?"

No, unless you explicitly set it up. (Not sure whether that is at all possible.)


If a process sends a packet to address X (and X is not the localhost), then the packet travels the OUTPUT chain and leaves from the eth0 to "outside".

If a packet arrives at eth0 (with the address of eth0 as destination), then it travels the INPUT chain and then a process listening on the destination port handles the packet.

A network packet enters the FORWARD netfilter chain only if it originates from "outside", is destined to "outside", and net.ipv4.ip_forward = 1.

The net.ipv4.ip_forward is 0 by default. You have had no reason to explicitly change that.

robkalmeijer
Posts: 19
Joined: 2012/03/27 00:15:55

Re: iptables forwarding

Post by robkalmeijer » 2019/04/10 22:16:41

So dropping forwarding is ok.

I use it for a server with only eth0.

See: https://www.robkalmeijer.nl/techniek/co ... index.html
