iptables forwarding

robkalmeijer
Posts: 37
Joined: 2012/03/27 00:15:55

iptables forwarding

Post by robkalmeijer » 2019/04/05 01:45:46

When writing iptables rules, do you need forwarding rules when you are running a server with one eth?

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: iptables forwarding

Post by Whoever » 2019/04/05 02:17:37

Probably not.

As you are asking the question, almost certainly not.

robkalmeijer
Posts: 37
Joined: 2012/03/27 00:15:55

Re: iptables forwarding

Post by robkalmeijer » 2019/04/05 02:33:15

Since lo and eth+ are declared, the question is: is there any forwarding between lo and eth?

My tables use accept policy and I want to change input and forward to drop and open only the ports I really need.

Output to accept should be ok.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables forwarding

Post by TrevorH » 2019/04/05 16:55:56

Running iptables -nvL will show you all rules in the default table with the byte and packet counters so you can see which rules have been used.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

robkalmeijer
Posts: 37
Joined: 2012/03/27 00:15:55

Re: iptables forwarding

Post by robkalmeijer » 2019/04/06 16:38:38

I used it after changing INPUT and FORWARD to DROP.

[root@server3 ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1710K 118M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 222 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
14974 1097K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
33604 1884K ACCEPT all -- eth+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 state NEW udp dpt:5353
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80


Is this correct?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables forwarding

Post by TrevorH » 2019/04/06 16:52:33

Since you have no FORWARD chain and you've changed the default policy to DROP, nothing will get forwarded.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: iptables forwarding

Post by jlehtone » 2019/04/08 12:28:30

robkalmeijer wrote (2019/04/05 02:33:15):
Since lo and eth+ are declared, the question is: is there any forwarding between lo and eth?

No, unless you explicitly set it up. (Not sure whether that is at all possible.)


If a process sends a packet to address X (and X is not the localhost), then the packet travels the OUTPUT chain and leaves from eth0 to the "outside".

If a packet arrives on eth0 (with the address of eth0 as destination), then it travels the INPUT chain and then a process listening on the destination port handles the packet.

A network packet enters the FORWARD netfilter chain only if it originates from "outside", is destined to "outside", and net.ipv4.ip_forward = 1.

The net.ipv4.ip_forward is 0 by default. You have had no reason to explicitly change that.
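As an added example (not from the thread or any of its posters), a small Python audit of `iptables -nvL` output along the lines TrevorH and jlehtone describe: it parses each chain's policy and per-rule counters from a constructed listing modelled on the one posted above, and flags an interface-wide `ACCEPT all` (here the `eth+` rule) that admits traffic before the later port rules are consulted, as well as any rule whose counter shows it never matched. The FORWARD and OUTPUT chains in the sample are assumed, not taken from the poster's machine.

```python
import re

# Constructed sample (not captured from the poster's machine): the INPUT chain as
# listed in the thread, plus assumed FORWARD and OUTPUT chains in the same format.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1710K  118M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    2   222 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
14974 1097K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
33604 1884K ACCEPT     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          state NEW udp dpt:5353
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 2105K packets, 311M bytes)
 pkts bytes target     prot opt in     out     source               destination
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")

def parse_count(s):  # expand the K/M/G suffixes iptables -v uses for large counters
    return int(s[:-1]) * {"K": 10**3, "M": 10**6, "G": 10**9}[s[-1]] if s[-1] in "KMG" else int(s)

def parse_iptables(text):
    """Return {chain: {"policy": str, "rules": [dict]}} from `iptables -nvL` output."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            cur = m.group(1)
            chains[cur] = {"policy": m.group(2), "rules": []}
        elif cur and line.strip() and not line.lstrip().startswith("pkts"):
            parts = line.split(None, 9)  # 9 fixed columns, then optional match text
            rule = dict(zip(FIELDS, parts[:9]))
            rule["extra"] = parts[9] if len(parts) > 9 else ""
            rule["pkts"], rule["bytes"] = parse_count(rule["pkts"]), parse_count(rule["bytes"])
            chains[cur]["rules"].append(rule)
    return chains

def audit(chains):
    """Report policies, interface-wide ACCEPTs that shadow later rules, and unused rules."""
    out = []
    for name, ch in chains.items():
        out.append(f"{name}: policy {ch['policy']}, {len(ch['rules'])} rules")
        for i, r in enumerate(ch["rules"], 1):
            if (r["target"] == "ACCEPT" and r["prot"] == "all" and not r["extra"]
                    and r["in"] != "lo" and r["source"] == r["destination"] == "0.0.0.0/0"):
                out.append(f"{name} rule {i}: ACCEPT all from in={r['in']} shadows later rules for that interface")
            if r["pkts"] == 0:
                out.append(f"{name} rule {i}: never matched ({r['extra'] or r['prot']})")
    return out
```

Run `audit(parse_iptables(SAMPLE))` on the sample, or feed it the real `iptables -nvL` output, to see which rules carry traffic and which can never be reached.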

robkalmeijer
Posts: 37
Joined: 2012/03/27 00:15:55

Re: iptables forwarding

Post by robkalmeijer » 2019/04/10 22:16:41

So dropping forwarding is ok.

I use it for a server with only eth0.

See: https://www.robkalmeijer.nl/techniek/co ... index.html
