iptables script - Security



Thread: iptables script

  1. iptables script

    hi,
    I am new to iptables.
    When writing an iptables script,
    we put rules in the INPUT or FORWARD or POSTROUTING chain,
    so which one is best?

    please advise.


  2. Re: iptables script

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    kenz wrote:
    > hi,
    > I am new to iptables.
    > When writing an iptables script,
    > we put rules in the INPUT or FORWARD or POSTROUTING chain,
    > so which one is best?


    "best" for what?


    - --

    Lew Pitcher, IT Specialist, Corporate Technology Solutions,
    Enterprise Technology Solutions, TD Bank Financial Group

    (Opinions expressed here are my own, not my employer's)
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.2.2 (MingW32)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

    iD8DBQFEHrWcagVFX4UWr64RAi9XAJ9J24H8JeugLJDFyIjYSRus8ijiFgCePeyH
    Fo+zVS7GNN9KxyQl1kGv4l8=
    =Igrd
    -----END PGP SIGNATURE-----

  3. Re: iptables script

    Each one has different functionalities. First you need to know the
    usage, and depending on your usage you can choose among them.

    INPUT, FORWARD, POSTROUTING, PREROUTING.... all these are filters.

    INPUT will filter the incoming packets,
    FORWARD will filter the packets that are being forwarded.
    POSTROUTING will filter the packets on POST route.
    .....

    For more information take a look at
    http://www.siliconvalleyccie.com/lin...bles-intro.htm


  4. Re: iptables script

    I'm a bit confused about INPUT and FORWARD..
    it's for filtering the incoming packets..
    does it mean it is filtering the incoming packets from the external
    network and the LAN??

    tq


  5. Re: iptables script

    INPUT will filter the packets from the external IP/network, whichever is
    configured. It can be either from the same network or from a different
    network.


  6. Re: iptables script

    so you mean where
    iptables -A INPUT -i $LAN_ETH ....... or
    iptables -A INPUT -s $LAN_IPRANGE ......
    is filtering the incoming packets from the local network

    and
    iptables -A INPUT -i $EXT_ETH.......
    is filtering the incoming packets from the internet


  7. Re: iptables script

    probably yes.


  8. Re: iptables script

    "kenz" (06-03-20 21:53:39):

    > I'm a bit confused about INPUT and FORWARD..
    > it's for filtering the incoming packets..


    INPUT is the chain for packets dedicated to the host on which
    netfilter is running. Anything else will be handled by FORWARD. This
    means that if a packet arrives which wasn't dedicated to your host, then
    it's processed by the FORWARD chain before it's routed to the actual
    target. After the final IP address is found (after NAT, probably), the
    POSTROUTING chain comes into play. This is effectively the last stage
    for packets which need to be forwarded.


    > does it mean it is filtering the incoming packets from the external
    > network and the LAN??


    Linux doesn't differentiate between 'LAN' and 'internet', for example.
    It receives packets and then decides what to do. This decision is based
    on the source and destination addresses of those packets, and the
    interface on which they arrive (e.g. ppp0 or eth0). By default, there is no
    special treatment for the source data (address, interface).

    If your host has the IP address 192.168.0.4 and a packet with the
    destination address 192.168.0.5 arrives, then this packet is handled by
    FORWARD instead of INPUT.


    Regards.
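    The chain roles described in post 8, and the interface-based rules sketched
    in post 6, as one added script (this is an added example, not code posted
    in the thread). It assumes a host that is both a LAN gateway and a server,
    with placeholder interface names (eth0 external, eth1 LAN) and a
    placeholder LAN range; rules for traffic to the host go in INPUT, rules for
    traffic routed through it go in FORWARD, and the source rewrite for
    outbound LAN traffic goes in the nat table's POSTROUTING chain. With
    DRY_RUN=1 (the default here) the script only prints the commands it would
    run; set DRY_RUN=0 and run as root to apply them.

```shell
#!/bin/sh
# Added example: minimal gateway/server firewall showing which chain each
# rule belongs in. Interface names and the LAN range are assumed values.
LAN_ETH="${LAN_ETH:-eth1}"                 # assumed LAN-facing interface
EXT_ETH="${EXT_ETH:-eth0}"                 # assumed internet-facing interface
LAN_IPRANGE="${LAN_IPRANGE:-192.168.0.0/24}" # assumed LAN range
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print commands, 0 = execute

# Wrapper so the rule set can be reviewed before it is applied.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_firewall() {
    # Default deny for traffic to the host (INPUT) and through it (FORWARD).
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -t nat -F

    # INPUT: packets whose destination address is this host itself.
    ipt -A INPUT -i lo -j ACCEPT
    # Anti-spoofing: a LAN source address must never arrive on the external side.
    ipt -A INPUT -i "$EXT_ETH" -s "$LAN_IPRANGE" -j DROP
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SSH only from the LAN interface and LAN range (post 6's -i / -s matching).
    ipt -A INPUT -i "$LAN_ETH" -s "$LAN_IPRANGE" -p tcp --dport 22 -j ACCEPT
    # HTTPS from anywhere via the external interface.
    ipt -A INPUT -i "$EXT_ETH" -p tcp --dport 443 -j ACCEPT

    # FORWARD: packets routed through this host (destination is not the host).
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_ETH" -o "$EXT_ETH" -s "$LAN_IPRANGE" -j ACCEPT

    # POSTROUTING (nat table): after the routing decision, rewrite the
    # source of outbound LAN traffic to the external interface's address.
    ipt -t nat -A POSTROUTING -o "$EXT_ETH" -s "$LAN_IPRANGE" -j MASQUERADE
}

# chain_for HOST_IP DEST_IP: which filter chain handles a packet addressed
# to DEST_IP arriving at a host whose own address is HOST_IP (post 8's rule:
# only packets addressed to the host itself traverse INPUT, everything else
# traverses FORWARD).
chain_for() {
    if [ "$1" = "$2" ]; then
        echo INPUT
    else
        echo FORWARD
    fi
}

if [ "${1:-}" = "apply" ]; then
    apply_firewall
fi
```

    Run `sh firewall.sh apply` to see the generated rule list; the order in
    INPUT matters, so the spoof-drop sits before any ACCEPT that could match a
    forged LAN source, and the conntrack ACCEPT comes before the per-port rules
    so reply traffic never needs its own rule.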
