iptables script - Security
iptables script
hi,
i am new in iptables,
when writing a iptables script..
we put rules in the INPUT or FORWARD or POSTROUTING..
so which one is best..
please advice.
-
Re: iptables script
kenz wrote:
> hi,
> i am new in iptables,
> when writing a iptables script..
> we put rules in the INPUT or FORWARD or POSTROUTING..
> so which one is best..
"best" for what?
--
Lew Pitcher, IT Specialist, Corporate Technology Solutions,
Enterprise Technology Solutions, TD Bank Financial Group
(Opinions expressed here are my own, not my employer's)
-
Re: iptables script
Each one has different functionality. First you need to know the
usage, and depending on your usage you can choose among them.
INPUT, FORWARD, POSTROUTING, PREROUTING.... all these are filters.
INPUT will filter the incoming packets,
FORWARD will filter the packets that are being forwarded.
POSTROUTING will filter the packets on POST route.
.....
For more information take a look at
http://www.siliconvalleyccie.com/lin...bles-intro.htm
-
Re: iptables script
I'm a bit confused about INPUT and FORWARD..
Is it for filtering the incoming packets?
Does it mean it filters the incoming packets from the external network and
the LAN??
tq
-
Re: iptables script
INPUT will filter the packets from the external IP/network, whichever is
configured. It can be either from the same network or from a different
network.
-
Re: iptables script
So you mean that
iptables -A INPUT -i $LAN_ETH ....... or
iptables -A INPUT -s $LAN_IPRANGE ......
is filtering the incoming packets from the local network
and
iptables -A INPUT -i $EXT_ETH.......
is filtering the incoming packets from the internet?
-
Re: iptables script
"kenz" (06-03-20 21:53:39):
> I'm a bit confused about INPUT and FORWARD..
> Is it for filtering the incoming packets?
INPUT is the chain for packets destined for the host on which
netfilter is running. Anything else is handled by FORWARD. This
means that if a packet arrives which wasn't destined for your host, it
is processed by the FORWARD chain before it's routed to the actual
target. After the final IP address is found (after NAT, probably), the
POSTROUTING chain comes into play. This is effectively the last stage
for packets which need to be forwarded.
> Does it mean it filters the incoming packets from the external network and
> the LAN??
Linux doesn't differentiate between 'LAN' and 'internet', for example.
It receives packets and then decides what to do. This decision is based
on the source and destination addresses of those packets and the
interface where they arrive (e.g. ppp0 or eth0). By default, there is no
special treatment based on the source data (address, interface).
If your host has the IP address 192.168.0.4 and a packet with the
destination address 192.168.0.5 arrives, then this packet is handled by
FORWARD instead of INPUT.
Regards.
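A router script that puts each rule in the chain the replies above describe (INPUT for traffic to the router itself, FORWARD for traffic passing through it, POSTROUTING in the nat table as the last stage for forwarded packets), added here as an example and not taken from anyone in the thread. It assumes a LAN interface eth1 ($LAN_ETH), an internet interface eth0 ($EXT_ETH) and the LAN range 192.168.0.0/24; by default IPT is "echo iptables", so it only prints the commands it would install, and running it as root with IPT=iptables applies them.

```shell
#!/bin/sh
# Added example: minimal LAN/internet router firewall. All interface names,
# the LAN range and the allowed port are assumptions; adjust to your setup.
IPT="${IPT:-echo iptables}"                   # dry run unless IPT=iptables
LAN_ETH="${LAN_ETH:-eth1}"                     # assumed LAN-side interface
EXT_ETH="${EXT_ETH:-eth0}"                     # assumed internet-facing interface
LAN_IPRANGE="${LAN_IPRANGE:-192.168.0.0/24}"   # assumed LAN address range

apply_rules() {
    # Start from a clean, default-deny state in the chains this script uses.
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP

    # INPUT: packets whose destination is the router itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Admin SSH only from the LAN, matched on both interface and source range,
    # so a LAN address spoofed from the outside does not qualify.
    $IPT -A INPUT -i "$LAN_ETH" -s "$LAN_IPRANGE" -p tcp --dport 22 -j ACCEPT
    # New connections to the router from the internet fall through to the
    # DROP policy; log them first so the attempts show up in the syslog.
    $IPT -A INPUT -i "$EXT_ETH" -m conntrack --ctstate NEW -j LOG --log-prefix "EXT-INPUT-DROP: "

    # FORWARD: packets passing through the router between LAN and internet.
    # Anti-spoofing first: LAN source addresses never arrive on the external side.
    $IPT -A FORWARD -i "$EXT_ETH" -s "$LAN_IPRANGE" -j DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only LAN hosts may open new connections towards the internet.
    $IPT -A FORWARD -i "$LAN_ETH" -o "$EXT_ETH" -s "$LAN_IPRANGE" -j ACCEPT

    # POSTROUTING (nat table): last stage for forwarded packets, after the
    # routing decision; rewrite LAN sources to the router's external address.
    $IPT -t nat -A POSTROUTING -o "$EXT_ETH" -s "$LAN_IPRANGE" -j MASQUERADE
}

apply_rules
```

Review the printed commands before applying; the order inside each chain matters, since the first matching rule wins.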