iptables forwarding
When making iptables do you need forwarding rules when you are running a server with one eth?
Re: iptables forwarding
Probably not.
As you are asking the question, almost certainly not.
Re: iptables forwarding
Since lo and eth+ are declared, the question is: is there any forwarding between lo and eth?
My tables use accept policy and I want to change input and forward to drop and open only the ports I really need.
Output to accept should be ok.
Re: iptables forwarding
Running iptables -nvL will show you all rules in the default table with the byte and packet counters so you can see which rules have been used.
CentOS 6 died in November 2020 - migrate to a new version!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke
Re: iptables forwarding
I used it after changing INPUT and FORWARD to DROP.
[root@server3 ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1710K 118M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 222 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
14974 1097K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
33604 1884K ACCEPT all -- eth+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 state NEW udp dpt:5353
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
Is this correct?
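As an added example (not from the thread or from any CentOS tooling), a small parser for `iptables -nvL` text that extracts each chain's policy and rules and flags a catch-all ACCEPT rule on a non-loopback interface, since every rule listed after it can only show zero counters for traffic arriving on that interface. The sample listing is the INPUT chain posted above; the function and variable names are my own.

```python
import re

# Constructed sample: the INPUT chain listing posted in the thread.
SAMPLE = """Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1710K 118M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 222 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
14974 1097K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
33604 1884K ACCEPT all -- eth+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 state NEW udp dpt:5353
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")

def parse_chains(listing):
    """Return {chain: {"policy": str, "rules": [dict, ...]}} from iptables -nvL text."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:  # "Chain INPUT (policy DROP ...)" starts a new chain
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        parts = line.split()
        if current is None or len(parts) < 9 or parts[0] == "pkts":
            continue  # blank line or the column header
        pkts, _bytes, target, prot, _opt, iface_in, iface_out, src, dst = parts[:9]
        chains[current]["rules"].append({
            "pkts": pkts, "target": target, "prot": prot, "in": iface_in,
            "out": iface_out, "src": src, "dst": dst, "match": " ".join(parts[9:]),
        })
    return chains

def shadowed_by_catchall(chain):
    """Find the first ACCEPT rule that matches every protocol, source and destination
    on a non-lo interface with no extra match (state, port). Returns
    (its index, [indices of the rules after it]) or None when there is none."""
    for i, r in enumerate(chain["rules"]):
        if (r["target"] == "ACCEPT" and r["prot"] == "all" and r["in"] != "lo"
                and r["src"] == "0.0.0.0/0" and r["dst"] == "0.0.0.0/0" and not r["match"]):
            return i, list(range(i + 1, len(chain["rules"])))
    return None

if __name__ == "__main__":
    inp = parse_chains(SAMPLE)["INPUT"]
    hit = shadowed_by_catchall(inp)
    print("policy:", inp["policy"])
    if hit:
        print("rule %d accepts everything on %s; rules %s never see that traffic"
              % (hit[0] + 1, inp["rules"][hit[0]]["in"], [j + 1 for j in hit[1]]))
```

On the posted listing this reports the `eth+` rule as the catch-all and the 5353/22/80 rules after it as unreachable for packets arriving on eth interfaces, which matches their zero packet counters.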
Re: iptables forwarding
Since you have no FORWARD chain and you've changed the default policy to DROP, nothing will get forwarded.
Re: iptables forwarding
> robkalmeijer wrote: ↑2019/04/05 02:33:15
> Since lo and eth+ is declared the question is is there any forwarding between lo and eth?

No, unless you explicitly set it up. (Not sure whether that is at all possible.)
If a process sends a packet to address X (and X is not the localhost), then the packet travels the OUTPUT chain and leaves from the eth0 to "outside".
If a packet arrives at eth0 (with the address of eth0 as destination), then it travels the INPUT chain and then a process listening on the destination port handles the packet.
A network packet enters the FORWARD netfilter chain only if it originates from "outside", is destined to "outside", and net.ipv4.ip_forward = 1.
The net.ipv4.ip_forward is 0 by default. You have had no reason to explicitly change that.
Re: iptables forwarding
So dropping forwarding is ok.
I use it for a server with only eth0.
See: https://www.robkalmeijer.nl/techniek/co ... index.html