iptables forwarding

robkalmeijer · Post by **robkalmeijer** » 2019/04/05 01:45:46

When making iptables do you need forwarding rules when you are running a server with one eth?

Whoever · Post by **Whoever** » 2019/04/05 02:17:37

Probably not.

As you are asking the question, almost certainly not.

robkalmeijer · Post by **robkalmeijer** » 2019/04/05 02:33:15

Since lo and eth+ is declared the question is is there any forwarding between lo and eth?

My tables use accept policy and I want to change input and forward to drop and open only the ports I really need.

Output to accept should be ok.

Post by **TrevorH** » 2019/04/05 16:55:56

Running iptables -nvL will show you all rules in the default table with the byte and packet counters so you can see which rules have been used.

robkalmeijer · Post by **robkalmeijer** » 2019/04/06 16:38:38

I used it after changing INPUT and FORWARD to DROP.

[root@server3 ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1710K 118M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 222 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
14974 1097K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
33604 1884K ACCEPT all -- eth+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 state NEW udp dpt:5353
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80

Is this correct?

Post by **TrevorH** » 2019/04/06 16:52:33

Since you have no FORWARD chain and you've changed the default policy to DROP, nothing will get forwarded.

jlehtone · Post by **jlehtone** » 2019/04/08 12:28:30

robkalmeijer wrote: ↑
2019/04/05 02:33:15
Since lo and eth+ is declared the question is is there any forwarding between lo and eth?

No, unless you explicitly set it up. (Not sure whether that is at all possible.)

If a process sends a packet to address X (and X is not the localhost), then the packet travels the OUTPUT chain and leaves from the eth0 to "outside".

If a packet arrives to eht0 (with address of eth0 as destination), then it travels the INPUT chain and then a process listening the destination port handles the packet.

A network packet enters the FORWARD netfilter chain only if it originates from "outside", is destined to "outside", and net.ipv4.ip_forward = 1.

The net.ipv4.ip_forward is 0 by default. You have had no reason to explicitly change that.

robkalmeijer · Post by **robkalmeijer** » 2019/04/10 22:16:41

So dropping forwarding is ok.

I use it for a server with only eth0.

See: https://www.robkalmeijer.nl/techniek/co ... index.html

CentOS

iptables forwarding

iptables forwarding

Re: iptables forwarding

Re: iptables forwarding

Re: iptables forwarding

Re: iptables forwarding

Re: iptables forwarding

Re: iptables forwarding

Re: iptables forwarding