From: snorble on 22 Jun 2010 17:41

My question is how a packet generated from a process running on the local machine is handled. See below for my confusion. Does it go to the INPUT or the OUTPUT chain?

From this website:
http://security.maruhn.com/howto/packet-filtering-HOWTO-6.html

I read this:

"...a program running on the box can send network packets. These packets pass through the OUTPUT chain immediately: if it says ACCEPT, then the packet continues out to whatever interface it is destined for."

However, on the same page, it gives this example which seems to contradict the above statement (since it uses the INPUT chain).

"# iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss"
From: Lew Pitcher on 22 Jun 2010 18:00

On June 22, 2010 17:41, in comp.os.linux.networking, snorble(a)hotmail.com wrote:

> My question is how a packet generated from a process running on the
> local machine is handled. See below for my confusion. Does it go to
> the INPUT or the OUTPUT chain?
>
> From this website:
> http://security.maruhn.com/howto/packet-filtering-HOWTO-6.html
>
> I read this:
>
> "...a program running on the box can send network packets. These
> packets pass through the OUTPUT chain immediately: if it says ACCEPT,
> then the packet continues out to whatever interface it is destined
> for."
>
> However, on the same page, it gives this example which seems to
> contradict the above statement (since it uses the INPUT chain).
>
> "# iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
> # ping -c 1 127.0.0.1
> PING 127.0.0.1 (127.0.0.1): 56 data bytes
>
> --- 127.0.0.1 ping statistics ---
> 1 packets transmitted, 0 packets received, 100% packet loss"

It /may/ go to both the OUTPUT /and/ INPUT chain...

Consider, in the above example, what has happened...

A local process has sent a packet through the OUTPUT chain to an interface. Since the interface is a local one, the packet is routed /back/ into the system through the INPUT chain. And, there, the INPUT rule (from above) catches and disposes of it.

To mirror the ascii-art on the page you quoted....

                  ,---> 127.0.0.1 ---,
                  |                  |
                __|__              __v__
               /     \            /     \
               (OUTPUT)          ( INPUT )
               \_____/            \_____/
                  ^                  v
                  |                  |
Local Process ----'                  '-----> Local Process

See?

--
Lew Pitcher
Master Codewright & JOAT-in-training | Registered Linux User #112576
Me: http://pitcher.digitalfreehold.ca/ | Just Linux: http://justlinux.ca/
---------- Slackware - Because I know what I'm doing. ------
From: Lew Pitcher on 22 Jun 2010 18:05

On June 22, 2010 17:41, in comp.os.linux.networking, snorble(a)hotmail.com wrote:

> My question is how a packet generated from a process running on the
> local machine is handled. See below for my confusion. Does it go to
> the INPUT or the OUTPUT chain?
>
> From this website:
> http://security.maruhn.com/howto/packet-filtering-HOWTO-6.html
[snip]

FWIW, you might want to take a look at
http://slackworld.berlios.de/04/essence-1.html

I originally drew the diagram to help guide me in writing IPTABLES rules. In this case, Case "C" seems to cover your quandary.

--
Lew Pitcher
Master Codewright & JOAT-in-training | Registered Linux User #112576
Me: http://pitcher.digitalfreehold.ca/ | Just Linux: http://justlinux.ca/
---------- Slackware - Because I know what I'm doing. ------
From: Pascal Hambourg on 22 Jun 2010 18:58

Hello,

Lew Pitcher wrote:
>
> FWIW, you might want to take a look at
> http://slackworld.berlios.de/04/essence-1.html

AFAIK,
- in scenario C there is no routing decision ("X"); it would be pointless as the packet is for local delivery;
- scenario D cannot happen; scenario B applies instead.
From: snorble on 22 Jun 2010 22:42

On Jun 22, 5:00 pm, Lew Pitcher <lpitc...(a)teksavvy.com> wrote:
> On June 22, 2010 17:41, in comp.os.linux.networking, snor...(a)hotmail.com
> wrote:
>
> > My question is how a packet generated from a process running on the
> > local machine is handled. See below for my confusion. Does it go to
> > the INPUT or the OUTPUT chain?
> >
> > From this website:
> > http://security.maruhn.com/howto/packet-filtering-HOWTO-6.html
> >
> > I read this:
> >
> > "...a program running on the box can send network packets. These
> > packets pass through the OUTPUT chain immediately: if it says ACCEPT,
> > then the packet continues out to whatever interface it is destined
> > for."
> >
> > However, on the same page, it gives this example which seems to
> > contradict the above statement (since it uses the INPUT chain).
> >
> > "# iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
> > # ping -c 1 127.0.0.1
> > PING 127.0.0.1 (127.0.0.1): 56 data bytes
> >
> > --- 127.0.0.1 ping statistics ---
> > 1 packets transmitted, 0 packets received, 100% packet loss"
>
> It /may/ go to both the OUTPUT /and/ INPUT chain...
>
> Consider, in the above example, what has happened...
>
> A local process has sent a packet through the OUTPUT chain to an interface.
> Since the interface is a local one, the packet is routed /back/ into the
> system through the INPUT chain. And, there, the INPUT rule (from above)
> catches and disposes of it.
>
> To mirror the ascii-art on the page you quoted....
>
>                   ,---> 127.0.0.1 ---,
>                   |                  |
>                 __|__              __v__
>                /     \            /     \
>                (OUTPUT)          ( INPUT )
>                \_____/            \_____/
>                   ^                  v
>                   |                  |
> Local Process ----'                  '-----> Local Process
>
> See?

Ah, so the confusion is because 127.0.0.1 was used, and there's more going on behind the scenes. Perhaps using 127.0.0.1 is not a good choice for an introductory instructional example.
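The following is an added example for this thread, not code from the HOWTO, from iptables, or from Lew's essence-1 page. It is a toy model of the filter table's OUTPUT and INPUT chains that traces a packet generated by a local process, reproducing the HOWTO's ping example that Lew explains above and the point snorble arrives at: the packet is accepted by OUTPUT, then looped back and dropped by INPUT. It goes one step beyond the 127.0.0.1 case by also tracing a ping to the host's own interface address (which Linux likewise delivers locally, through INPUT) and a ping to a remote host (which sees only OUTPUT). The class and function names, and the 192.0.2.x addresses, are constructed for the example.

```python
# Added example for this thread (not code from the HOWTO, from iptables, or
# from the essence-1 page): a toy model of how the filter table's OUTPUT and
# INPUT chains see a packet generated by a local process.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "icmp", "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    """One filter rule: a target plus optional -s and -p matches."""
    target: str                  # "ACCEPT" or "DROP"
    src: Optional[str] = None    # -s address or CIDR; None matches any source
    proto: Optional[str] = None  # -p protocol; None matches any protocol

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None:
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(pkt.src) not in net:
                return False
        return self.proto is None or self.proto == pkt.proto


@dataclass
class Chain:
    name: str
    rules: List[Rule] = field(default_factory=list)
    policy: str = "ACCEPT"       # default policy when no rule matches

    def verdict(self, pkt: Packet) -> str:
        # First matching rule wins, as in iptables.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


class FilterTable:
    """Minimal model of the filter table's INPUT and OUTPUT chains."""

    def __init__(self, local_addresses: List[str]):
        # Addresses configured on this host's own interfaces (constructed).
        self.local = {ipaddress.ip_address(a) for a in local_addresses}
        self.INPUT = Chain("INPUT")
        self.OUTPUT = Chain("OUTPUT")

    def is_local(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return ip.is_loopback or ip in self.local

    def send_local_packet(self, pkt: Packet) -> Tuple[List[Tuple[str, str]], str]:
        """Trace a packet generated by a local process; returns (chain verdicts, outcome)."""
        trace = []
        v = self.OUTPUT.verdict(pkt)
        trace.append(("OUTPUT", v))
        if v != "ACCEPT":
            return trace, "dropped"
        if not self.is_local(pkt.dst):
            return trace, "sent on external interface"
        # Destination is one of our own addresses (127.0.0.1 or an interface
        # address): the packet is looped back and re-enters through INPUT, so
        # an INPUT rule can still drop it after OUTPUT accepted it.
        v = self.INPUT.verdict(pkt)
        trace.append(("INPUT", v))
        return trace, ("delivered to local process" if v == "ACCEPT" else "dropped")


def howto_example() -> dict:
    """Reproduce the HOWTO's ping example and contrast it with two other pings."""
    fw = FilterTable(local_addresses=["192.0.2.10"])  # constructed host address
    # iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
    fw.INPUT.rules.append(Rule("DROP", src="127.0.0.1", proto="icmp"))

    ping_loopback = Packet("127.0.0.1", "127.0.0.1", "icmp")   # ping 127.0.0.1
    ping_self = Packet("192.0.2.10", "192.0.2.10", "icmp")     # ping own interface address
    ping_remote = Packet("192.0.2.10", "192.0.2.1", "icmp")    # ping another host (constructed)
    return {
        "loopback": fw.send_local_packet(ping_loopback),
        "self": fw.send_local_packet(ping_self),
        "remote": fw.send_local_packet(ping_remote),
    }


if __name__ == "__main__":
    for name, (trace, outcome) in howto_example().items():
        path = " -> ".join(chain + ":" + verdict for chain, verdict in trace)
        print(name.ljust(9), path.ljust(28), "=>", outcome)
```

Running it shows the loopback ping traversing OUTPUT:ACCEPT -> INPUT:DROP, the ping to the host's own interface address traversing both chains and being delivered, and the remote ping touching OUTPUT only. That is why a rule placed in INPUT can block traffic the OUTPUT chain already accepted, and why an introductory example built on 127.0.0.1 surprises readers who expect locally generated traffic to see OUTPUT alone.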