On 08/06/2009 01:35 AM, Rony Bill wrote:
Hello,
I have to set up a firewall box for someone ASAP and I was going through the tutorials at
http://forums.debian.net/viewtopic.php?t=16166
I just have a small query as I am confused with the directions of packets. When setting a rule for the INPUT table, there is a source and destination setting. From the examples given in the above tutorial, when an incoming packet is received, the source is a local IP and destination is the world. Shouldn't the incoming packet's source be the world and destination the local LAN IP address? Could the experts please clarify? Otherwise it seems quite easy to set up.
I assume you meant the examples such as these in the guide: iptables -A INPUT -p tcp --dport 22 -s 192.168.0.3 -j ACCEPT
Firstly, the terminology in the guide appears to be incorrect. The guide refers to INPUT, OUTPUT and FORWARD as 'tables'. These are in fact termed 'chains' within the 'filter' table (which is the default table for modification when -t is not provided; there are other tables like 'nat', 'mangle', etc.).
Think of tables as a grouping of 'what' you want to do with the packets (filter, nat, mangle) and chains as 'when' you want to do it (INPUT, OUTPUT, FORWARD for filter; PREROUTING, POSTROUTING for nat, etc.).
So as far as the filter table is concerned, in this context, there isn't any difference between your 'home' network and the 'world' network. The rule will just be matched against the networks mentioned in the rules. Think about it a bit. Your rules might even mention src/dest addresses on networks that none of your interfaces are even part of.
Mentioning an action in the INPUT chain simply means that the packet would be examined when received and filtered accordingly.
HTH, regards, - steve
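An added illustration, not code from the thread or the guide it references: a small Python model of the filter table's first-match semantics. It shows that -s and -d are tested against the packet's own header addresses (no notion of "home" or "world") and that a packet addressed to the host traverses INPUT while routed traffic traverses FORWARD. The addresses and the host's local address set are constructed sample values.

```python
# Added illustration (not from the thread): a minimal model of netfilter's
# filter table, enough to show how -s/-d are matched and which chain a
# packet traverses. All addresses below are constructed sample values.
import ipaddress
from dataclasses import dataclass
from typing import Optional


def in_net(addr: str, net: Optional[str]) -> bool:
    """True when the option is omitted (net is None) or addr lies inside net."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


@dataclass
class Packet:
    src: str      # source IP as it appears in the packet header
    dst: str      # destination IP as it appears in the packet header
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass
class Rule:
    target: str                    # -j ACCEPT / DROP
    proto: Optional[str] = None    # -p
    src: Optional[str] = None      # -s address or CIDR
    dst: Optional[str] = None      # -d address or CIDR
    dport: Optional[int] = None    # --dport

    def matches(self, pkt: Packet) -> bool:
        # Every option is a test on the packet's own header fields; netfilter
        # has no notion of "home" or "world", only addresses and networks.
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and in_net(pkt.src, self.src)
                and in_net(pkt.dst, self.dst))


def run_chain(rules, policy, pkt):
    """First rule that matches decides; otherwise the chain's policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


# The guide's rule: iptables -A INPUT -p tcp --dport 22 -s 192.168.0.3 -j ACCEPT
# Chains are (rules, policy); a DROP policy is the deny-by-default stance.
FILTER = {
    "INPUT":   ([Rule("ACCEPT", proto="tcp", dport=22, src="192.168.0.3")], "DROP"),
    "FORWARD": ([], "DROP"),
}


def filter_packet(pkt, local_addrs, table=FILTER):
    """Pick the chain as netfilter does (INPUT if the packet is for this host,
    FORWARD if it is being routed through) and evaluate it."""
    chain = "INPUT" if pkt.dst in local_addrs else "FORWARD"
    rules, policy = table[chain]
    return chain, run_chain(rules, policy, pkt)
```

Note that the same rule never sees forwarded traffic: a packet from 192.168.0.3 bound for some other host ends up in FORWARD, where only that chain's rules and policy apply.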