mdevin <[EMAIL PROTECTED]> writes:

[snip firewall overview]

> > how come packets still seem to get dropped when being forwarded between
> > interfaces?
>
> I am not sure I have totally gotten what you are trying to do here. But,
> the packets will be dropped instead of being forwarded between interfaces
> because that is exactly what you have specified in your rules.
>
> What happens is this:
> 1. A packet comes in through one of your interfaces.
> 2. It hits the PREROUTING chain - where DNAT can occur or any tracked
> connections are de-SNATted or de-MASQUERADED.
> 3. Routing decision is made. Here is where the decision is made whether
> the packet is destined for localhost or to go out another interface.
> 4a. If the packet is destined for localhost then it traverses the INPUT
> chain.
> 4b. If the packet is for another host then it traverses the FORWARD
> chain.
Righty. That's much as I expected.

> Thus what your rules will do is:
> Any packet not destined for localhost will traverse the FORWARD chain
> and will be -j (jumped) to your block (user defined) chain. This will
> presumably LOG and then DROP the packets. Thus all your FORWARDED
> packets will be DROPPED.

Ultimately, I want input & forward to be drop-by-default. However, the
`block' chain is meant to be good for both input & forward scenarios; it
has rules for stateful filtering and `open' things, then a drop & log.
If I put in a rule matching -i and/or -o as appropriate, it still
doesn't seem to work. Maybe I've done something wrong (and I don't really
want to post ork's firewall in any more detail).

> This is of course only if you don't have other rules in your FORWARD
> chain which explicitly ACCEPT the packets before they hit the FORWARD
> chain rule you have written above.

What about if I kick *all* packets from forward onto `block', though?
That's the bit I'm not wholly happy about.

~Tim
-- 
A spark of life                 |[EMAIL PROTECTED]
On a wire from heaven           |http://spodzone.org.uk/
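As an added example (not code from either poster), here is one way to lay out the drop-by-default ruleset discussed above: a single user-defined `block' chain shared by INPUT and FORWARD, with the one FORWARD-only ACCEPT placed before the jump so block's final DROP does not swallow it. Interface names, the DMZ host and the helper names `apply_rules` and `forward_order_ok` are assumptions for illustration.

```shell
# Added example, not from the thread: one `block' chain serving both INPUT
# and FORWARD. Interface names and the DMZ host are assumed placeholders.
LAN_IF="${LAN_IF:-eth1}"                  # assumed: internal interface
WAN_IF="${WAN_IF:-eth0}"                  # assumed: external interface
DMZ_WEB="${DMZ_WEB:-192.168.1.10}"        # assumed: forwarded web server

# Every rule goes through "$runner", so `apply_rules echo` previews the set
# and `apply_rules iptables` (as root) installs it.
apply_rules() {
    runner="$1"
    # Default policies: nothing is accepted unless a rule says so.
    "$runner" -P INPUT DROP
    "$runner" -P FORWARD DROP
    "$runner" -P OUTPUT ACCEPT

    # The shared block chain: keep tracked connections, allow the "open"
    # things, then log and drop whatever is left.
    "$runner" -N block
    "$runner" -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$runner" -A block -i lo -j ACCEPT
    # -i matches in both chains, so new connections from the LAN are allowed
    # whether they end on this host (INPUT) or are forwarded (FORWARD). A
    # rule that also needs -o would only ever match forwarded packets.
    "$runner" -A block -m state --state NEW -i "$LAN_IF" -j ACCEPT
    "$runner" -A block -m limit --limit 3/min -j LOG --log-prefix "block: "
    "$runner" -A block -j DROP

    # FORWARD-only exception: new inbound web traffic to the DMZ host. It must
    # sit BEFORE the jump, or block's final DROP swallows it.
    "$runner" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$DMZ_WEB" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT

    # Both built-in chains hand everything else to block.
    "$runner" -A INPUT -j block
    "$runner" -A FORWARD -j block
}

# Returns 0 when every FORWARD ACCEPT in the preview precedes the jump to block.
forward_order_ok() {
    apply_rules echo | awk '
        /^-A FORWARD -j block/ { seen_jump = 1 }
        /^-A FORWARD / && /-j ACCEPT/ && seen_jump { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

case "${1:-}" in
    --apply)   apply_rules iptables ;;   # needs root and a netfilter kernel
    --preview) apply_rules echo ;;
esac
```

Run with `--preview` to read the rules in order before installing them; the ordering check is the part worth keeping when the ruleset grows.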