iptables forwarding

Posted: 2019/04/05 01:45:46
by robkalmeijer
When making iptables do you need forwarding rules when you are running a server with one eth?

Re: iptables forwarding

Posted: 2019/04/05 02:17:37
by Whoever
Probably not.

As you are asking the question, almost certainly not.

Re: iptables forwarding

Posted: 2019/04/05 02:33:15
by robkalmeijer
Since lo and eth+ are declared, the question is: is there any forwarding between lo and eth?

My tables use accept policy and I want to change input and forward to drop and open only the ports I really need.

Output to accept should be ok.

Re: iptables forwarding

Posted: 2019/04/05 16:55:56
by TrevorH
Running iptables -nvL will show you all rules in the default table with the byte and packet counters so you can see which rules have been used.

Re: iptables forwarding

Posted: 2019/04/06 16:38:38
by robkalmeijer
I used it after changing INPUT and FORWARD to DROP.

[root@server3 ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1710K 118M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 222 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
14974 1097K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
33604 1884K ACCEPT all -- eth+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 state NEW udp dpt:5353
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
Is this correct?
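An added example, not part of the thread, that applies TrevorH's advice to the listing posted above: it reads an `iptables -nvL` dump and reports every rule whose packet counter is still zero, plus the default policy of a chain. The sample embedded in the script is the listing from this thread; it shows the three port-specific rules at the bottom with zero hits. Because iptables stops at the first matching rule, a rule placed after a broad accept such as "ACCEPT all -- eth+ *" can never match, so a zero counter on a rule below such a line is worth checking before relying on it.

```shell
#!/bin/sh
# Added example (not from the thread): audit the counters that `iptables -nvL`
# prints. A rule whose packet counter is 0 has never matched. If it sits below
# a broader ACCEPT in the same chain it cannot match, so its counter stays 0
# regardless of how much traffic arrives.
# SAMPLE_LISTING is the listing posted in this thread, re-aligned into the
# usual iptables columns.

SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1710K  118M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    2   222 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
14974 1097K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
33604 1884K ACCEPT     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          state NEW udp dpt:5353
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80'

# Print "chain<TAB>rule" for every rule whose packet counter is 0.
# Reads an `iptables -nvL` listing from stdin.
unused_rules() {
    awk '
        /^Chain /         { chain = $2; next }   # remember which chain we are in
        /^ *pkts +bytes/  { next }               # skip the column header
        NF == 0           { next }               # skip blank separator lines
        $1 == "0"         { sub(/^ *0 +0 +/, ""); printf "%s\t%s\n", chain, $0 }
    '
}

# Print the default policy of one chain, e.g. `chain_policy INPUT` -> DROP.
# Reads an `iptables -nvL` listing from stdin.
chain_policy() {
    awk -v want="$1" '
        /^Chain / && $2 == want { print $4; exit }
    '
}

# Run against the embedded sample; replace with `iptables -nvL | unused_rules`
# on a live host.
printf '%s\n' "$SAMPLE_LISTING" | unused_rules
printf 'INPUT policy: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | chain_policy INPUT)"
```

On the sample this lists the 5353, 22 and 80 rules as never matched and reports the INPUT policy as DROP.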

Re: iptables forwarding

Posted: 2019/04/06 16:52:33
by TrevorH
Since you have no FORWARD chain and you've changed the default policy to DROP, nothing will get forwarded.

Re: iptables forwarding

Posted: 2019/04/08 12:28:30
by jlehtone
robkalmeijer wrote (2019/04/05 02:33:15):
    Since lo and eth+ are declared, the question is: is there any forwarding between lo and eth?

No, unless you explicitly set it up. (Not sure whether that is at all possible.)

If a process sends a packet to address X (and X is not the localhost), then the packet travels the OUTPUT chain and leaves from eth0 to "outside".

If a packet arrives at eth0 (with the address of eth0 as its destination), then it travels the INPUT chain and then a process listening on the destination port handles the packet.

A network packet enters the FORWARD netfilter chain only if it originates from "outside", is destined to "outside", and net.ipv4.ip_forward = 1.

The net.ipv4.ip_forward is 0 by default. You have had no reason to explicitly change that.
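An added example, not part of the thread, that puts jlehtone's packet-path description and the original goal (INPUT and FORWARD set to DROP, only needed ports opened) into a reviewable form. It emits an `iptables-restore` ruleset for a single-NIC host from a list of TCP ports given as arguments, and it reports the state of net.ipv4.ip_forward by reading /proc/sys/net/ipv4/ip_forward (a different path can be passed so the check can be exercised against a constructed file). The port list and the order of the accept rules are this example's choices, not the thread's.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset for a
# host with one NIC, DROP policies on INPUT and FORWARD, and ACCEPT rules only
# for loopback, established traffic, ICMP and the TCP ports given as arguments.
# Nothing here touches the live firewall; the output is meant to be reviewed
# and then loaded with `iptables-restore`.

# Usage: host_ruleset PORT...   e.g.  host_ruleset 22 80
host_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    # With ip_forward=0 the FORWARD chain is never traversed on this host;
    # DROP costs nothing and still holds if forwarding is ever switched on.
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    # One explicit rule per port; no blanket "accept all on eth+" sits above
    # them, so these rules are what actually admits new connections.
    for port in "$@"; do
        printf '%s %s %s\n' '-A INPUT -p tcp -m state --state NEW --dport' "$port" '-j ACCEPT'
    done
    printf '%s\n' 'COMMIT'
}

# Report whether the kernel would route packets between interfaces at all.
# Reads /proc/sys/net/ipv4/ip_forward unless another path is given.
# Prints "forwarding" or "not-forwarding".
ip_forward_state() {
    file="${1:-/proc/sys/net/ipv4/ip_forward}"
    if [ "$(cat "$file" 2>/dev/null)" = "1" ]; then
        echo forwarding
    else
        echo not-forwarding
    fi
}

# Show the ruleset for SSH and HTTP, then the current forwarding state.
host_ruleset 22 80
printf 'net.ipv4.ip_forward: %s\n' "$(ip_forward_state)"
```

To apply the output, save it to a file, review it, and load it with `iptables-restore < file`; the accept rules are ordered so that the per-port lines are the only path for new inbound connections, which keeps their counters meaningful when you later check them with `iptables -nvL`.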

Re: iptables forwarding

Posted: 2019/04/10 22:16:41
by robkalmeijer
So dropping forwarding is ok.

I use it for a server with only eth0.

See: https://www.robkalmeijer.nl/techniek/co ... index.html