@ -33,7 +33,7 @@ Then the packet starts to go through a series of steps in the kernel, before it
|1| | | On the wire (e.g., Internet)
|2| | | Comes in on the interface (e.g., eth0)
|3| raw| PREROUTING| This chain is used to handle packets before the connection tracking takes place. It can be used to set a specific connection not to be handled by the connection tracking code for example.
|4| | | This is when the connection tracking code takes place as discussed in the The state machine chapter.
|4| | | This is when the connection tracking code takes place
|5| mangle| PREROUTING| This chain is normally used for mangling packets, i.e., changing TOS and so on.
|6| nat| PREROUTING| This chain is used for DNAT mainly. Avoid filtering in this chain since it will be bypassed in certain cases.
|7| | | Routing decision, i.e., is the packet destined for our local host or to be forwarded and where.
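Review bot: Dropping the cross-reference from step 4 ("as discussed in the The state machine chapter") removes the only pointer in this table to the chapter that actually explains connection tracking; if that chapter still exists, keep the reference and just fix the doubled "the", e.g. `|4| | | This is when the connection tracking code takes place, as discussed in the State machine chapter.` If the reference is being removed because the chapter is gone, the commit message should say so. Separately, as rendered here the hunk header reads `@ -33,7 +33,7 @@` and the changed lines carry no `-`/`+` markers, so this patch will not apply with `git apply` or `patch`; please re-export it.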
@ -51,7 +51,7 @@ Then the packet starts to go through a series of steps in the kernel, before it
|1| | | Local process/application (i.e., server/client program)
|2| | | Routing decision. What source address to use, what outgoing interface to use, and other necessary information that needs to be gathered.
|3| raw| OUTPUT| This is where you do work before the connection tracking has taken place for locally generated packets. You can mark connections so that they will not be tracked for example.
|4| | | This is where the connection tracking takes place for locally generated packets, for example state changes et cetera. This is discussed in more detail in the The state machine chapter.
|4| | | This is where the connection tracking takes place for locally generated packets, for example state changes et cetera.
|5| mangle| OUTPUT| This is where we mangle packets, it is suggested that you do not filter in this chain since it can have side effects.
|6| nat| OUTPUT| This chain can be used to NAT outgoing packets from the firewall itself.
|7| | | Routing decision, since the previous mangle and nat changes may have changed how the packet should be routed.
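Review bot: Same cross-reference removal as in the incoming-packet table at step 4; whichever way that one is resolved (keep the reference and fix "the The", or document why it is dropped) should be applied here consistently rather than deleting it silently. While this table is being touched, the mangle OUTPUT row is a comma splice ("This is where we mangle packets, it is suggested that you do not filter in this chain since it can have side effects.") and would read better as "This is where we mangle packets. Do not filter in this chain, since it can have side effects."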
@ -74,7 +74,7 @@ In this example, we're assuming that the packet is destined for another host on
|1| | | On the wire (i.e., Internet)
|2| | | Comes in on the interface (i.e., eth0)
|3| raw| PREROUTING| Here you can set a connection to not be handled by the connection tracking system.
|4| | | This is where the non-locally generated connection tracking takes place, and is also discussed more in detail in the The state machine chapter.
|4| | | This is where the non-locally generated connection tracking takes place.
|5| mangle| PREROUTING| This chain is normally used for mangling packets, i.e., changing TOS and so on.
|6| nat| PREROUTING| This chain is used for DNAT mainly. SNAT is done further on. Avoid filtering in this chain since it will be bypassed in certain cases.
|7| | | Routing decision, i.e., is the packet destined for our local host or to be forwarded and where.
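Review bot: Step 4 keeps the awkward wording "non-locally generated connection tracking", which reads as if the tracking itself is non-locally generated; since the line is being rewritten anyway, make it "This is where connection tracking takes place for packets that were not generated locally" (and, as in the other two tables, consider keeping the State machine chapter reference). Note also that steps 1 and 2 here say "i.e., Internet" and "i.e., eth0" where the first table says "e.g."; these are examples, so "e.g." is correct, and the three tables should agree.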
@ -87,28 +87,9 @@ In this example, we're assuming that the packet is destined for another host on
|===
[appendix]
== How to use iptables
Shorewall is not the easiest to use of the available iptables configuration tools but I believe that it is the most flexible and powerful.
It can handle complex and fast changing network environments.
It needs multiple configuration files, even for simple setups.
Suitable for powerusers! - Most likely there are a lot of these among our Students :-)
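Review bot: The new appendix heading "How to use iptables" does not match its body, which is an evaluation of Shorewall (not the easiest tool, most flexible, needs multiple configuration files) and says nothing about using iptables itself; either retitle it (e.g. "Shorewall as an iptables front end") or add the iptables usage content the title promises. The hunk header replaces 28 lines with 9 and the removed lines are not visible in this rendering, so please confirm that the original iptables material was not dropped by mistake. Minor: "powerusers" should be "power users", "Students" does not need a capital, and the smiley is out of register for an appendix.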