[arch-general] iptables forward policy

Damjan gdamjan at gmail.com
Sat Aug 25 13:56:29 EDT 2012


On 25.08.2012 18:47, Juan Diego Tascón wrote:
> Good day,
>
> I'm currently configuring a router. I'm setting the default policies
> to DROP in the INPUT, OUTPUT and FORWARD chains. I'm thinking of
> setting the default FORWARD policy to ACCEPT, as my default INPUT
> policy is DROP and unless there is a valid FORWARD rule for a given
> port the packets won't go anywhere. Am I right on this? Or could
> someone deliberately set up a packet to be forwarded from my router to
> my LAN? All I could find on Google was one similar question with no
> answer :(

FORWARD and INPUT are completely different.
INPUT is for packets that in the end are destined for the host (i.e. 
routed to the host).

FORWARD is for packets that are only forwarded by the host; those packets 
will not go through the INPUT chain.


In a normal routed network this depends on the destination IP of the 
packet, but if you DNAT the packets in the PREROUTING chain of the nat 
table the destination IP will change.


-- 
дамјан

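To make the point concrete, here is a small Python model of the chain traversal described above: DNAT in nat/PREROUTING, then the routing decision, then either INPUT or FORWARD. It is an added example, not code from the thread; the addresses, ports and rule sets are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address

# Constructed addresses: the router has a WAN side and a LAN side.
ROUTER_WAN = ip_address("203.0.113.1")
ROUTER_LAN = ip_address("192.168.1.1")
LOCAL_ADDRS = {ROUTER_WAN, ROUTER_LAN}
LAN_HOST = ip_address("192.168.1.10")


@dataclass(frozen=True)
class Packet:
    dst: IPv4Address
    dport: int


@dataclass
class Router:
    input_policy: str
    forward_policy: str
    # FORWARD rules as (dst, dport, verdict); INPUT rules are not modelled.
    forward_rules: list = field(default_factory=list)
    # nat/PREROUTING DNAT: dport on a router address -> (new dst, new dport).
    dnat: dict = field(default_factory=dict)

    def verdict(self, pkt: Packet) -> tuple:
        """Return (chain, verdict) for a packet arriving on the WAN side."""
        # 1. nat/PREROUTING runs before routing: DNAT rewrites the destination.
        if pkt.dst in LOCAL_ADDRS and pkt.dport in self.dnat:
            pkt = Packet(*self.dnat[pkt.dport])
        # 2. Routing decision: only packets for a local address reach INPUT ...
        if pkt.dst in LOCAL_ADDRS:
            return "INPUT", self.input_policy
        # 3. ... everything else is routed through FORWARD and never sees INPUT.
        for rule_dst, rule_port, rule_verdict in self.forward_rules:
            if pkt.dst == rule_dst and pkt.dport == rule_port:
                return "FORWARD", rule_verdict
        return "FORWARD", self.forward_policy


def permissive_router() -> Router:
    # The setup asked about: INPUT DROP, FORWARD ACCEPT, one DNAT on port 8080.
    return Router("DROP", "ACCEPT", dnat={8080: (LAN_HOST, 80)})


def strict_router() -> Router:
    # FORWARD DROP with one explicit allow for the post-DNAT destination.
    return Router("DROP", "DROP", forward_rules=[(LAN_HOST, 80, "ACCEPT")],
                  dnat={8080: (LAN_HOST, 80)})


if __name__ == "__main__":
    for name, r in (("permissive", permissive_router()), ("strict", strict_router())):
        print(name, "LAN host :445 ->", r.verdict(Packet(LAN_HOST, 445)))
        print(name, "router :8080 (DNAT) ->", r.verdict(Packet(ROUTER_WAN, 8080)))
```

With FORWARD ACCEPT, a packet routed to a LAN host reaches it regardless of the INPUT policy; only an explicit FORWARD rule set with a DROP policy restricts what is passed through.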