iptables FORWARD and INPUT


Red Hat has a great doc about iptables (a little bit long), but the subject to cover is complex and there are so many different use cases that I don't see how to avoid it.

iptables kernel routing

Here is the chapter about FORWARD and NAT Rules. As it states:

For example, if you want to forward incoming HTTP requests to your dedicated Apache HTTP Server at 172.31.0.23, use the following command as the root user:

~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.31.0.23:80

Here is what happens:

  • your Linux gateway receives a packet from your router. The packet header has:
    • source: x.x.x.x:y (sender IP from the internet & source port used for packet transmission)
    • destination: 192.168.1.1:80 (assuming your Linux gateway IP on the external NIC, i.e. p1p1)
  • your Linux gateway applies the PREROUTING chain to find a match. Assuming that you have typed what's above, the packet matches the rule and then calls (jumps, -j) to the DNAT function (Destination Network Address Translation), which changes the destination of the packet header from the initial 192.168.1.1:80 to 172.31.0.23:80.
  • then, the packet arrives at the Routing Decision. The packet destination is now 172.31.0.23:80.
    • Your Linux gateway asks itself: Is it for me (192.168.1.1:80)? No, so I won't send it to the INPUT chain.
    • => I'll send it to the FORWARD chain.
  • since you have set the rules to FORWARD all on your local network (table filter, chain FORWARD), the packet should be forwarded correctly to your local Apache HTTP Server (for example).

Hope it'll help to understand a little bit more how internal routing works with iptables.
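The walk-through above, as an added example that is not part of the original answer: a small Python model of PREROUTING DNAT followed by the routing decision, using the answer's rule (eth0, tcp/80 to 172.31.0.23:80) and its gateway address 192.168.1.1. The sender address 203.0.113.7, the second local address 10.0.0.1 and the interface names are constructed for the example.

```python
from dataclasses import dataclass, replace

# Constructed: the gateway's own addresses (192.168.1.1 is its external NIC
# in the answer; 10.0.0.1 is an assumed internal address).
LOCAL_ADDRESSES = {"192.168.1.1", "10.0.0.1", "127.0.0.1"}

@dataclass(frozen=True)
class Packet:
    src: str        # "ip:port" of the sender
    dst: str        # "ip:port" in the packet header (rewritten by DNAT)
    proto: str      # "tcp" or "udp"
    in_iface: str   # NIC the packet arrived on (matches -i)

@dataclass(frozen=True)
class DnatRule:
    in_iface: str   # -i
    proto: str      # -p
    dport: int      # --dport
    to: str         # --to "ip:port"

def port_of(endpoint):
    return int(endpoint.rsplit(":", 1)[1])

def ip_of(endpoint):
    return endpoint.rsplit(":", 1)[0]

def prerouting(pkt, nat_rules):
    """-t nat PREROUTING: the first matching DNAT rule rewrites the destination."""
    for rule in nat_rules:
        if (rule.in_iface == pkt.in_iface and rule.proto == pkt.proto
                and rule.dport == port_of(pkt.dst)):
            return replace(pkt, dst=rule.to)
    return pkt

def routing_decision(pkt, local_addresses):
    """Is the (possibly rewritten) destination one of ours? INPUT if so, else FORWARD."""
    return "INPUT" if ip_of(pkt.dst) in local_addresses else "FORWARD"

def trace(pkt, nat_rules, local_addresses=LOCAL_ADDRESSES):
    """Return (filter chain the packet hits, destination after PREROUTING)."""
    after_nat = prerouting(pkt, nat_rules)
    return routing_decision(after_nat, local_addresses), after_nat.dst

# The answer's rule: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.31.0.23:80
RULES = [DnatRule("eth0", "tcp", 80, "172.31.0.23:80")]

if __name__ == "__main__":
    http = Packet("203.0.113.7:51234", "192.168.1.1:80", "tcp", "eth0")
    ssh = Packet("203.0.113.7:51235", "192.168.1.1:22", "tcp", "eth0")
    print(trace(http, RULES))  # ('FORWARD', '172.31.0.23:80')
    print(trace(ssh, RULES))   # ('INPUT', '192.168.1.1:22')
```

The same HTTP packet arriving on a different interface does not match the DNAT rule, so its destination stays 192.168.1.1 and it lands in INPUT, which is why the -i match matters for exposing only the intended path.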


INPUT, FORWARD, and OUTPUT are separate. A packet will only hit one of the three chains.

If the destination is to this server, it hits the INPUT chain. If its source is from this server, it hits OUTPUT. If its source and destination are both other machines—it's being routed through the server—then it hits the FORWARD chain.