Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

iptables FORWARD and INPUT

Tags:

linux

input

iptables

forwarding

People also ask

What is input output and forward in iptables?

INPUT: packets coming from the network and going to your server. OUTPUT: packets originating from your server and going to the network. FORWARD: packets forwarded by your server, if/when it acts as a router between different networks.

What is the difference between the chain input output and forward?

The INPUT chain is used for any packet coming into the system. The OUTPUT chain is for any packet leaving the system. And the FORWARD chain is for packets that are forwarded (routed) through the system. The screenshot below shows how to list the filter table and all its rules.

How do I enable iptables forwarding?

To allow ESTABLISHED and RELATED traffic between your public and private interfaces, run the following commands. First for your public interface: sudo iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT.

What is iptables port forwarding?

Port forwarding on iptables is done with something called a Destination NAT. This will tell the incoming packs, depending on the conditions implied, to route through a different port or address. For this, we will need to do this through iptables' NAT PREROUTING chain.

RedHat has a great doc about iptables (a little bit long), but the subject to cover is complex and there are so many different use cases that I don't see how to avoid it.

iptables kernel routing

Here is the chapter about FORWARD and NAT Rules. As it states:

For example, if you want to forward incoming HTTP requests to your dedicated Apache HTTP Server at 172.31.0.23, use the following command as the root user:

~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.31.0.23:80

Here is what happens:

  • your linux gateway receives a packet from your router. The packet header has:
    • source: x.x.x.x:y (sender IP from the internet & source port used for packet transmission)
    • destination: 192.168.1.1:80 (assuming your linux gateway IP on external NIC, ie p1p1)
  • your linux gateway applies the PREROUTING chain to find a match. Assuming that you have typed what's above, the packet matches the rule and then calls (jumps -j) to the DNAT function (Destination Network Address Translation) which changes the destination of the packet header from the initial 192.168.1.1:80 to 172.31.0.23:80.
  • then, the packet arrives to the Routing Decision. The packet destination is now 172.31.0.23:80.
    • Your linux gateway asks itself: Is it for me (192.168.1.1:80) ? No, so I won't send it to the INPUT chain.
    • => I'll send it to the FORWARD chain.
  • since you have set the rules to FORWARD all on your local network (table filter chain FORWARD), the packet should be forwarded correctly to your local Apache HTTP Server (for example).

Hope it'll help to understand a little bit more how internal routing works with iptables.


INPUT, FORWARD, and OUTPUT are separate. A packet will only hit one of the three chains.

If the destination is to this server, it hits the INPUT chain. If its source is from this server, it hits OUTPUT. If its source and destination are both other machines—it's being routed through the server—then it hits the FORWARD chain.

Related questions

How to recover after deleting the symbolic link libc.so.6?
Difference between eng and user-debug build in Android
Replacing a running executable in linux
Checking if process still running?
How do I install JSLint on Ubuntu? [closed]
How to execute python file in linux
How to download python from command-line? [closed]
Getting n-th line of text output
trace a particular IP and port
Determine the OS version, Linux and Windows from Powershell
Understanding load average vs. cpu usage [closed]
RVM Warning! PATH is not properly set up
Vim configuration for Linux kernel development [closed]
Installing Apache on Windows Subsystem for Linux
Struct timeval to printable format
Memory usage of current process in C
Linux command 'll' is not working
How can I check a file exists and execute a command if not?
How to extract only the raw contents of an ELF section?
Unable to update Git on Ubuntu

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!