CITS3002 Computer Networks  

Packet lifetimes using iptables

Consider the 'lifetime' of a single packet as it enters and traverses a firewall host running iptables. Once the kernel has made its routing decision, every packet falls into exactly one of three cases, and each case is filtered by a different built-in chain of the filter table:

  • the packet originated on the firewall host itself (from a locally running program) and is destined for another host. iptables filters these packets using its OUTPUT chain of rules before they are transmitted via an outgoing network interface.

  • the packet originated outside the firewall host and is destined for a process on the firewall host. iptables filters these packets using its INPUT chain of rules after they arrive via one of the firewall's network interfaces and the routing decision has identified them as local deliveries.

  • the packet originated outside the firewall host and is destined for another host. iptables filters these packets using its FORWARD chain of rules after the packet arrives via an incoming interface and before it is retransmitted on an outgoing interface. Such transit packets reach the FORWARD chain only if the kernel has IP forwarding enabled (net.ipv4.ip_forward=1); otherwise the routing code discards them before any FORWARD rule is consulted. Note that a transit packet never traverses INPUT or OUTPUT, so rules placed in those chains do nothing to protect hosts behind the firewall.

Of note, this generic approach permits the iptables software to act either on a single workstation with a single network interface (such as a workstation behind an ADSL router) protecting only itself, or as a dedicated firewall device with several (Ethernet) network interfaces protecting a whole internal network. In the first case only the INPUT and OUTPUT chains matter, since nothing is ever forwarded; in the second case the FORWARD chain carries the bulk of the policy, and the firewall's own INPUT chain should be as restrictive as possible.
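As an added example (not from the lecture slides), the following shell script builds a default-deny ruleset for each of the two deployment modes just described. The interface names eth0 (Internet-facing) and eth1 (LAN), the LAN prefix 192.168.1.0/24 and the handful of permitted services are assumptions chosen for illustration. By default the script only prints the iptables commands it would run, so it can be read and tested without root; set IPT=iptables (and SYSCTL=sysctl) as root to actually load the rules.

```bash
#!/bin/sh
# Added example, not part of the CITS3002 material.
# Dry-run by default: IPT expands to "echo iptables" and the commands are
# printed rather than executed. Run as root with IPT=iptables SYSCTL=sysctl
# to load them for real.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"
FW_WAN="${FW_WAN:-eth0}"                   # assumed Internet-facing interface
FW_LAN="${FW_LAN:-eth1}"                   # assumed internal (LAN) interface
FW_LAN_NET="${FW_LAN_NET:-192.168.1.0/24}" # assumed LAN prefix

# Common to both modes: default-deny on all three chains, then permit
# loopback and the reply packets of connections the later rules allow.
base_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Mode 1: a single workstation protecting itself. Only the OUTPUT chain
# (locally generated packets) and the INPUT chain (packets addressed to
# this host) are ever consulted; FORWARD is deliberately left empty.
host_rules() {
    base_rules
    # OUTPUT: let local programs open DNS, SSH, HTTP and HTTPS connections
    $IPT -A OUTPUT -o "$FW_WAN" -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -o "$FW_WAN" -p tcp -m multiport --dports 22,80,443 -j ACCEPT
    # INPUT: accept new inbound SSH, log everything else before the DROP policy
    $IPT -A INPUT -i "$FW_WAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -j LOG --log-prefix "INPUT-DROP: "
}

# Mode 2: a dedicated firewall with two interfaces. Transit traffic between
# the LAN and the Internet is filtered in FORWARD; INPUT governs only what
# may talk to the firewall itself.
gateway_rules() {
    base_rules
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # FORWARD: LAN hosts may open new connections outward, but only from the
    # LAN prefix (rejects spoofed sources arriving on the LAN interface)
    $IPT -A FORWARD -i "$FW_LAN" -o "$FW_WAN" -s "$FW_LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    # FORWARD: no unsolicited inbound connections; the DROP policy enforces
    # this, the LOG rule just records the attempts
    $IPT -A FORWARD -i "$FW_WAN" -o "$FW_LAN" -j LOG --log-prefix "FORWARD-DROP: "
    # Hide LAN addresses behind the WAN address (nat table, not filter)
    $IPT -t nat -A POSTROUTING -o "$FW_WAN" -j MASQUERADE
    # INPUT: administer the firewall over SSH from the LAN side only
    $IPT -A INPUT -i "$FW_LAN" -s "$FW_LAN_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # OUTPUT: the firewall itself needs DNS for its own housekeeping
    $IPT -A OUTPUT -o "$FW_WAN" -p udp --dport 53 -j ACCEPT
    # Without IP forwarding the kernel never routes transit packets, so the
    # FORWARD rules above would never be consulted at all
    $SYSCTL -w net.ipv4.ip_forward=1
}

case "${1:-}" in
    host)    host_rules ;;
    gateway) gateway_rules ;;
    *)       echo "usage: $0 host|gateway (dry run unless IPT=iptables)" >&2 ;;
esac
```

Run `sh firewall.sh gateway` to see the rules a two-interface firewall would load, and compare with `sh firewall.sh host`: the only difference in where the policy lives is the chain, exactly as the three cases above predict. The ip_forward sysctl is reset at boot, so a real deployment also needs it in /etc/sysctl.conf or equivalent.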


CITS3002 Computer Networks, Lecture 11, Security of TCP/IP, p21, 15th May 2024.