flaw with forwarding
Jeff Miller
jeffm@dynamite.com.au
Thu, 25 Nov 1999 14:22:49 +1100
I think I may have found a flaw in netfilter with regard to forwarding.
The system I'm using is a fresh installation of redhat 6.1 with the kernel
upgraded to 2.3.25 and netfilter 0.1.12
The test setup is:

pc1 ---------- netfilter ------- the world
203.55.121.131   203.55.121.129 | 203.17.154.3
After booting and insmod-ing iptables, I change the policies as follows:
input: drop
forward: accept
output: drop
and no nat.
With this setup, however, packets are still being forwarded. Is this a
flaw in my logic or in netfilter? I would have thought that the packet
wouldn't have been let in the ethernet interfaces to be forwarded. I refer
you to the diagram from netfilter-hacking-HOWTO.txt:
A Packet Traversing the Netfilter System:
   --->[1]--->[ROUTE]--->[3]--->[4]--->
         |            ^
         |            |
         |         [ROUTE]
         v            |
        [2]          [5]
         |            ^
         |            |
         v            |
Comments welcomed,
Jeff.
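The behaviour described in the post follows directly from the traversal diagram: a packet whose destination is not one of the box's own addresses goes [1] -> [ROUTE] -> [3] -> [4] and never reaches hook [2], which is where the filter table's INPUT chain hangs, so an INPUT policy of DROP cannot stop forwarding; only the FORWARD chain (hook [3]) can. The following shell script is an added example, not code from the post or from the netfilter project: it models that routing decision for the addresses given in the post, evaluates the three chain policies against it, and prints the default-deny rule set a defender would load instead. The "world" address 198.51.100.7 and the interface names eth0/eth1 are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a small model of the
# netfilter traversal diagram, showing why an INPUT policy of DROP never
# touches forwarded packets.
#
# Hook numbers follow the netfilter-hacking-HOWTO diagram:
#   [1] NF_IP_PRE_ROUTING  [2] NF_IP_LOCAL_IN   [3] NF_IP_FORWARD
#   [4] NF_IP_POST_ROUTING [5] NF_IP_LOCAL_OUT
# The filter table's INPUT chain sits on hook 2, FORWARD on hook 3 and
# OUTPUT on hook 5; hooks 1 and 4 carry no filter chain at all.

# Addresses owned by the netfilter box itself (both interfaces, from the post).
LOCAL_ADDRS="203.55.121.129 203.17.154.3"

# is_local ADDR -> exit status 0 if ADDR belongs to the netfilter box.
is_local() {
    for a in $LOCAL_ADDRS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# hooks_for SRC DST -> prints the hook sequence an incoming packet
# traverses, following the [ROUTE] decision in the diagram.
hooks_for() {
    if is_local "$2"; then
        echo "1 2"          # PRE_ROUTING -> routing -> LOCAL_IN
    else
        echo "1 3 4"        # PRE_ROUTING -> routing -> FORWARD -> POST_ROUTING
    fi
}

# verdict SRC DST INPUT_POLICY FORWARD_POLICY OUTPUT_POLICY -> prints the
# final verdict for an incoming packet when the chains hold no rules, so
# only the chain policies decide.
verdict() {
    in_pol=$3; fwd_pol=$4; out_pol=$5
    for h in $(hooks_for "$1" "$2"); do
        case $h in
            2) [ "$in_pol" = ACCEPT ]  || { echo DROP; return 0; } ;;
            3) [ "$fwd_pol" = ACCEPT ] || { echo DROP; return 0; } ;;
            5) [ "$out_pol" = ACCEPT ] || { echo DROP; return 0; } ;;
        esac
    done
    echo ACCEPT
}

# hardened_ruleset -> prints a default-deny rule set: DROP on all three
# filter chains and explicit permits on FORWARD for pc1 only.
# The iptables syntax is real; eth0 (inside) and eth1 (outside) are assumed.
hardened_ruleset() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A FORWARD -i eth0 -o eth1 -s 203.55.121.131 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -d 203.55.121.131 -j ACCEPT
EOF
}

# Constructed scenarios: pc1 talking to a "world" host, and pc1 talking
# to the netfilter box itself, under the policies from the post.
echo "pc1 -> world, policies DROP/ACCEPT/DROP: $(verdict 203.55.121.131 198.51.100.7 DROP ACCEPT DROP)"
echo "pc1 -> box,   policies DROP/ACCEPT/DROP: $(verdict 203.55.121.131 203.17.154.3 DROP ACCEPT DROP)"
echo "pc1 -> world, policies DROP/DROP/DROP:   $(verdict 203.55.121.131 198.51.100.7 DROP DROP DROP)"
echo "--- rule set to load instead ---"
hardened_ruleset
```

The first scenario reproduces the observation in the post (the packet is forwarded even though INPUT is DROP); the second shows INPUT's policy applying only to traffic addressed to the box itself; the third shows that setting the FORWARD policy to DROP is what actually stops transit traffic. The printed rule set keeps that default-deny stance and then permits forwarding only for the listed host, which is the configuration to start from rather than FORWARD ACCEPT.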