flaw with forwarding

Jeff Miller jeffm@dynamite.com.au
Thu, 25 Nov 1999 14:22:49 +1100


I think I may have found a flaw in netfilter with regard to forwarding.
The system I'm using is a fresh installation of Red Hat 6.1 with the kernel
upgraded to 2.3.25 and netfilter 0.1.12.

the test setup is...


     pc1 ---------- netfilter ------- the world

 203.55.121.131         203.17.154.3
          203.55.121.129

After booting and insmod-ing iptables, I change the policies as follows:

input: drop
forward: accept
output: drop

and no nat.

With this setup, however, packets are still being forwarded. Is this a
flaw in my logic or in netfilter? I would have thought that the packet
wouldn't have been let in the Ethernet interfaces to be forwarded. I refer
you to the diagram from netfilter-hacking-HOWTO.txt:

A Packet Traversing the Netfilter System:

          --->[1]--->[ROUTE]--->[3]--->[4]--->
                        |            ^
                        |            |
                        |         [ROUTE]
                        v            |
                       [2]          [5]
                        |            ^
                        |            |
                        v            |


Comments welcome,
Jeff.
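What the post observes is netfilter's intended behaviour, not a flaw: unlike ipchains, where a forwarded packet passed through the input, forward and output chains in turn, netfilter runs a forwarded packet only through hooks [1], [3] and [4] of the quoted diagram (PRE_ROUTING, FORWARD, POST_ROUTING). The INPUT and OUTPUT filter chains sit on hooks [2] and [5], which only packets addressed to, or generated by, the firewall itself ever reach, so "input: drop" says nothing about traffic from pc1 to the world. The following is an added example, not code from the post or from netfilter, that models the traversal in the diagram for the two address layouts the post describes. The firewall and pc1 addresses are taken from the post's diagram; the remote address 198.51.100.7, the FilterTable class and the function names are constructed for the example.

```python
"""Toy model of the netfilter packet traversal diagram (added example).

Hook numbers follow the netfilter-hacking HOWTO diagram quoted in the post:
[1] PRE_ROUTING, [2] LOCAL_IN (filter INPUT), [3] FORWARD,
[4] POST_ROUTING, [5] LOCAL_OUT (filter OUTPUT).
Only the routing decision and chain policies/rules are modelled; this is
not netfilter code.
"""
from dataclasses import dataclass, field

# The firewall's own interface addresses, taken from the post's diagram.
FIREWALL_ADDRS = frozenset({"203.55.121.129", "203.17.154.3"})
PC1 = "203.55.121.131"          # the inside host from the post's diagram
WORLD = "198.51.100.7"          # constructed "the world" address for the example


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class FilterTable:
    """Chain policies (iptables -P) plus optional per-chain rules (iptables -A)."""
    policies: dict                              # {"INPUT": "DROP", ...}
    rules: dict = field(default_factory=dict)   # {"FORWARD": [(match_fn, verdict), ...]}

    def verdict(self, chain, pkt):
        # First matching rule wins; otherwise the chain policy applies.
        for match, verdict in self.rules.get(chain, []):
            if match(pkt):
                return verdict
        return self.policies[chain]


def routing_decision(pkt, local_addrs=FIREWALL_ADDRS):
    """The [ROUTE] box after hook [1]: deliver locally or forward."""
    return "LOCAL_IN" if pkt.dst in local_addrs else "FORWARD"


def traverse_incoming(pkt, table, local_addrs=FIREWALL_ADDRS):
    """A packet arriving on an interface: [1] -> ROUTE -> [2] or [3] -> [4].

    Returns (verdict, hooks traversed). Note that a forwarded packet never
    touches LOCAL_IN, so the INPUT policy cannot stop it.
    """
    hooks = ["PRE_ROUTING"]
    if routing_decision(pkt, local_addrs) == "LOCAL_IN":
        hooks.append("LOCAL_IN")
        return table.verdict("INPUT", pkt), hooks
    hooks.append("FORWARD")
    verdict = table.verdict("FORWARD", pkt)
    if verdict == "ACCEPT":
        hooks.append("POST_ROUTING")
    return verdict, hooks


def traverse_outgoing(pkt, table):
    """A packet generated on the firewall itself: [5] -> ROUTE -> [4]."""
    hooks = ["LOCAL_OUT"]
    verdict = table.verdict("OUTPUT", pkt)
    if verdict == "ACCEPT":
        hooks.append("POST_ROUTING")
    return verdict, hooks


# The policies from the post: input drop, forward accept, output drop.
JEFFS_TABLE = FilterTable({"INPUT": "DROP", "FORWARD": "ACCEPT", "OUTPUT": "DROP"})

# What actually stops forwarding: a DROP policy on FORWARD, with explicit
# rules for the traffic that should pass (here: anything sourced from pc1).
LOCKED_DOWN = FilterTable(
    {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "DROP"},
    {"FORWARD": [(lambda p: p.src == PC1, "ACCEPT")]},
)

if __name__ == "__main__":
    print(traverse_incoming(Packet(PC1, WORLD), JEFFS_TABLE))
    print(traverse_incoming(Packet(PC1, "203.55.121.129"), JEFFS_TABLE))
    print(traverse_incoming(Packet(WORLD, PC1), LOCKED_DOWN))
```

Under the post's policies the model forwards pc1's packet through PRE_ROUTING, FORWARD and POST_ROUTING and only drops a packet addressed to the firewall's own 203.55.121.129, which is exactly what was observed on the box. The practical check on a real netfilter host is to set `iptables -P FORWARD DROP` and add `-A FORWARD` rules for the traffic that should pass; a DROP policy on INPUT or OUTPUT never affects forwarded packets.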