input tables only :)

Soeren Eyhusen seyhuse@gwdg.de
Sun, 30 Apr 2000 12:10:56 +0200


On Sun, 30 Apr 2000 you wrote:
> 
> hello all,
>     I am thinking that if I set FORWARD and OUTPUT to ACCEPT then I can
> control all my packet flow by the INPUT table and nat table on my
> nics. So far on simple configurations I can't see why this won't work,
> but I have had a few beers, so what do you all think?
> Can I control all flow through the Firewall (internal/external/DMZ) by
> choking each eth* device at their associated INPUT tables?
> BTW, love the nat, very intuitive...
> 
No, I think you're wrong, because the netfilter chains work differently than they
do in ipchains. Packets travelling from one NIC to another don't go through
the input chain at all; they run through the forward chain only.
Packets hit the input chain only if they are destined for the firewall
itself. So you have to control your packet flow in the forward chain.

Greetings,
Soeren.
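To make the traversal difference concrete, here is a small model of how the filter table's chains are selected, added as an example and not part of the original post. The interface names, firewall addresses and packets are constructed; `choke_input()` models the poster's per-NIC INPUT idea and `filter_forward()` the reply's FORWARD-based control.

```python
from dataclasses import dataclass, field
from typing import Optional

# Model of filter-table chain traversal in netfilter (iptables); a constructed
# example, not the netfilter code. Assumed firewall addresses per NIC:
# eth0 = LAN 192.168.1.1, eth1 = WAN 203.0.113.1, eth2 = DMZ 10.0.0.1
FIREWALL_IPS = {"192.168.1.1", "203.0.113.1", "10.0.0.1"}

@dataclass
class Rule:
    target: str                          # ACCEPT or DROP
    in_iface: Optional[str] = None       # like -i
    out_iface: Optional[str] = None      # like -o

@dataclass
class Chain:
    policy: str                          # default target when no rule matches
    rules: list = field(default_factory=list)

def chain_for(pkt):
    """A forwarded packet (in on one NIC, out on another) traverses FORWARD
    only; INPUT is reached solely by packets addressed to the firewall itself;
    OUTPUT by packets the firewall generates (no ingress interface)."""
    if pkt["in"] is None:
        return "OUTPUT"
    return "INPUT" if pkt["dst"] in FIREWALL_IPS else "FORWARD"

def verdict(chains, pkt):
    """First matching rule wins; otherwise the chain policy applies."""
    name = chain_for(pkt)
    for r in chains[name].rules:
        if r.in_iface in (None, pkt["in"]) and r.out_iface in (None, pkt["out"]):
            return name, r.target
    return name, chains[name].policy

def choke_input():
    """The poster's idea: per-NIC DROP rules in INPUT, FORWARD left at ACCEPT."""
    return {"INPUT": Chain("ACCEPT", [Rule("DROP", in_iface=i) for i in ("eth0", "eth1", "eth2")]),
            "FORWARD": Chain("ACCEPT"), "OUTPUT": Chain("ACCEPT")}

def filter_forward():
    """The reply's point: traffic between NICs must be controlled in FORWARD."""
    return {"INPUT": Chain("DROP"),
            "FORWARD": Chain("DROP", [Rule("ACCEPT", in_iface="eth0", out_iface="eth1")]),
            "OUTPUT": Chain("ACCEPT")}

LAN_TO_DMZ = {"in": "eth0", "out": "eth2", "dst": "10.0.0.50"}     # constructed
LAN_TO_FW = {"in": "eth0", "out": None, "dst": "192.168.1.1"}      # constructed
LAN_TO_WAN = {"in": "eth0", "out": "eth1", "dst": "198.51.100.7"}  # constructed
```

Calling `verdict(choke_input(), LAN_TO_DMZ)` returns `("FORWARD", "ACCEPT")`: the INPUT DROP rules are never consulted for traffic crossing between NICs, so only the FORWARD ruleset in `filter_forward()` actually restricts it.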