


Re: Need advice solving problems with testing netfilter and ipsets

From David Brown <david.brown@hesbynett.no>
Newsgroups comp.os.linux.networking
Subject Re: Need advice solving problems with testing netfilter and ipsets
Date 2026-02-18 21:12 +0100
Organization A noiseless patient Spider
Message-ID <10n56fq$2uej6$1@dont-email.me> (permalink)
References <10md6rs$2ucqu$1@dont-email.me> <10mesld$3g28q$1@dont-email.me> <10n55ab$2p9q6$1@dont-email.me>



On 18/02/2026 20:52, Lew Pitcher wrote:
> On Tue, 10 Feb 2026 10:10:05 +0100, David Brown wrote:
> 
>> On 09/02/2026 18:51, Lew Pitcher wrote:
>>> Question: Does anyone see a problem with the ipsets/iptables rules
>>> that I've built, below?
> [snip]
>>> and the model iptables rule is
>>>     iptables -t filter -P FORWARD DROP
>>>     iptables -t filter -A FORWARD -i lo   -j ACCEPT
>>>     iptables -t filter -A FORWARD -i eth1                   \
>>>         -m set --match-set IMMURED src                      \
>>>         -m set ! --match-set LOCALNETS dst                  \
>>>         -j LOG --log-level notice --log-prefix 'netfilter (immured debug)'
>>>     iptables -t filter -A FORWARD -i eth1 -j ACCEPT
>>>     iptables -t filter -A FORWARD -i eth0 -j ACCEPT
>>>
> [snip]
>> I don't see anything immediately wrong with your rules here (other than
>> the typo you found yourself).  I think the rule forwarding packets from
>> "lo" is redundant (local packets go out on OUTPUT, not FORWARD), but I
>> don't imagine it is doing any harm.
> 
> The key here is "local packets". I wrote these rules as bullet-proof as
> I could make them. One scenario that I considered was "process bind()s to
> localhost, sends packets to host on external network".
> 
> If I understand the sequence of events properly, in this scenario, packets
> originating from the localhost address would traverse
> - the OUTPUT chain,
> - the POSTROUTING chain,
> - the lo interface
> - the PREROUTING chain,
> - the FORWARD chain (because the packets are destined for an external address),
> - the POSTROUTING chain (again), and
> - the interface that hosts the route to the next hop.
> and, thus I wanted a rule that overrode the default "DROP" rule I had imposed
> on the FORWARD chain.
> 
> I know that "lo" and 127.0.0.1 are special cases that would preclude TCP
> (return routing wouldn't work properly), but I don't know if it also affects
> UDP or raw packets, where return routing isn't expected by the protocol.
> 
> Was I mistaken in this?
> 

I believe so, yes.  (I am confident enough for my own use, but I am
always wary of being over-confident when giving advice to others.)
FORWARD is for packets moving through the system, not originating on it.
Your packets from local services do not start at the "lo" interface -
they are OUTPUT from your local service or program on whatever interface
fits the target, according to routing tables.

<https://www.baeldung.com/linux/iptables-output-vs-forward-chains>
<https://www.baeldung.com/linux/iptables-chains-tables-traversal>
<https://dtsec.us/2022-03-28-iptables/>

You can also test this quite easily, as iptables rules keep counters. 
Set up your rules, send some packets back and forth, then use "iptables 
-v -n -L FORWARD" to look at the counters for the rules.  If the counter 
is 0, the rule is never being hit.

(The modern tool to use is "nftables" rather than "iptables".  I have 
not moved over as yet - I am too used to iptables.)
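An added worked example, not part of David's post or the thread: the counter check described above, done as a before/after diff so that a rule's hit count can be tied to one specific test (for instance a UDP packet sent from a socket bound to 127.0.0.1 towards an external host, the scenario Lew asked about). The two listings embedded in the script are constructed sample data in the layout of "iptables -t filter -v -n -x -L FORWARD"; the match-detail text that iptables prints for set matches and LOG options varies between versions and is an assumption here, as is the script name. The -x flag makes iptables print exact counts rather than abbreviations such as 12K or 3M; the parser accepts the abbreviated form too, so an older snapshot taken without -x still works.

```python
"""Added example (not from the thread): which FORWARD rules did a test hit?

Parses two snapshots of 'iptables -t filter -v -n -x -L FORWARD' taken
before and after sending test traffic and reports the per-rule packet
delta.  A rule whose delta is 0 was not hit by the test.  The chain's
default-policy counter is reported too, as the synthetic rule
'POLICY <verdict>', since it counts packets that matched no rule at all.
"""
import re
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    pkts: int
    bytes: int
    text: str  # target, prot, opt, in, out, src, dst and match details


# Without -x, iptables abbreviates counters: 12K = 12000, 3M = 3000000.
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def parse_count(tok: str) -> int:
    """Turn a counter token such as '1234', '12K' or '3M' into an int."""
    if tok[-1] in _SUFFIX:
        return int(tok[:-1]) * _SUFFIX[tok[-1]]
    return int(tok)


def parse_chain(listing: str) -> List[Rule]:
    """Parse one 'iptables -v -n [-x] -L CHAIN' listing into Rule entries."""
    rules: List[Rule] = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or line.startswith("pkts"):
            continue  # blank line or the column-header line
        m = re.match(r"Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)", line)
        if m:
            rules.append(Rule(parse_count(m.group(3)), parse_count(m.group(4)),
                              "POLICY " + m.group(2)))
            continue
        if line.startswith("Chain "):
            continue  # user-defined chain header ("Chain X (N references)")
        fields = line.split(None, 2)
        if len(fields) < 3:
            raise ValueError("unexpected listing line: " + repr(raw))
        # Collapse the column padding so rule text compares cleanly.
        rules.append(Rule(parse_count(fields[0]), parse_count(fields[1]),
                          " ".join(fields[2].split())))
    return rules


def counter_deltas(before: str, after: str) -> List[Tuple[str, int]]:
    """Per-rule packet delta between two snapshots of the same chain.

    Refuses to compare if the rule list changed in between, because the
    counters would no longer line up position by position.
    """
    b, a = parse_chain(before), parse_chain(after)
    if [r.text for r in b] != [r.text for r in a]:
        raise ValueError("rule set changed between snapshots")
    return [(x.text, y.pkts - x.pkts) for x, y in zip(b, a)]


def unhit_rules(before: str, after: str) -> List[str]:
    """Rules (and the policy) that matched no packets between snapshots."""
    return [text for text, d in counter_deltas(before, after) if d == 0]


# Constructed sample snapshots (not captured from a real host), laid out as
# 'iptables -t filter -v -n -x -L FORWARD' prints them for the thread's rules.
BEFORE = '''
Chain FORWARD (policy DROP 17 packets, 1088 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
       3        228 LOG        all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            match-set IMMURED src ! match-set LOCALNETS dst LOG flags 0 level 5 prefix "netfilter (immured debug)"
     120      91234 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
      98      76543 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
'''

AFTER = '''
Chain FORWARD (policy DROP 17 packets, 1088 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
       5        380 LOG        all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            match-set IMMURED src ! match-set LOCALNETS dst LOG flags 0 level 5 prefix "netfilter (immured debug)"
     135     101234 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
     110      85543 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
'''


if __name__ == "__main__":
    # Real use: snapshot, send the test packets, snapshot again, then
    #   python3 fwd_counters.py before.txt after.txt   (name is hypothetical)
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            snaps = (f1.read(), f2.read())
    else:
        snaps = (BEFORE, AFTER)
    for text, delta in counter_deltas(*snaps):
        print(f"{delta:6d}  {text}")
    print("never hit:", unhit_rules(*snaps))
```

With the sample data the "-i lo" rule and the DROP policy show a delta of 0 while the LOG rule and the two ACCEPT rules advance, which is the pattern to expect if the test traffic was routed traffic arriving on eth1 and eth0 and nothing reached FORWARD via lo. Run the real snapshots a few seconds apart with only your test traffic in between, or the background forwarding on a busy router will swamp the counters you are trying to read.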




Thread

Need advice solving problems with testing netfilter and ipsets Lew Pitcher <lew.pitcher@digitalfreehold.ca> - 2026-02-09 17:51 +0000
  Re: Need advice solving problems with testing netfilter and ipsets Lew Pitcher <lew.pitcher@digitalfreehold.ca> - 2026-02-09 17:54 +0000
    Re: Need advice solving problems with testing netfilter and ipsets Lew Pitcher <lew.pitcher@digitalfreehold.ca> - 2026-02-09 18:39 +0000
  Re: Need advice solving problems with testing netfilter and ipsets David Brown <david.brown@hesbynett.no> - 2026-02-10 10:10 +0100
    Re: Need advice solving problems with testing netfilter and ipsets Lew Pitcher <lew.pitcher@digitalfreehold.ca> - 2026-02-10 15:20 +0000
      Re: Need advice solving problems with testing netfilter and ipsets David Brown <david.brown@hesbynett.no> - 2026-02-10 21:13 +0100
    Re: Need advice solving problems with testing netfilter and ipsets Lew Pitcher <lew.pitcher@digitalfreehold.ca> - 2026-02-18 19:52 +0000
      Re: Need advice solving problems with testing netfilter and ipsets David Brown <david.brown@hesbynett.no> - 2026-02-18 21:12 +0100
