> On Sat, Mar 02, 2002 at 04:21:24PM -0800, erich@uruk.org wrote:
> > The fact that the routing layer and application layers of Linux's
> > TCP/IP stack are one and the same is a difficulty here which the
> > IP firewalling code in Linux does not fix. I.e. if I wanted to
> > have routing as well, but not accept any packets internally *not*
> > destined for my interface, I'm not sure how to specify it without
> > something like TCP wrappers, as sleazy as they can be, and they
> > don't offer this kind of capability in general as is.
>
> Linux 2.4 netfilter:
>
> Incoming Outgoing
> interface interface
> ----+------------------- FORWARD -----------------+------->
> | ^
> v |
> INPUT -------------> Application -----------> OUTPUT
>
> The names in capitals are the names of the tables. You can control
> packets that the local machine sees completely independently of what
> gets routed through the machine with a kernel supporting iptables
> by adding the appropriate rules to the input and forward tables.
Hmm. This would seem to be false in the RH 7.2 kernel 2.4.9-21
kernel I'm working with.
My IP masquerading rule (which claims to be in the "forward"
chain, with target "MASQ"), was blocked when I did input address
masking.
I.e. Yes, I actually tested this before posting.
If you're calling it a bug, then so be it. But the result would be
a bit better than how my Linux system works now.
--
Erich Stefan Boleyn <erich@uruk.org> http://www.uruk.org/
"Reality is truly stranger than fiction; Probably why fiction is so popular"
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/