how the iptables affect?
Thomas Liske
liske at ibh.de
Wed Apr 1 15:12:23 UTC 2009
Hi,
IaMaPlAyEr schrieb:
> recently, I study the iptables, and was confused by the position of tun in
> coova-chilli.
>
> just like this big picture:
>
> http://iptables-tutorial.frozentux.net/images/tables_traverse.jpg
>
> the normal process of the route is just like this:
>
> wire --->>> eth1 --->>> mangle prerouting -->> nat prerouting --->> route
> decision --->>....------->>>nat prerouting -->>> eth0
>
> but in coova-chilli, there is a net device TUN, it connect the eth1 to eth0?
> where is it in such a normal firewall process?
chilli bypasses the kernel network stack on eth1 (where the clients
reside). It check if IP packets of the client is allowed to pass (i.e.
is it a walled garden destination or is the client authorized etc.) - if
true, it pushes the packet into the kernel via the tun interface.
The default iptables rule set loaded by chilli's up.sh drop any incoming
packets on eth1 silently (so the kernel network stack ignores them).
This has no effect on chilli which sniffs on eth1. Packets from eth0
which goes to the clients well be routed into tun0, which will processed
by chilli and put on the "eth1-wire" (bypassing the kernel network stack
again).
Regards,
Thomas L.
--
support at ibh.de Tel. +49 351 477 77 30
www.ibh.de Fax +49 351 477 77 39
-----------------------------------------------------------------------
Dipl.-Ing. Thomas Liske
Netzwerk- und System-Design
IBH IT-Service GmbH Amtsgericht Dresden
Gostritzer Str. 61-63 HRB 13626
D-01217 Dresden GF: Prof. Dr. Thomas Horn
Germany VAT DE182302907
-----------------------------------------------------------------------
Ihr Partner für: LAN, WAN IP-Quality, Security, VoIP, SAN, Backup, USV
-----------------------------------------------------------------------
professioneller IT-Service - kompetent und zuverlässig
-----------------------------------------------------------------------
More information about the Chilli
mailing list