Consider how a Unix machine, or in fact any machine capable of IP routing,
processes IP datagrams. The basic steps, shown in Figure 9-2 are:
Figure 9-2. The stages of IP datagram processing
The IP datagram is received. (1)
The incoming IP datagram is examined to determine if it is destined for a
process on this machine.
If the datagram is for this machine, it is processed locally. (2)
If it is not destined for this machine, a search is made of the routing table
for an appropriate route and the datagram is forwarded to the appropriate
interface or dropped if no route can be found. (3)
Datagrams from local processes are sent to the routing software for forwarding
to the appropriate interface. (4)
The outgoing IP datagram is examined to determine if there is a valid route
for it to take, if not, it is dropped.
The IP datagram is transmitted. (5)
In our diagram, the flow 1→3→5 represents our machine
routing data between a host on our Ethernet network to a host
reachable via our PPP link. The flows 1→2 and 4→5 represent
the data input and output flows of a network program running on our
local host. The flow 4→3→2 would represent data flow via a
loopback connection. Naturally data flows both into and out of network
devices. The question marks on the diagram represent the points where
the IP layer makes routing decisions.
The Linux kernel IP firewall is capable of applying filtering at various
stages in this process. That is, you can filter the IP datagrams that come in
to your machine, filter those datagrams being forwarded across your
machine, and filter those datagrams that are ready to be transmitted.
In ipfwadm and ipchains, an
Input rule applies to flow 1 on the diagram, a Forwarding rule to flow
3, and an Output rule to flow 5. We'll see when we discuss
netfilter later that the points of interception
have changed so that an Input rule is applied at flow 2, and an
Output rule is applied at flow 4. This has important implications for
how you structure your rulesets, but the general principle holds true
for all versions of Linux firewalling.
This may seem unnecessarily complicated at first, but it provides flexibility
that allows some very sophisticated and powerful configurations to be built.