Confused as Chris Griffin

Keith Mastin kmastin-PzQIwG9Jn9VAFePFGvp55w at public.gmane.org
Thu Nov 27 22:24:11 UTC 2003


Hi Teddy,

Good questions. :)

> Q1
> FORWARD chain "are for packets destined for other hosts"
> Well, why am I receiving packets that aren't meant for me?

The firewall will accept anything first ACCEPT'ed, then not DROP'ed (I am
assuming iptables here since you didn't specify). Only accept from the
Internet for your external IP or anything that results from a valid
request coming from your LAN. Use the Ack and Syn flags (ESTABLISHED) for
that.

> Why can I just DROP all packets received on the FORWARD chain?

You can. For ex., you generally don't need any forward chains on most
clients. Only the firewall and routing machines really should be
forwarding.

> What exactly is the FORWARD chains function ?

To accept on one interface and pass it through another interface to the
destination host.

> Q2
> INPUT chain is for packets destined for our local machine.
> Do these packets originate from Internet and all my LAN hosts?

They can originate anywhere.

> Q3
> OUTPUT chain is for packets generated locally, now leaving.
> Is this just for the Linux "lo" interface?

No. If you want to browse a web page from a client, for ex., you send
request packets out through the interface to the firewall, where it NATs
the packets, etc. etc. These are sent on the OUTPUT chain.

> What about the local LAN interface and all my LAN hosts?

Set up the LAN hosts so their default gateway is the internal (LAN)
interface on the firewall. The firewall should then NAT them and send them
on.

Read the networking3 and the iptables howtos. They give a good 10,000 foot
overview of how it all works so you can have an overall perspective of
your network as an entity and as a part of the Internet.

HTH

-- 
Keith Mastin
BeechTree Information Technology Services Inc.
Toronto, Canada
(416)429 9304
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
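Worked example, added by the editor (this is not Keith's code, nor anything
from the TLUG archive): a minimal ruleset for a Linux box acting as the
LAN's default gateway, showing the three chains the thread is about. INPUT
and FORWARD default to DROP; the firewall itself may originate traffic
(OUTPUT), LAN hosts may go out through the box and get MASQUERADEd, and
only replies come back in. It uses conntrack state matching rather than
raw SYN/ACK flag matching, so UDP and ICMP replies are covered too. The
interface names (eth0 as WAN, eth1 as LAN), the LAN prefix 192.168.1.0/24
and the SSH-from-LAN rule are assumptions, not anything the post states.

```shell
#!/bin/sh
# Added example (not from the original post): a three-chain gateway
# ruleset in iptables-restore format. Interface names and the LAN
# prefix are assumptions; override them via the environment.
#
# Usage: sh gateway-fw.sh            # print the ruleset
#        sh gateway-fw.sh --apply    # load it (root only)

# gen_ruleset WAN_IF LAN_IF LAN_NET -> writes the ruleset to stdout
gen_ruleset() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite LAN hosts' source address to the external IP on the way out.
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
# INPUT: traffic for the firewall itself. FORWARD: traffic passing through.
# OUTPUT: traffic the firewall itself generates. Whatever is not explicitly
# accepted below falls through to the DROP policy.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always local.
-A INPUT -i lo -j ACCEPT
# Anti-spoofing: nothing arriving from the Internet may claim a LAN source.
-A INPUT -i $wan -s $net -j DROP
-A FORWARD -i $wan -s $net -j DROP
# Replies to connections the firewall itself opened.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# A TCP packet that is not a SYN cannot legitimately start a connection.
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Administer the firewall over SSH from the LAN side only (assumption).
-A INPUT -i $lan -s $net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# FORWARD: LAN hosts may open anything toward the Internet ...
-A FORWARD -i $lan -o $wan -s $net -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# ... and only the replies come back. Nothing else is forwarded.
-A FORWARD -i $wan -o $lan -d $net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# ruleset_policy CHAIN -> prints the default policy of CHAIN in the filter table
ruleset_policy() {
    gen_ruleset "$WAN_IF" "$LAN_IF" "$LAN_NET" \
        | sed -n '/^\*filter/,/^COMMIT/p' \
        | sed -n "s/^:$1 \([A-Z]*\) .*/\1/p"
}

WAN_IF=${WAN_IF:-eth0}               # assumed: Internet-facing interface
LAN_IF=${LAN_IF:-eth1}               # assumed: LAN-facing interface
LAN_NET=${LAN_NET:-192.168.1.0/24}   # assumed: LAN prefix

if [ "${1:-}" = "--apply" ]; then
    gen_ruleset "$WAN_IF" "$LAN_IF" "$LAN_NET" | iptables-restore
    # Without this the kernel never routes, so FORWARD sees nothing.
    sysctl -w net.ipv4.ip_forward=1
else
    gen_ruleset "$WAN_IF" "$LAN_IF" "$LAN_NET"
fi
```

Print it first and read it; only then run it with --apply as root, ideally
from a console rather than over SSH from the WAN side, since the INPUT
policy is DROP and the only management rule accepts from the LAN.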