Question:
How does a firewall determine what is incoming and what is outgoing for iptables?
2013-03-23 01:39:03 UTC
I am learning about IPtables and one thing that is puzzling me is how the firewall determines whether traffic is incoming or outgoing if you are using one network card in the system.
For example
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

The above rules accept incoming SSL from the Internet and the return response from your network.

That part I understand, but using the example I cannot see how the firewall knows that the Internet is incoming and the LAN is outgoing. I have seen a lot of IPtables examples and I don't recall seeing anything that explains how a system with one network card knows what is incoming and what is outgoing.
Hope that somebody knows.
Thanks
Four answers:
Robert J
2013-03-23 03:25:34 UTC
The example you give is for data on the machine running iptables - nothing to do with other machines.

Data being passed through for other machines is covered by FORWARD, not INPUT or OUTPUT.

A firewall machine acting as a firewall between a WAN and LAN must have two interfaces to function (with a single interface machine, all the others must also be connected to the same gateway already - there is nothing to 'force' traffic through the firewall).

So; for a machine having its own firewall to protect itself, INPUT and OUTPUT are obvious.

For a firewall system, it will have two or more interfaces and incoming/outgoing is a combination of which interface - eg. eth0 / eth1 / eth2 etc. - and which direction.

Note that you also need rules to cover interface 'lo' (local) in a full system.

And note that a single firewall rule _can_ apply to multiple interfaces if it does not have a '-i' interface definition.

(ps - the second line in your example would still be -i eth0).

[Electronics designer & programmer for 30+ years, also commercial system builder].
UD
2013-03-23 01:58:27 UTC
From my knowledge, I can describe one thing.

When you request a webpage, your computer sends out a 'packet data'; it contains your PC's IP address, the website's IP address, the time it was sent, etc. When this packet data goes through the firewall, it keeps all details about the packet data in its memory. So when the response from the website comes back, the firewall starts matching the outgoing packet data with the incoming packet data (it also knows how long it takes to deliver the packet data, usually in milliseconds); if it matches then the firewall looks for the PC's IP address to return the response to the computer. That's why you won't get websites which your sister requests.
2013-03-23 01:54:01 UTC
Maybe the words INPUT and OUTPUT in the lines might give it a clue. ALL firewall rules only apply to ONE network card. You cannot write one rule that covers more than one card. WHERE is your brain? Maybe you are in the wrong business. To work with computers you need to think for yourself.
?
2017-01-03 14:49:01 UTC
Out - scream if you want to bypass swimming, if you want to bypass abode please take your magnifying cup out of your pacifier and place your coconut on your head and shout crimson shwop a doop crof a bood a bag of bounce in at Mars. Salute to your captain! 1st Baron Beaverbrook. Yeah! OMG spooky carrot! In - OMG I certainly have crimson crowned pancakes with around sauce, shall we start up repopulating the international with bats. Now vote for the crimson carrots to be president of the silver moon of pinkness. Yeah, me and my friend have been being very random! Wish I helped. Upload me and that I visit characteristic you. Bye. XD


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.