On my router/firewall, I'm using rules on the INPUT chain for eth0
(the outward-facing interface) to perform my actions - here's a small
example:
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j REJECT --reject-with icmp-host-prohibited
So far, so good - that appears to apply both to traffic destined to
the router itself, and also to machines behind the router.
Unfortunately, things seem to change with ICMP - if I do this:
-A INPUT -i eth0 -p icmp -m icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type echo-request
Then it works for traffic destined for the router itself, but NOT for
traffic destined for machines behind the router. In order to perform
the same action for inside hosts, I (seemingly) have to perform it on
the FORWARD chain:
-A FORWARD -i eth0 -p icmp -m icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A FORWARD -i eth0 -p icmp -m icmp --icmp-type echo-request -j DROP
This has my curiosity up: First, why aren't the ICMP packets being
hit on the INPUT chain? Second, could this apply to more than just
ICMP - do I need to perform my actions on the FORWARD chain for
everything that I want to apply to inside hosts?
NG
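The routing decision the question is circling around, as an added model that is not part of the post above: in the filter table, a packet addressed to one of the router's own addresses traverses INPUT, while a packet the router forwards traverses only FORWARD, so INPUT rules never see traffic for inside hosts. The addresses, the simplified rule set (including a DROP target on the second echo-request rule) and the token-bucket reading of `-m limit --limit 1/s` with its default burst of 5 are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed: the router's own addresses on eth0 (outside) and eth1 (inside).
ROUTER_ADDRS = {"203.0.113.1", "192.168.1.1"}

@dataclass
class Packet:
    dst: str
    proto: str            # "tcp" or "icmp"
    dport: int = 0
    icmp_type: str = ""
    t: float = 0.0        # arrival time in seconds

@dataclass
class Limit:
    """Token bucket approximating '-m limit --limit 1/s' (default burst 5)."""
    rate: float = 1.0
    burst: int = 5
    tokens: float = 5.0
    last: float = 0.0
    def match(self, t):
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def rule(target, proto=None, dport=None, icmp_type=None, limit=None):
    """Build one rule: a matcher over the packet plus a target (-j)."""
    def m(p):
        if proto and p.proto != proto: return False
        if dport and p.dport != dport: return False
        if icmp_type and p.icmp_type != icmp_type: return False
        if limit and not limit.match(p.t): return False
        return True
    return (m, target)

def route(p):
    """The routing decision: local destination -> INPUT, otherwise FORWARD."""
    return "INPUT" if p.dst in ROUTER_ADDRS else "FORWARD"

def evaluate(chains, p):
    """Walk the chosen chain; first matching rule wins, else chain policy (ACCEPT assumed)."""
    chain = route(p)
    for m, target in chains[chain]:
        if m(p):
            return chain, target
    return chain, "ACCEPT"

def build_chains():
    return {
        "INPUT": [rule("ACCEPT", "tcp", 22), rule("ACCEPT", "tcp", 80),
                  rule("ACCEPT", "icmp", icmp_type="echo-request", limit=Limit()),
                  rule("DROP", "icmp", icmp_type="echo-request"), rule("REJECT")],
        "FORWARD": [rule("ACCEPT", "icmp", icmp_type="echo-request", limit=Limit()),
                    rule("DROP", "icmp", icmp_type="echo-request")],
    }

def ping_burst(chains, dst, n):
    """Verdicts for n echo-requests to dst arriving 0.1 s apart."""
    return [evaluate(chains, Packet(dst, "icmp", icmp_type="echo-request", t=i / 10))[1]
            for i in range(n)]
```

Note that a TCP packet for an inside host falls through FORWARD's policy untouched: the INPUT REJECT rule cannot reach it.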