Technical data

3. Base configuration
REDIRECT behaves like DNAT, except that the target IP address is always set to
127.0.0.1, so the packet is delivered to the router itself. This is needed e.g. for
transparent proxies, see OPT_TRANSPROXY (Page 191).
If you want to forward a port to an interface with a dynamic address, you do not know at
configuration time which IP address the packet should be sent to. You can therefore use
dynamic in the PREROUTING chain as a wildcard for the IP address that is assigned later on,
like this:

    'dynamic:80 DNAT:1.2.3.4'            # forward http packets (port 80) to
                                         # IP address 1.2.3.4
    'prot:gre any dynamic DNAT:1.2.3.4'  # forward gre packets (part of the PPTP
                                         # protocol) to IP address 1.2.3.4
Only ACCEPT, DNAT, NETMAP and REDIRECT may be used as actions in the PREROUTING
chain.
For further examples of port forwarding see the next paragraph.
PF_PREROUTING_N PF_PREROUTING_x PF_PREROUTING_x_COMMENT
A list of rules that describe which packets should be forwarded to another target by the
router.
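To make the semantics of the PREROUTING actions concrete, here is an added example that is not part of the fli4l documentation or project: a POSIX shell script that prints the plain iptables commands equivalent to the PREROUTING rules above. Matching on the incoming interface plays the role of fli4l's dynamic wildcard, since an interface match is valid before the WAN address is known. The interface names ppp0 and eth0, the choice of tcp for a rule that names only a port, and all hosts and ports are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the fli4l documentation or project.  It renders
# the PREROUTING rules discussed above as the equivalent iptables commands so
# the semantics of DNAT, REDIRECT and the "dynamic" wildcard are visible.
# Nothing is applied to the kernel: the functions only print commands.
# Assumptions: the dynamic WAN interface is "ppp0", the LAN interface is
# "eth0", a rule that names only a port is taken as tcp, and all hosts and
# ports are made-up values.

# "dynamic:<port> DNAT:<host>": match on the incoming interface instead of on
# a destination address, which is what makes the rule usable when the WAN
# address is only assigned later.  An empty port argument means "the whole
# protocol", as for gre, which carries no ports.
dnat_rule() {
    # $1 WAN interface, $2 protocol, $3 destination port (may be empty), $4 target host
    if [ -n "$3" ]; then
        echo "iptables -t nat -A PREROUTING -i $1 -p $2 --dport $3 -j DNAT --to-destination $4"
    else
        echo "iptables -t nat -A PREROUTING -i $1 -p $2 -j DNAT --to-destination $4"
    fi
}

# REDIRECT differs from DNAT only in the target: the packet stays on the
# router and is handed to a local port, e.g. a transparent proxy.
redirect_rule() {
    # $1 incoming (LAN) interface, $2 protocol, $3 destination port, $4 local port
    echo "iptables -t nat -A PREROUTING -i $1 -p $2 --dport $3 -j REDIRECT --to-ports $4"
}

# A DNAT rule only rewrites the destination address.  The rewritten packet
# still traverses the FORWARD chain, so with a restrictive FORWARD policy the
# forward also needs an ACCEPT there; this prints that companion rule.
forward_accept_rule() {
    # $1 WAN interface, $2 protocol, $3 destination port (may be empty), $4 target host
    if [ -n "$3" ]; then
        echo "iptables -A FORWARD -i $1 -p $2 -d $4 --dport $3 -j ACCEPT"
    else
        echo "iptables -A FORWARD -i $1 -p $2 -d $4 -j ACCEPT"
    fi
}

# Render the two rules from the text plus a transparent-proxy redirect.
render_examples() {
    dnat_rule ppp0 tcp 80 1.2.3.4           # 'dynamic:80 DNAT:1.2.3.4'
    forward_accept_rule ppp0 tcp 80 1.2.3.4
    dnat_rule ppp0 gre "" 1.2.3.4           # 'prot:gre any dynamic DNAT:1.2.3.4'
    forward_accept_rule ppp0 gre "" 1.2.3.4
    redirect_rule eth0 tcp 80 8080          # LAN web traffic to a local proxy port
}

render_examples
```

Run it with sh; it prints the commands instead of executing them, so they can be reviewed first (or piped to sh as root on a test machine). The FORWARD helper is the check that is easy to forget: DNAT alone does not let the forwarded packet through a FORWARD chain that rejects by default.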
3.10.5. Example
Below are some examples of the packet filter configuration.
The fli4l Default Configuration
fli4l’s default configuration for the INPUT-chain looks like this:
PF_INPUT_POLICY='REJECT'
PF_INPUT_ACCEPT_DEF='yes'
PF_INPUT_LOG='no'
PF_INPUT_N='1'
PF_INPUT_1='IP_NET_1 ACCEPT'
This accomplishes the following:
- computers in the local net are allowed to access the router (PF_INPUT_1='IP_NET_1 ACCEPT'),
- local communication on the router itself is allowed (PF_INPUT_ACCEPT_DEF='yes'),
- packets belonging to connections established by the router are accepted (PF_INPUT_ACCEPT_DEF='yes'),
- everything else is rejected (PF_INPUT_POLICY='REJECT'),
- but nothing is logged to syslog (PF_INPUT_LOG='no').
The FORWARD chain is similar: only packets from our local net and packets belonging to
connections that were established by machines in our local net are forwarded. In addition,
NetBIOS and CIFS packets are dropped.
58