On Fri, May 23, 2008 at 12:25 PM, Joseph L. Casale JCasale@activenetwerx.com wrote:
In terms of Cisco ACLs, how does iptables work? Does it simply continue processing until it sees something explicitly denying if the default policy is ACCEPT, versus DROP, where it will continue processing until it sees something explicitly allowing?
iptables will process rules until a match. If the match is -j ACCEPT/REJECT/DROP, it will end processing there. If it's -j another_chain, it will jump to the other chain. If it matches a rule in the other chain with -j ACCEPT/REJECT/DROP, it will stop processing there. Otherwise, if no rule in this inner chain matches, it will resume processing in the outer chain just after the rule which jumped to the inner chain.
#Finally dropping all other traffic (positive list firewall):
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
So here you now restate the default policy? I thought you could only define this once?
You define the default policy for every built-in chain: INPUT, OUTPUT and FORWARD.
Does this -F not reset the above stated policy?
No, it doesn't.
HTH, Filipe
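The traversal Filipe describes (first match wins, a jump into a user chain, fall-through back to the rule after the jump, the built-in chain's policy as the last resort, and -F clearing rules but not the policy) modeled in a small Python simulator. This is an added illustration, not code from the thread or from iptables itself; the chain name ssh_ok, the packet fields and the match semantics (exact field equality) are made up for the example.

```python
TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # verdicts that end traversal
BUILTIN = ("INPUT", "OUTPUT", "FORWARD")  # only these chains carry a policy

class Filter:
    def __init__(self):
        self.policy = {c: "ACCEPT" for c in BUILTIN}
        self.chains = {c: [] for c in BUILTIN}

    def new_chain(self, name):               # iptables -N name
        self.chains[name] = []

    def append(self, chain, match, target):  # iptables -A chain <match> -j target
        self.chains[chain].append((match, target))  # match: fields that must all be equal

    def set_policy(self, chain, target):     # iptables -P chain target (built-in chains only)
        assert chain in BUILTIN, "user chains have no policy"
        self.policy[chain] = target

    def flush(self, chain=None):             # iptables -F [chain]: removes rules, keeps policy
        for name in ([chain] if chain else list(self.chains)):
            self.chains[name] = []

    def _walk(self, chain, pkt):
        """First matching rule decides; None means the chain fell through."""
        for match, target in self.chains[chain]:
            if all(pkt.get(k) == v for k, v in match.items()):
                if target in TERMINAL:
                    return target
                verdict = self._walk(target, pkt)  # jump into the user chain
                if verdict is not None:
                    return verdict  # else resume with the next rule of this chain
        return None

    def verdict(self, chain, pkt):
        # the policy is consulted only when no rule matched anywhere
        return self._walk(chain, pkt) or self.policy[chain]

def demo():
    f = Filter()
    f.new_chain("ssh_ok")
    f.append("ssh_ok", {"iface": "lan"}, "ACCEPT")              # only LAN-side SSH is allowed
    f.append("INPUT", {"proto": "tcp", "dport": 22}, "ssh_ok")
    f.append("INPUT", {"proto": "tcp", "dport": 22}, "REJECT")  # hit when ssh_ok falls through
    f.set_policy("INPUT", "DROP")                               # positive-list firewall
    pkts = [{"iface": "lan", "proto": "tcp", "dport": 22},       # constructed: SSH from the LAN
            {"iface": "wan", "proto": "tcp", "dport": 22},       # constructed: SSH from the WAN
            {"iface": "wan", "proto": "tcp", "dport": 80}]       # constructed: HTTP, matches nothing
    before = [f.verdict("INPUT", p) for p in pkts]
    f.flush()                                                   # rules gone, DROP policy remains
    return before, f.verdict("INPUT", pkts[0])
```

demo() returns (["ACCEPT", "REJECT", "DROP"], "DROP"): the WAN SSH packet is rejected by the rule after the jump once ssh_ok falls through, and after -F even LAN SSH hits the surviving DROP policy.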