[CentOS] IPTables help

Sat May 24 13:51:37 UTC 2008
Filipe Brandenburger <filbranden at gmail.com>

On Sat, May 24, 2008 at 2:49 AM, Joseph L. Casale
<JCasale at activenetwerx.com> wrote:
> Appreciate the help, but I think I am still unsure of that last point.
> If the default policy for INPUT is DROP, and a rule "allowing" traffic
> is not matched, once it gets to the end it performs the default policy
> action from what I have gathered now.

What I meant was, if you create a user-defined chain, when you get to
the end of the chain without matching anything, you will go back to
the original chain and resume processing there. If you get to the end
of an internal chain (which are INPUT, OUTPUT and FORWARD), then the
default policy will apply.

Consider this example (just to illustrate the issue):

# iptables -N testing
# iptables -A FORWARD -d 192.168.5.88 -p tcp --dport 80 -j ACCEPT
# iptables -A FORWARD -i eth0 -j testing
# iptables -A testing -d 192.168.5.99 -p tcp --dport 22 -j ACCEPT
# iptables -A FORWARD -d 192.168.5.77 -p tcp --dport 443 -j ACCEPT
# iptables -P FORWARD DROP

# iptables -nvL
...
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.5.88        tcp dpt:80
    0     0 testing    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.5.77        tcp dpt:443
...
Chain testing (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.5.99        tcp dpt:22

If the packet is HTTP to host 192.168.5.88, it will match the first
rule of FORWARD and will end processing there. Otherwise, if the
packet is from eth0, it will enter the "testing" chain. If it is SSH
to 192.168.5.99, then it will match the (only) rule in "testing" and
will end processing there. Otherwise, it will resume processing on the
third rule of FORWARD. If the packet is HTTPS to 192.168.5.77, it will
match that rule, accept the packet, and end processing there.
Otherwise, as it's the end of the FORWARD chain, it will use the
default policy, which in this case was set to DROP (the default is
ACCEPT).

Is it clear now?

HTH,
Filipe
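The traversal Filipe describes, as an added example that is not part of the original mail: a small Python model of netfilter chain walking (first match wins, ACCEPT/DROP terminate, falling off the end of a user-defined chain returns to the caller, falling off the end of a built-in chain applies its policy) loaded with the mail's exact ruleset, so the paths can be traced without root or a kernel. The `Packet`, `Rule` and `Firewall` classes and the trace format are assumptions of this example; matching is exact-match only (no CIDR masks, no state matching).

```python
"""Added example, not code from the original mail: a tiny model of
netfilter chain traversal so the mail's FORWARD/testing ruleset can be
traced offline. Matching is exact-match only (no CIDR, no conntrack);
Packet, Rule and Firewall are names invented for this illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

BUILTIN_CHAINS = ("INPUT", "OUTPUT", "FORWARD")
TERMINAL = ("ACCEPT", "DROP")       # verdicts that end processing immediately


@dataclass(frozen=True)
class Packet:
    iface: str        # ingress interface, as matched by -i
    dst: str          # destination address, as matched by -d
    proto: str        # "tcp", "udp", ...
    dport: int        # destination port, as matched by --dport


@dataclass(frozen=True)
class Rule:
    target: str                    # ACCEPT, DROP, RETURN or a user-defined chain name
    iface: Optional[str] = None    # None means "any", like an omitted -i
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.iface is None or self.iface == pkt.iface)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class Firewall:
    def __init__(self) -> None:
        self.chains = {name: [] for name in BUILTIN_CHAINS}
        self.policy = {name: "ACCEPT" for name in BUILTIN_CHAINS}  # kernel default policy

    def new_chain(self, name: str) -> None:            # like: iptables -N name
        if name in self.chains:
            raise ValueError(f"chain {name} already exists")
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:  # like: iptables -A chain ... -j target
        if rule.target not in TERMINAL + ("RETURN",) and rule.target not in self.chains:
            raise ValueError(f"unknown target {rule.target}")
        self.chains[chain].append(rule)

    def set_policy(self, chain: str, verdict: str) -> None:  # like: iptables -P chain verdict
        if chain not in BUILTIN_CHAINS:
            raise ValueError("only built-in chains take a policy")
        self.policy[chain] = verdict

    def _walk(self, chain: str, pkt: Packet, trace: List[str]) -> Optional[str]:
        """ACCEPT/DROP if a terminating rule matched; None on RETURN or end of chain."""
        for idx, rule in enumerate(self.chains[chain], start=1):
            if not rule.matches(pkt):
                continue
            trace.append(f"{chain}:{idx} -> {rule.target}")
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                return None
            sub = self._walk(rule.target, pkt, trace)   # jump into the user-defined chain
            if sub is not None:
                return sub                              # user chain decided; stop here
            trace.append(f"{rule.target}: end of chain, back to {chain}")
        return None                                      # fell off the end of this chain

    def verdict(self, chain: str, pkt: Packet) -> Tuple[str, List[str]]:
        trace: List[str] = []
        result = self._walk(chain, pkt, trace)
        if result is None:                               # end of a built-in chain: policy applies
            result = self.policy[chain]
            trace.append(f"{chain}: end of chain, policy {result}")
        return result, trace


def example_ruleset() -> Firewall:
    """The ruleset from the mail, translated rule for rule, in the same order."""
    fw = Firewall()
    fw.new_chain("testing")
    fw.append("FORWARD", Rule("ACCEPT", dst="192.168.5.88", proto="tcp", dport=80))
    fw.append("FORWARD", Rule("testing", iface="eth0"))
    fw.append("testing", Rule("ACCEPT", dst="192.168.5.99", proto="tcp", dport=22))
    fw.append("FORWARD", Rule("ACCEPT", dst="192.168.5.77", proto="tcp", dport=443))
    fw.set_policy("FORWARD", "DROP")
    return fw


if __name__ == "__main__":
    fw = example_ruleset()
    for pkt in (Packet("eth0", "192.168.5.77", "tcp", 443),   # falls out of "testing", hits FORWARD rule 3
                Packet("eth1", "192.168.5.99", "tcp", 22),    # never enters "testing": policy DROP
                Packet("eth0", "192.168.5.99", "tcp", 25)):   # no match anywhere: policy DROP
        verdict, trace = fw.verdict("FORWARD", pkt)
        print(pkt, verdict, trace)
```

The trace for HTTPS to 192.168.5.77 arriving on eth0 shows the point of the mail: the packet enters "testing", finds no match, comes back to FORWARD and is accepted by the third rule, whereas SSH to 192.168.5.99 arriving on eth1 never enters "testing" at all and is dropped by the policy.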