[CentOS] IPTables help

Sat May 24 01:04:25 UTC 2008
Filipe Brandenburger <filbranden at gmail.com>

On Fri, May 23, 2008 at 12:25 PM, Joseph L. Casale
<JCasale at activenetwerx.com> wrote:
> In terms of Cisco ACL's, how does
> iptables work, does it simply continue processing until it sees something explicitly
> denying if the default policy is ACCEPT, versus DROP, will it continue processing until
> it sees something explicitly allowing?

iptables will process rules until a match. If the match is -j
ACCEPT/REJECT/DROP, it will end processing there. If it's -j
another_chain, it will jump to the other chain. If it matches a rule
in the other chain with -j ACCEPT/REJECT/DROP, it will stop processing
there. Otherwise, if no rules in this inner chain matches, it will
resume processing in the outer chain just after the rule which jumped
to the inner chain.

>>#Finally dropping all other traffic (positive list firewall):
>>iptables -P INPUT DROP
>>iptables -P OUTPUT DROP
>>iptables -P FORWARD DROP
> So here you know restate the default policy? I thought you could only define this once?

You define the default policy for every built-in chain: INPUT, OUTPUT

> Does this -F not reset the above stated policy?

No, it doesn't.