[CentOS] iptables question

Tue Jun 17 15:21:24 UTC 2014
Steve Clark <sclark at netwolves.com>

On 06/17/2014 10:41 AM, James B. Byrne wrote:
> On Mon, June 16, 2014 23:34, Chuck Campbell wrote:
>> I appreciate you restating this. I'll try to go make sense of iptables, given
>> the insight,
> Keep in mind that there are three default chains, INPUT, OUTPUT and FORWARD
> that are used to initiate the packet path through IPTABLES and that they are
> mutually exclusive.  INPUT deals ONLY with packets that arrive from off of AND
> are destined for the host running IPTABLES.  OUTPUT deals only with packets
> that originate from the host running IPTABLES regardless of where they are
> destined.  And FORWARD deals only with packets that arrive from and are
> destined off of the host running IPTABLES.  A packet starts in only one of
> these based solely on its origin/destination pairing and it does not cross
> over automatically into either of the others.  For example, if a forwarded
> packet is detected then the INPUT and OUTPUT chains are not used at all.
> I have seen chain misconfiguration where IPTABLES rules evidently assume that
> a packet is to pass from the INPUT chain or the OUTPUT chain to the FORWARD
> chain automatically. In some cases it seems that the rules writer has
> implicitly assumed that INPUT -> FORWARD -> OUTPUT is the default routing of
> all packet paths.  This is not the case and it does not happen unless the
> other chain is specifically called from within the originating chain.
> My practice is to place general rules that I wish to apply to all packets,
> regardless of source or destination, into a chain called GENERAL and simply
> call that chain as the last instruction in each of the default chains.
> Actually I put very little else in the default chains and route from the
> GENERAL chain to other chains dedicated to specific rule sets, like for port
> knocking (FWKNOP_ALLOW); or for assured access (ALWAYS_ALLOW); or for
> blacklists: ALWAYS_DENY and FAIL2BAN_DENY for example.

Here is a reasonable diagram that show the packet flow.

Stephen Clark
*NetWolves Managed Services, LLC.*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark at netwolves.com