On 06/17/2014 10:41 AM, James B. Byrne wrote:
> On Mon, June 16, 2014 23:34, Chuck Campbell wrote:
>
>> I appreciate you restating this. I'll try to go make sense of iptables, given
>> the insight,
>>
> Keep in mind that there are three default chains, INPUT, OUTPUT and FORWARD
> that are used to initiate the packet path through IPTABLES and that they are
> mutually exclusive. INPUT deals ONLY with packets that arrive from off of AND
> are destined for the host running IPTABLES. OUTPUT deals only with packets
> that originate from the host running IPTABLES regardless of where they are
> destined. And FORWARD deals only with packets that arrive from and are
> destined off of the host running IPTABLES. A packet starts in only one of
> these based solely on its origin/destination pairing and it does not cross
> over automatically into either of the others. For example, if a forwarded
> packet is detected then the INPUT and OUTPUT chains are not used at all.
>
> I have seen chain misconfiguration where IPTABLES rules evidently assume that
> a packet is to pass from the INPUT chain or the OUTPUT chain to the FORWARD
> chain automatically. In some cases it seems that the rules writer has
> implicitly assumed that INPUT -> FORWARD -> OUTPUT is the default routing of
> all packet paths. This is not the case and it does not happen unless the
> other chain is specifically called from within the originating chain.
>
> My practice is to place general rules that I wish to apply to all packets,
> regardless of source or destination, into a chain called GENERAL and simply
> call that chain as the last instruction in each of the default chains.
> Actually I put very little else in the default chains and route from the
> GENERAL chain to other chains dedicated to specific rule sets, like for port
> knocking (FWKNOP_ALLOW); or for assured access (ALWAYS_ALLOW); or for
> blacklists: ALWAYS_DENY and FAIL2BAN_DENY for example.
>
Hi,

Here is a reasonable diagram that shows the packet flow.
http://xkr47.outerspace.dyndns.org/netfilter/packet_flow/packet_flow10.png

--
Stephen Clark
*NetWolves Managed Services, LLC.*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark at netwolves.com
http://www.netwolves.com
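The chain layout James describes (each built-in chain ending in a jump to a shared GENERAL chain, which then dispatches to ALWAYS_DENY, FAIL2BAN_DENY, ALWAYS_ALLOW and FWKNOP_ALLOW) as an added example in iptables-restore format; this is not a ruleset from either poster. The chain names come from the post; the policies, conntrack rules, the trusted network and the blocked host are assumptions chosen to make the script complete, and the two addresses are from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example, not from the original thread: emit (and optionally load) an
# iptables-restore ruleset where INPUT, OUTPUT and FORWARD each end by jumping
# to a shared GENERAL chain. A packet enters exactly one built-in chain, so the
# hand-off must appear in all three; nothing passes INPUT -> FORWARD -> OUTPUT.
#
#   sh general-chain.sh          # print the ruleset for review
#   sh general-chain.sh apply    # load it with iptables-restore (root needed)

TRUSTED_NET="192.0.2.0/24"    # assumption: RFC 5737 documentation range
BLOCKED_HOST="198.51.100.7"   # assumption: RFC 5737 documentation range

build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GENERAL - [0:0]
:ALWAYS_ALLOW - [0:0]
:ALWAYS_DENY - [0:0]
:FAIL2BAN_DENY - [0:0]
:FWKNOP_ALLOW - [0:0]
# The built-in chains hold nothing but the hand-off to GENERAL.
-A INPUT -j GENERAL
-A FORWARD -j GENERAL
-A OUTPUT -j GENERAL
# GENERAL: rules for every packet, then dispatch to the dedicated chains.
# When a user-defined chain runs out of rules without a verdict, evaluation
# returns to the caller; a packet that nothing matches ends up back in its
# built-in chain and gets that chain's policy (DROP for INPUT and FORWARD).
-A GENERAL -m conntrack --ctstate INVALID -j DROP
-A GENERAL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A GENERAL -j ALWAYS_DENY
-A GENERAL -j FAIL2BAN_DENY
-A GENERAL -j ALWAYS_ALLOW
-A GENERAL -j FWKNOP_ALLOW
# Blacklist and assured-access chains (assumed sample entries).
-A ALWAYS_DENY -s ${BLOCKED_HOST} -j DROP
-A ALWAYS_ALLOW -s ${TRUSTED_NET} -p tcp --dport 22 -j ACCEPT
# FAIL2BAN_DENY and FWKNOP_ALLOW are left empty: fail2ban and fwknopd fill
# them at run time, and an empty chain simply returns to GENERAL.
COMMIT
EOF
}

apply_ruleset() {
  # iptables-restore replaces the whole filter table in one step, so the
  # host is never left with a half-built ruleset between individual -A calls.
  build_ruleset | iptables-restore
}

case "$1" in
  apply) apply_ruleset ;;
  *)     build_ruleset ;;
esac
```

The deny chains are consulted before the allow chains so that a blacklisted address cannot be rescued by a later ALWAYS_ALLOW entry; swap the order if the site policy is the reverse. Note that `-A OUTPUT -j GENERAL` means the ESTABLISHED,RELATED accept and the dispatch also run for locally generated traffic, which is what "general rules for all packets regardless of source or destination" implies.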