[CentOS] iptables question

Fri Jun 20 20:59:27 UTC 2014
Rob Townley <rob.townley at gmail.com>


On Tue, Jun 17, 2014 at 9:41 AM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:

> On Mon, June 16, 2014 23:34, Chuck Campbell wrote:
> > I appreciate you restating this. I'll try to go make sense of iptables,
> > given the insight,
> >
> Keep in mind that there are three default chains, INPUT, OUTPUT and FORWARD
> that are used to initiate the packet path through IPTABLES and that they are
> mutually exclusive.  INPUT deals ONLY with packets that arrive from off of and
> are destined for the host running IPTABLES.  OUTPUT deals only with packets
> that originate from the host running IPTABLES regardless of where they are
> destined.  And FORWARD deals only with packets that arrive from and are
> destined off of the host running IPTABLES.  A packet starts in only one of
> these based solely on its origin/destination pairing and it does not cross
> over automatically into either of the others.  For example, if a forwarded
> packet is detected then the INPUT and OUTPUT chains are not used at all.
> I have seen chain misconfiguration where IPTABLES rules evidently assume that
> a packet is to pass from the INPUT chain or the OUTPUT chain to the FORWARD
> chain automatically. In some cases it seems that the rules writer has
> implicitly assumed that INPUT -> FORWARD -> OUTPUT is the default routing of
> all packet paths.  This is not the case and it does not happen unless the
> other chain is specifically called from within the originating chain.
> My practice is to place general rules that I wish to apply to all packets,
> regardless of source or destination, into a chain called GENERAL and simply
> call that chain as the last instruction in each of the default chains.
> Actually I put very little else in the default chains and route from the
> GENERAL chain to other chains dedicated to specific rule sets, like for port
> knocking (FWKNOP_ALLOW); or for assured access (ALWAYS_ALLOW); or for
> blacklists: ALWAYS_DENY and FAIL2BAN_DENY for example.
> --
> ***          E-Mail is NOT a SECURE channel          ***
> James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
> Harte & Lyne Limited          http://www.harte-lyne.ca
> 9 Brockley Drive              vox: +1 905 561 1241
> Hamilton, Ontario             fax: +1 905 561 0757
> Canada  L8E 3C3
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
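An added example, not code from the thread or from any of the posters, of the layout James describes above: each of INPUT, FORWARD and OUTPUT ends by calling GENERAL, and GENERAL dispatches to ALWAYS_DENY, FAIL2BAN_DENY, ALWAYS_ALLOW and FWKNOP_ALLOW. It is a POSIX shell script that prints the ruleset in iptables-restore format (so it runs without root or iptables installed) and includes a check that every built-in chain really does end with the GENERAL call. The chain policies, the conntrack rule and the 192.0.2.0/24 and 198.51.100.0/24 networks are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore ruleset laid
# out as described in the post.  GENERAL, ALWAYS_ALLOW, ALWAYS_DENY,
# FWKNOP_ALLOW and FAIL2BAN_DENY are the chain names from the post; the
# policies, the conntrack rule and the 192.0.2.0/24 and 198.51.100.0/24
# addresses are constructed placeholders.

gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GENERAL - [0:0]
:ALWAYS_ALLOW - [0:0]
:ALWAYS_DENY - [0:0]
:FWKNOP_ALLOW - [0:0]
:FAIL2BAN_DENY - [0:0]
# INPUT, FORWARD and OUTPUT each see a disjoint set of packets and none of
# them hands a packet on to another built-in chain, so each one must call
# GENERAL itself.  A forwarded packet never sees the call made from INPUT.
-A INPUT -j GENERAL
-A FORWARD -j GENERAL
-A OUTPUT -j GENERAL
# GENERAL: blacklists first, then the allow-lists, then shared policy.
# Every sub-chain ends in RETURN so that GENERAL keeps going when nothing
# in the sub-chain matched; RETURN from GENERAL falls back to the
# built-in chain's policy (DROP for INPUT and FORWARD here).
-A GENERAL -j ALWAYS_DENY
-A GENERAL -j FAIL2BAN_DENY
-A GENERAL -j ALWAYS_ALLOW
-A GENERAL -j FWKNOP_ALLOW
-A GENERAL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A GENERAL -j RETURN
-A ALWAYS_DENY -s 192.0.2.0/24 -j DROP
-A ALWAYS_DENY -j RETURN
-A FAIL2BAN_DENY -j RETURN
-A ALWAYS_ALLOW -s 198.51.100.0/24 -p tcp --dport 22 -j ACCEPT
-A ALWAYS_ALLOW -j RETURN
-A FWKNOP_ALLOW -j RETURN
COMMIT
EOF
}

# Check a ruleset (read from stdin) against the practice above: the last
# rule of each built-in chain must be the call to GENERAL, because no
# built-in chain passes its packets to another one.  Returns 1 and names
# the offending chains on stderr, otherwise returns 0.
check_general_called() {
    rules=$(cat)
    missing=""
    for chain in INPUT FORWARD OUTPUT; do
        last=$(printf '%s\n' "$rules" | grep "^-A $chain " | tail -n 1)
        case "$last" in
            *"-j GENERAL") ;;
            *) missing="$missing $chain" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "built-in chains whose last rule is not the GENERAL call:$missing" >&2
    return 1
}

# Usage: ./fw.sh > fw.rules && ./fw.sh --check < fw.rules
# then, as root: iptables-restore < fw.rules
case "${1:-}" in
    --check) check_general_called ;;
    *)       gen_ruleset ;;
esac
```

The generated file is loaded atomically with iptables-restore, which is also the easiest way to see James's point in practice: a rule placed only in INPUT is never consulted for traffic the kernel routes through the box, so the check refuses a ruleset in which FORWARD ends with anything other than the GENERAL call.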