+1

On Tue, Jun 17, 2014 at 9:41 AM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:

> On Mon, June 16, 2014 23:34, Chuck Campbell wrote:
> > I appreciate you restating this. I'll try to go make sense of iptables,
> > given the insight,
>
> Keep in mind that there are three default chains, INPUT, OUTPUT and FORWARD,
> that are used to initiate the packet path through IPTABLES and that they are
> mutually exclusive. INPUT deals ONLY with packets that arrive from off of AND
> are destined for the host running IPTABLES. OUTPUT deals only with packets
> that originate from the host running IPTABLES regardless of where they are
> destined. And FORWARD deals only with packets that arrive from and are
> destined off of the host running IPTABLES. A packet starts in only one of
> these based solely on its origin/destination pairing and it does not cross
> over automatically into either of the others. For example, if a forwarded
> packet is detected then the INPUT and OUTPUT chains are not used at all.
>
> I have seen chain misconfiguration where IPTABLES rules evidently assume that
> a packet is to pass from the INPUT chain or the OUTPUT chain to the FORWARD
> chain automatically. In some cases it seems that the rules writer has
> implicitly assumed that INPUT -> FORWARD -> OUTPUT is the default routing of
> all packet paths. This is not the case and it does not happen unless the
> other chain is specifically called from within the originating chain.
>
> My practice is to place general rules that I wish to apply to all packets,
> regardless of source or destination, into a chain called GENERAL and simply
> call that chain as the last instruction in each of the default chains.
> Actually I put very little else in the default chains and route from the
> GENERAL chain to other chains dedicated to specific rule sets, like for port
> knocking (FWKNOP_ALLOW); or for assured access (ALWAYS_ALLOW); or for
> blacklists: ALWAYS_DENY and FAIL2BAN_DENY for example.
>
> --
> *** E-Mail is NOT a SECURE channel ***
> James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
> Harte & Lyne Limited          http://www.harte-lyne.ca
> 9 Brockley Drive              vox: +1 905 561 1241
> Hamilton, Ontario             fax: +1 905 561 0757
> Canada  L8E 3C3
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
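As an added example (not from the thread, and not either poster's actual configuration), here is a minimal iptables-restore ruleset laid out the way the quoted message describes: the three built-in chains hold almost nothing, each of them jumps to a user-defined GENERAL chain as its last rule, and GENERAL fans out to dedicated chains. A small awk check then confirms the property the message says people get wrong, namely that INPUT, OUTPUT and FORWARD each call GENERAL themselves rather than relying on traffic flowing from one built-in chain into another. The chain names GENERAL, ALWAYS_ALLOW and ALWAYS_DENY come from the message; the default policies, the conntrack and LOG rules, and the 192.0.2.0/24 and 198.51.100.10 addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the thread's or the poster's configuration.
# gen_ruleset prints an iptables-restore file that follows the pattern in the
# quoted message: built-in chains do little except jump to GENERAL last;
# GENERAL fans out to dedicated chains. Addresses are RFC 5737 placeholders.

gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GENERAL - [0:0]
:ALWAYS_ALLOW - [0:0]
:ALWAYS_DENY - [0:0]
# The only per-chain rules: loopback is seen by INPUT/OUTPUT, never FORWARD.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Each built-in chain calls GENERAL explicitly. Nothing moves a packet from
# INPUT to FORWARD or OUTPUT on its own; a packet lives in exactly one of them.
-A INPUT -j GENERAL
-A FORWARD -j GENERAL
-A OUTPUT -j GENERAL
# GENERAL: blacklist first, then assured access, then stateful defaults.
# Anything that falls through returns to the calling chain and hits its policy.
-A GENERAL -j ALWAYS_DENY
-A GENERAL -j ALWAYS_ALLOW
-A GENERAL -m conntrack --ctstate INVALID -j DROP
-A GENERAL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A GENERAL -m limit --limit 5/min -j LOG --log-prefix "GENERAL fallthrough: "
# Dedicated chains (constructed placeholder addresses). Tool-managed chains
# such as the fwknop or fail2ban ones in the message would hang off GENERAL
# the same way, but are left to those tools to populate.
-A ALWAYS_DENY -s 192.0.2.0/24 -j DROP
-A ALWAYS_ALLOW -s 198.51.100.10/32 -j ACCEPT
COMMIT
EOF
}

# check_ruleset reads a ruleset (as a string) and verifies that the LAST rule
# appended to each built-in chain is the jump to GENERAL. Prints "ok" and
# returns 0, or names the first chain that lacks the jump and returns 1.
check_ruleset() {
    printf '%s\n' "$1" | awk '
        /^-A (INPUT|OUTPUT|FORWARD) / { last[$2] = $NF }
        END {
            split("INPUT OUTPUT FORWARD", want, " ")
            for (i = 1; i <= 3; i++)
                if (last[want[i]] != "GENERAL") {
                    print "missing GENERAL jump: " want[i]
                    exit 1
                }
            print "ok"
        }'
}

# Usage:
#   ruleset="$(gen_ruleset)"
#   check_ruleset "$ruleset" && printf '%s\n' "$ruleset" > /tmp/iptables.rules
#   iptables-restore < /tmp/iptables.rules
```

The check is deliberately narrow: it catches a ruleset that puts the GENERAL jump in INPUT only and expects forwarded or locally generated packets to reach it, which is the assumption the message warns against. It does not validate the rest of the file; run the output through iptables-restore on a test host before relying on it.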