On Mon, June 16, 2014 23:34, Chuck Campbell wrote:
> I appreciate you restating this. I'll try to go make sense of iptables, given
> the insight,
>

Keep in mind that there are three default chains, INPUT, OUTPUT and FORWARD, that are used to initiate the packet path through IPTABLES and that they are mutually exclusive. INPUT deals ONLY with packets that arrive from off of AND are destined for the host running IPTABLES. OUTPUT deals only with packets that originate from the host running IPTABLES, regardless of where they are destined. And FORWARD deals only with packets that arrive from and are destined off of the host running IPTABLES.

A packet starts in only one of these, based solely on its origin/destination pairing, and it does not cross over automatically into either of the others. For example, if a forwarded packet is detected then the INPUT and OUTPUT chains are not used at all.

I have seen chain misconfiguration where IPTABLES rules evidently assume that a packet is to pass from the INPUT chain or the OUTPUT chain to the FORWARD chain automatically. In some cases it seems that the rules writer has implicitly assumed that INPUT -> FORWARD -> OUTPUT is the default routing of all packet paths. This is not the case, and it does not happen unless the other chain is specifically called from within the originating chain.

My practice is to place general rules that I wish to apply to all packets, regardless of source or destination, into a chain called GENERAL and simply call that chain as the last instruction in each of the default chains. Actually I put very little else in the default chains and route from the GENERAL chain to other chains dedicated to specific rule sets, like for port knocking (FWKNOP_ALLOW); or for assured access (ALWAYS_ALLOW); or for blacklists: ALWAYS_DENY and FAIL2BAN_DENY, for example.

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
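The chain layout described in the post above (built-in chains that only jump to GENERAL, which dispatches to FWKNOP_ALLOW, ALWAYS_ALLOW, ALWAYS_DENY and FAIL2BAN_DENY), rendered as iptables-restore input. This is an added example, not the poster's own rules; the dispatch order, the chain policies, the conntrack housekeeping rules and the two sample entries are assumptions.

```shell
#!/bin/sh
# Renders the chain layout from the post as iptables-restore input: each
# built-in chain ends with a jump to GENERAL, and GENERAL dispatches to the
# purpose-specific chains. Dispatch order, policies and the sample entries
# are assumptions (not the author's rules). Pipe the output into iptables-restore.
set -u

BUILTIN="INPUT OUTPUT FORWARD"
# Chain names from the post; deny lists are consulted before allow lists (assumed).
DISPATCH="ALWAYS_DENY FAIL2BAN_DENY ALWAYS_ALLOW FWKNOP_ALLOW"

render_rules() {
    echo "*filter"
    # Policies are assumptions: host-originated traffic is allowed, the rest dropped.
    for c in $BUILTIN; do
        case $c in OUTPUT) pol=ACCEPT ;; *) pol=DROP ;; esac
        echo ":$c $pol [0:0]"
    done
    echo ":GENERAL - [0:0]"
    for c in $DISPATCH; do echo ":$c - [0:0]"; done

    # Every packet, whichever built-in chain it started in, is handed to GENERAL;
    # it is the only rule there, so no built-in chain relies on another one.
    for c in $BUILTIN; do echo "-A $c -j GENERAL"; done

    # GENERAL: housekeeping, then the dedicated chains; an unmatched packet
    # returns through GENERAL to its built-in chain and meets the policy.
    echo "-A GENERAL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A GENERAL -m conntrack --ctstate INVALID -j DROP"
    for c in $DISPATCH; do echo "-A GENERAL -j $c"; done

    # Constructed sample entries; real ones are managed by fail2ban / fwknopd.
    echo "-A ALWAYS_DENY -s 192.0.2.0/24 -j DROP"
    echo "-A ALWAYS_ALLOW -s 198.51.100.10/32 -p tcp --dport 22 -j ACCEPT"
    echo "COMMIT"
}

# Check for the misconfiguration the post describes: every built-in chain's
# last rule must be the jump to GENERAL, so nothing assumes cross-chain flow.
check_layout() {
    render_rules | awk -v chains="$BUILTIN" '
        BEGIN { n = split(chains, c, " ") }
        /^-A / { last[$2] = $0 }
        END { for (i = 1; i <= n; i++) if (last[c[i]] !~ /-j GENERAL$/) exit 1 }'
}
```

Running `check_layout` against a dumped ruleset (replace `render_rules` with `iptables-save`) flags any built-in chain whose final rule is not the jump to GENERAL.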