> <trimmed>
> ...
> <trimmed>
> Here's what I don't understand: From what I read, terminating targets
> like ACCEPT and DROP stop consideration of any further rules in any
> tables and chains. It also seems like all the built-in chains have a
> policy of ACCEPT by default, and the policy target is effective if no
> rules match in the chain. I have seen no way to _remove_ a policy
> from a chain - only _change_ the policy target. This seems to lead to
> the (obviously false) conclusion that only one built-in chain will
> ever be considered - the first one. If a rule doesn't terminate, the
> policy will!

Up to the (false) conclusion, all your assumptions are true. I believe I see the source of your confusion, which was also mine when I started with iptables.

Each built-in chain is traversed at a different location (a.k.a. hook) in the packet path. See two graphic variations of this below. A terminating target means that the packet has completed traversing the current built-in chain, but might be further processed by other chains, by means of a different hook.

Specifically for the FILTER table, which is your main concern for a firewall, its hooks are located such that each packet goes through exactly one built-in chain of the table.

- http://jengelh.medozas.de/images/nf-packet-flow.png
- http://linux-ip.net/nf/nfk-traversal.png

HTH,
Gilad
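The traversal described in the reply, as an added model that is not code from the thread or from netfilter itself: the routing decision sends each packet to exactly one filter chain, a terminating target ends only that chain's traversal, and the policy applies only when nothing in that chain terminated. The host address, chain names and rules in `example_table()` are constructed for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # end traversal of the current built-in chain only
Packet = namedtuple("Packet", "src dst dport")

@dataclass
class Rule:
    target: str                  # terminating target, RETURN, or a user-defined chain name
    src: Optional[str] = None    # CIDR, like iptables -s
    dport: Optional[int] = None  # like --dport
    def matches(self, pkt) -> bool:
        return ((self.src is None or ip_address(pkt.src) in ip_network(self.src))
                and (self.dport is None or self.dport == pkt.dport))

class FilterTable:
    def __init__(self, local_addrs):
        self.local = {ip_address(a) for a in local_addrs}
        self.policy = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}
        self.chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
    def hook_for(self, pkt) -> str:
        # The routing decision selects exactly one filter hook for each packet.
        if ip_address(pkt.src) in self.local:
            return "OUTPUT"
        return "INPUT" if ip_address(pkt.dst) in self.local else "FORWARD"
    def walk(self, chain, pkt) -> Optional[str]:
        for rule in (r for r in self.chains[chain] if r.matches(pkt)):
            if rule.target in TERMINATING:
                return rule.target
            if rule.target == "RETURN":
                return None                    # back to the caller, or to the policy if built-in
            sub = self.walk(rule.target, pkt)  # jump into a user-defined chain
            if sub is not None:
                return sub
        return None
    def verdict(self, pkt):
        chain = self.hook_for(pkt)
        # The policy applies only when no rule in this single chain terminated.
        return chain, self.walk(chain, pkt) or self.policy[chain]

def example_table() -> FilterTable:
    # Constructed ruleset for host 192.0.2.10: default-deny inbound and forwarded, allow outbound.
    t = FilterTable(["192.0.2.10"])
    t.policy.update(INPUT="DROP", FORWARD="DROP")
    t.chains["mgmt"] = [Rule("ACCEPT", src="10.0.0.0/8", dport=22), Rule("RETURN")]
    t.chains["INPUT"] = [Rule("mgmt", dport=22), Rule("ACCEPT", dport=443)]
    return t
```

With this table a locally generated packet still gets OUTPUT's ACCEPT policy even though INPUT's policy is DROP, which is the point of the reply: the DROP terminated one chain, not the packet path as a whole.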