A chain in iptables

iptables

Iptables is used to set up, maintain, and inspect the tables of IPv4
packet filter rules in the Linux kernel. Several different tables may
be defined. Each table contains a number of built-in chains and may
also contain user-defined chains.

Each chain is a list of rules which can match a set of packets. Each
rule specifies what to do with a packet that matches. This is called a
`target', which may be a jump to a user-defined chain in the same
table.

How shall I understand the concept of a chain?

Is a chain a fixed list of rules?

How shall I define/specify and use a chain? For example,

-A, --append chain rule-specification
Append one or more rules to the end of the selected chain. When the
source and/or destination names resolve to more than one address, a
rule will be added for each possible address combination.

In the following command is INPUT the name of a chain? Is it a name that I can give arbitrarily? Does this chain have exactly two rules? Thanks.

iptables -A INPUT -p tcp -s localhost --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j DROP

Best Answer

Iptables chains are just lists of rules, processed in order. They can be one of the fixed built-in ones (INPUT, OUTPUT, FORWARD in the default filter table, some others in e.g. the nat table), or user-defined ones, which can then be called from others.

As the -A (append), -I (insert) and -D (delete) commands imply, the rules in the chains are freely editable, they're not fixed.

In the following command is INPUT the name of a chain?

Yes.

Is it a name that I can give arbitrarily?

That one isn't, it's the built-in chain that contains rules for packets entering the system (destined for processes running on the host). The other two in the default filter table are OUTPUT (packets coming from the system, obviously), and FORWARD (routed packets).

The man page iptables(8) has the descriptions of the tables and their built-in chains (under TABLES).

Of course you could place any rules for input packets in an arbitrary user-defined chain, then you'd just need to add a rule to INPUT referring to that chain. (e.g. iptables -A INPUT -j mychain would jump to mychain and process any rules there.)

Does this chain have exactly two rules?

We don't know that. Those two commands append two rules to the chain. But there might be others that were already there before those commands were run.

If you had iptables -F INPUT as the first command before those two, then the result would be that only those two rules remained.

See also: How iptables tables and chains are traversed which contain links to all you never needed to know about this, e.g. https://stuffphilwrites.com/2014/09/iptables-processing-flowchart/. (You may want to ignore the raw and mangle tables to start with, they're that often needed.)

Related Solutions

Why are packages being rejected even through there’s a rule that accepts them all before hand

The ACCEPT target is a terminating target that allows packet to get through NetFilter. The REJECT is a terminating targetd that effectively disallows packet to get through and causes the ICMP response to be sent to the packet originator. The third rule in your sample most likely looks like this if you list the tables with 'iptables -v -L' command:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  639  304K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            
  101  7798 ACCEPT     all  --  lo     any     anywhere             anywhere

In the column in there is an interface the rule is matching on. For the third rule it is the lo interface, so this rule allows any traffic on loopback interface and this is correct, as otherwise you will not be able to access any local to the host services over TCP or UDP at localhost address.

Implicit Inverses for iptables NAT Rules

Does iptables implicitly and automatically add the reverse/inverse rules for every NAT rule that is added explicitly?

Not exactly

Your first two quotes are correct, the third is confused ramblings of someone who doesn't understand how the system works.

iptables nat (unlike iptables filtering) works on connections. The first packet of the connection passes through the nat tables and is translated according to it. Later packets belonging to the same connection do not pass through the nat tables they are simply translated accoridng to the rules established when the first packet was translated.

The iptables man page https://linux.die.net/man/8/iptables documents that the nat table is consulted for "the first packet of a connection" and the man page section for the DNAT and SNAT target say "(and all future packets in this connection will also be mangled)".

Unfortunately I haven't seen any official documentation which goes into more depth than that. My go-to reference for iptables is the frozentux iptables tutorial but I don't think it's official.

Best Answer

Related Solutions

Why are packages being rejected even through there’s a rule that accepts them all before hand

Implicit Inverses for iptables NAT Rules

Related Question