> Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
>
> Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a `target', which may be a jump to a user-defined chain in the same table.

How shall I understand the concept of a chain?

Is a chain a fixed list of rules?

How shall I define/specify and use a chain? For example,

> -A, --append chain rule-specification
>
> Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.

In the following commands, is `INPUT` the name of a chain? Is it a name that I can give arbitrarily? Does this chain have exactly two rules? Thanks.

```
iptables -A INPUT -p tcp -s localhost --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j DROP
```
Best Answer
Iptables chains are just lists of rules, processed in order. They can be one of the fixed built-in ones (`INPUT`, `OUTPUT`, `FORWARD` in the default `filter` table, some others in e.g. the `nat` table), or user-defined ones, which can then be called from others.

> Is a chain a fixed list of rules?

As the `-A` (append), `-I` (insert) and `-D` (delete) commands imply, the rules in the chains are freely editable, they're not fixed.

> is INPUT the name of a chain?

Yes.

> Is it a name that I can give arbitrarily?

That one isn't, it's the built-in chain that contains rules for packets entering the system (destined for processes running on the host). The other two in the default `filter` table are `OUTPUT` (packets coming from the system, obviously), and `FORWARD` (routed packets). The man page `iptables(8)` has the descriptions of the tables and their built-in chains (under TABLES).

Of course you could place any rules for input packets in an arbitrary user-defined chain, then you'd just need to add a rule to `INPUT` referring to that chain. (e.g. `iptables -A INPUT -j mychain` would jump to `mychain` and process any rules there.)

> Does this chain have exactly two rules?

We don't know that. Those two commands append two rules to the chain. But there might be others that were already there before those commands were run. If you had `iptables -F INPUT` as the first command before those two, then the result would be that only those two rules remained.

See also: How iptables tables and chains are traversed, which contains links to all you never needed to know about this, e.g. https://stuffphilwrites.com/2014/09/iptables-processing-flowchart/. (You may want to ignore the `raw` and `mangle` tables to start with, they're that often needed.)