OUTPUT is for packets that are emitted by the host. Their destination is usually another host, but can be the same host via the loopback interface, so not all packets that go through OUTPUT are in fact outgoing.
FORWARD is for packets that are neither emitted by the host nor directed to the host. They are the packets that the host is merely routing.
When you start digging into packet mangling and NAT, the full story is rather more complex.
Iptables chains are just lists of rules, processed in order. They can be one of the fixed built-in ones (`INPUT`, `OUTPUT`, `FORWARD` in the default `filter` table, some others in e.g. the `nat` table), or user-defined ones, which can then be called from others.
As the `-A` (append), `-I` (insert) and `-D` (delete) commands imply, the rules in the chains are freely editable, they're not fixed.
> In the following command is `INPUT` the name of a chain?
Yes.
> Is it a name that I can give arbitrarily?
That one isn't, it's the built-in chain that contains rules for packets entering the system (destined for processes running on the host). The other two in the default `filter` table are `OUTPUT` (packets coming from the system, obviously), and `FORWARD` (routed packets).
The man page `iptables(8)` has the descriptions of the tables and their built-in chains (under `TABLES`).
Of course you could place any rules for input packets in an arbitrary user-defined chain, then you'd just need to add a rule to `INPUT` referring to that chain. (e.g. `iptables -A INPUT -j mychain` would jump to `mychain` and process any rules there.)
> Does this chain have exactly two rules?
We don't know that. Those two commands append two rules to the chain. But there might be others that were already there before those commands were run.
If you had `iptables -F INPUT` as the first command before those two, then the result would be that only those two rules remained.
See also: How iptables tables and chains are traversed, which contains links to all you never needed to know about this, e.g. https://stuffphilwrites.com/2014/09/iptables-processing-flowchart/. (You may want to ignore the `raw` and `mangle` tables to start with, they're not that often needed.)
Best Answer
Packets traverse a chain until they hit `ACCEPT`, `DROP`, `REJECT`, or `RETURN`. They do not stop on a match unless that match contains a terminating action. In your example, a packet matching the first rule will be marked, but will then be examined (and possibly processed) by the second rule.

Purely for reference, here are the relevant sections from the man page:
> A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values `ACCEPT`, `DROP` [, `REJECT`], `QUEUE` or `RETURN`.
>
> `ACCEPT` means to let the packet through. `DROP` means to drop the packet on the floor, i.e. to discard it and not send any response. [`REJECT` is used to send back an error packet in response to the matched packet: otherwise it is equivalent to `DROP` so it is a terminating TARGET, ending rule traversal.] `QUEUE` means to pass the packet to userspace. `RETURN` means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target `RETURN` is matched, the target specified by the chain policy determines the fate of the packet.

In response to your specific concern, I would say that your guide is misleading. Unless "associated action" is one of the five terminal actions, packets will continue to flow through the chain until they reach an implicit `RETURN` at the end.
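To make the traversal rules from the two answers above concrete, here is an added example (not from the thread or from iptables itself): a small Python simulation of chain traversal in which only `ACCEPT`/`DROP`/`REJECT`/`QUEUE` terminate, `RETURN` resumes in the calling chain, `MARK`/`LOG` fall through, and falling off the end of a built-in chain applies its policy. The ruleset, the `mychain` user chain and the packets are constructed for illustration.

```python
# Toy model of iptables chain traversal (simulation, not iptables). A rule is
# (match criteria, target, parameter). Only ACCEPT/DROP/REJECT/QUEUE end traversal;
# RETURN hands back to the calling chain; MARK, LOG and jumps let it continue.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "QUEUE"}


def matches(criteria, pkt):
    # criteria like {"proto": "tcp", "dport": 22}; an empty dict matches every packet
    return all(pkt.get(k) == v for k, v in criteria.items())


def walk(chains, chain, pkt, trace):
    """Walk one chain; return a terminating verdict, 'RETURN', or None if we fall off the end."""
    for criteria, target, param in chains.get(chain, []):
        if not matches(criteria, pkt):
            continue
        trace.append(f"{chain}:{target}")
        if target in TERMINATING or target == "RETURN":
            return target
        if target in chains:                 # -j userchain: jump, resume here unless terminated
            sub = walk(chains, target, pkt, trace)
            if sub in TERMINATING:
                return sub
        elif target == "MARK":               # non-terminating: set the mark and keep going
            pkt["mark"] = param
        # LOG and other non-terminating targets simply fall through to the next rule
    return None


def verdict(chains, policies, chain, pkt):
    """Fate of pkt entering a built-in chain; end of chain or RETURN there means the policy."""
    trace = []
    result = walk(chains, chain, pkt, trace)
    if result not in TERMINATING:
        result = policies[chain]
        trace.append(f"{chain}:policy {result}")
    return result, trace


# Constructed ruleset mirroring the thread: mark ssh, accept it, send the rest through mychain.
CHAINS = {
    "INPUT": [
        ({"proto": "tcp", "dport": 22}, "MARK", "1"),
        ({"proto": "tcp", "dport": 22}, "ACCEPT", ""),
        ({}, "mychain", ""),
    ],
    "mychain": [
        ({"proto": "udp"}, "LOG", ""),
        ({"proto": "udp", "dport": 53}, "ACCEPT", ""),
        ({"proto": "udp"}, "RETURN", ""),
    ],
}
POLICIES = {"INPUT": "DROP"}
```

Calling `verdict(CHAINS, POLICIES, "INPUT", pkt)` returns the final target plus a trace of every rule the packet touched, so you can see a marked ssh packet still reach the second rule, and a non-matching packet come back from `mychain` and hit the `DROP` policy.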