iptables – Default Action at the End of User-Defined Chain

firewalliptablesnetworking

I'm reading iptables' man page at https://linux.die.net/man/8/iptables, and I've got a question regarding the use of user-defined chains:

In the Targets section, it says

If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

And underneath in the Options section, it also says

Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.

So my question is, what happens when a packet goes into a user-defined chain, and reaches the end without matching any of the rules? In other words, what is the default action of a user-defined chain?

The reason I'm asking is I'm wondering if it's necessary to add a catch-all rule to the end of every user-defined chain. Something like

iptables -A MY-CHAIN -j RETURN

Or is this the default behavior? Or something else?

Best Answer

If none of the rules in a user-defined chain match, the default behavior is effectively RETURN: processing will continue at the next rule in the parent chain.

When a packet matches a rule whose target is a user-defined chain, the packet begins traversing the rules in that user-defined chain. If that chain doesn't decide the fate of the packet, then once traversal on that chain has finished, traversal resumes on the next rule in the current chain.

(from the Linux 2.4 Packet Filtering HOWTO)

Related Solutions

Why can’t I use the REJECT policy on the iptables OUTPUT chain

REJECT is a target extension, while a chain policy must be a target. The man page says that (although it's not really clear), but some of what it says is flat wrong.

The policy can only be ACCEPT or DROP on built-in chains. If you want the effect of rejecting all the packets that don't match the previous rules, just make sure the last rule matches everything and adds a rule with a REJECT target extension. In other words, after adding all relevant rules, do iptables -t filter -A OUTPUT -j REJECT.

See the "what are the possible chain policies" thread on the netfilter list for more details.

Why are packages being rejected even through there’s a rule that accepts them all before hand

The ACCEPT target is a terminating target that allows packet to get through NetFilter. The REJECT is a terminating targetd that effectively disallows packet to get through and causes the ICMP response to be sent to the packet originator. The third rule in your sample most likely looks like this if you list the tables with 'iptables -v -L' command:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  639  304K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            
  101  7798 ACCEPT     all  --  lo     any     anywhere             anywhere

In the column in there is an interface the rule is matching on. For the third rule it is the lo interface, so this rule allows any traffic on loopback interface and this is correct, as otherwise you will not be able to access any local to the host services over TCP or UDP at localhost address.

Best Answer

Related Solutions

Why can’t I use the REJECT policy on the iptables OUTPUT chain

Why are packages being rejected even through there’s a rule that accepts them all before hand

Related Question