254 Chapter 17. iptables

• FORWARD — Applies to network packets routed through the host.

The built-in chains for the nat table are as follows:

• PREROUTING — Alters network packets when they arrive.
• OUTPUT — Alters locally-generated network packets before they are sent out.
• POSTROUTING — Alters network packets before they are sent out.

The built-in chains for the mangle table are as follows:

• INPUT — Alters network packets targeted for the host.
• OUTPUT — Alters locally-generated network packets before they are sent out.
• FORWARD — Alters network packets routed through the host.
• PREROUTING — Alters incoming network packets before they are routed.
• POSTROUTING — Alters network packets before they are sent out.

Every network packet received by or sent out of a Linux system is subject to at least one table. However, a packet may be subjected to multiple rules within each table before emerging at the end of the chain. The structure and purpose of these rules may vary, but they usually seek to identify a packet coming from or going to a particular IP address or set of addresses when using a particular protocol and network service.

Regardless of their destination, when packets match a particular rule in one of the tables, a target or action is applied to them. If the rule specifies an ACCEPT target for a matching packet, the packet skips the rest of the rule checks and is allowed to continue to its destination. If a rule specifies a DROP target, that packet is refused access to the system and nothing is sent back to the host that sent the packet. If a rule specifies a QUEUE target, the packet is passed to user-space. If a rule specifies the optional REJECT target, the packet is dropped, but an error packet is sent to the packet's originator.

Every chain has a default policy to ACCEPT, DROP, REJECT, or QUEUE. If none of the rules in the chain apply to the packet, then the packet is dealt with in accordance with the default policy.

The iptables command configures these tables, as well as sets up new tables if necessary.

17.2. Differences between iptables and ipchains

At first glance, ipchains and iptables appear to be quite similar. Both methods of packet filtering use chains of rules operating within the Linux kernel to decide what to do with packets that match the specified rule or set of rules. However, iptables offers a more extensible way of filtering packets, giving the administrator a greater amount of control without building a great deal of complexity into the system.

Specifically, users comfortable with ipchains should be aware of the following significant differences between ipchains and iptables before attempting to use iptables:

• Under iptables, each filtered packet is processed using rules from only one chain rather than multiple chains. For instance, a FORWARD packet coming into a system using ipchains would have to go through the INPUT, FORWARD, and OUTPUT chains to move along to its destination. However, iptables only sends packets to the INPUT chain if they are destined for the local system and only sends them to the OUTPUT chain if the local system generated the packets. For this reason, it is important to place the rule designed to catch a particular packet within the chain that actually handles the packet.
• The DENY target has been changed to DROP. In ipchains, packets that matched a rule in a chain could be directed to the DENY target. This target must be changed to DROP under iptables.
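The following model, added here as an illustration and not code from the iptables project or this guide, shows both points above in one place: the filter table sends a packet through exactly one built-in chain (INPUT, OUTPUT or FORWARD, chosen by whether the packet is addressed to or generated by the host), the first matching rule in that chain decides the target, the chain's default policy applies otherwise, and REJECT differs from DROP only in notifying the sender. The host address, rules and sample packets are constructed values.

```python
# Model of iptables filter-table dispatch: one built-in chain per packet, first matching
# rule wins, else the chain's default policy. Added illustration, not iptables code.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

LOCAL_ADDRS = {"192.0.2.10"}   # addresses owned by this host (constructed sample value)
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    target: str                  # ACCEPT, DROP, REJECT or QUEUE
    proto: Optional[str] = None  # match criteria; None means "any"
    src: Optional[str] = None
    dport: Optional[int] = None
    def matches(self, pkt: Packet) -> bool:
        return all(want is None or want == have for want, have in
                   ((self.proto, pkt.proto), (self.src, pkt.src), (self.dport, pkt.dport)))

@dataclass(frozen=True)
class Chain:
    policy: str                  # default policy applied when no rule matches
    rules: Tuple[Rule, ...] = ()

def select_chain(pkt: Packet) -> str:
    # Unlike ipchains, a packet traverses only one filter chain: INPUT if addressed
    # to this host, OUTPUT if this host generated it, otherwise FORWARD.
    if pkt.dst in LOCAL_ADDRS:
        return "INPUT"
    return "OUTPUT" if pkt.src in LOCAL_ADDRS else "FORWARD"

def filter_packet(table: Dict[str, Chain], pkt: Packet) -> Tuple[str, str, bool]:
    # Returns (chain, verdict, error_sent); first match wins, else the chain policy
    # applies. Only REJECT notifies the sender; DROP discards silently.
    name = select_chain(pkt)
    verdict = next((r.target for r in table[name].rules if r.matches(pkt)),
                   table[name].policy)
    return name, verdict, verdict == "REJECT"

# Constructed filter table: default-deny inbound, allow SSH from one admin host,
# REJECT HTTP so the client gets an error, forward nothing, allow all outbound.
FILTER = {
    "INPUT": Chain("DROP", (Rule("ACCEPT", "tcp", "198.51.100.5", 22),
                            Rule("REJECT", "tcp", dport=80))),
    "FORWARD": Chain("DROP"),
    "OUTPUT": Chain("ACCEPT"),
}
```

A rule placed in INPUT never sees a routed packet: the third sample packet below is evaluated against FORWARD only, which is why the text stresses putting a rule in the chain that actually handles the packet.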