* Q: iptables terminating targets
From: Indiana Epilepsy and Child Neurology @ 2009-01-05 16:24 UTC
To: netfilter
Background: My home network had a Windows 2000 machine connected to a
cable modem, sharing the internet connection with the other computers
at home. That computer died and I decided to replace it with a Debian
box I had. I did some searching on firewalling and nat and tried to
follow some of the iptables examples I found. When that didn't work I
decided I needed a better understanding of iptables, and started
studying the man page and various explanations I found on the web.
Here's what I don't understand: From what I read, terminating targets
like ACCEPT and DROP stop consideration of any further rules in any
tables and chains. It also seems like all the built-in chains have a
policy of ACCEPT by default, and the policy target is effective if no
rules match in the chain. I have seen no way to _remove_ a policy
from a chain - only _change_ the policy target. This seems to lead to
the (obviously false) conclusion that only one built-in chain will
ever be considered - the first one. If a rule doesn't terminate, the
policy will!
Does an ACCEPT or DROP target as a _policy_ behave in a
non-terminating way where in a rule they are terminating? Or maybe,
"terminating" only means no more rules in the current built-in chain
get considered, rather than no more rules in _any_ chain? Something
else?
IMHO it would be a good idea for the man page to clarify this. I'm
stuck.
* Re: Q: iptables terminating targets
From: Marek Kierdelewicz @ 2009-01-05 16:31 UTC
To: BrainChild; +Cc: netfilter
>Does an ACCEPT or DROP target as a _policy_ behave in a
>non-terminating way where in a rule they are terminating? Or maybe,
>"terminating" only means no more rules in the current built-in chain
>get considered, rather than no more rules in _any_ chain?
The DROP target means the packet is dropped and no other chains are
traversed. ACCEPT means that no more rules in the current built-in chain
get considered, but traversal of the next built-in chain occurs.
regards,
Marek Kierdelewicz
* RE: iptables terminating targets
From: Gilad Benjamini @ 2009-01-05 20:22 UTC
To: BrainChild, netfilter
> <trimmed>
> ...
> <trimmed>
> Here's what I don't understand: From what I read, terminating targets
> like ACCEPT and DROP stop consideration of any further rules in any
> tables and chains. It also seems like all the built-in chains have a
> policy of ACCEPT by default, and the policy target is effective if no
> rules match in the chain. I have seen no way to _remove_ a policy
> from a chain - only _change_ the policy target. This seems to lead to
> the (obviously false) conclusion that only one built-in chain will
> ever be considered - the first one. If a rule doesn't terminate, the
> policy will!
Up to the (false) conclusion, all your assumptions are true. I believe I see
the source of your confusion, which was also mine when I started with
iptables.
Each built-in chain is traversed at a different location (a.k.a. hook) in
the packet path. See two graphic variations of this below.
A terminating target means that the packet has completed traversing the
current built-in chain, but might be further processed by other chains, by
means of a different hook.
Specifically for the FILTER table, which is your main concern for a
firewall, its hooks are located such that each packet goes through exactly
one built-in chain of the table.
- http://jengelh.medozas.de/images/nf-packet-flow.png
- http://linux-ip.net/nf/nfk-traversal.png
HTH,
Gilad
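The two answers above can be checked against a concrete rule set. What follows is an added example written for this page, not code from the thread or from the netfilter project: a minimal rule set for the kind of Debian gateway the original poster describes. The interface names (eth0 on the cable modem, eth1 on the LAN), the LAN subnet 192.168.1.0/24 and the internal host 192.168.1.10 are made-up values for illustration. The comments mark where a terminating target ends one built-in chain while the same packet goes on to a chain at a later hook: DNAT terminates nat PREROUTING, yet the rewritten packet still has to pass filter FORWARD, and the DROP policy there is what terminates it if no rule matches.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal Debian NAT gateway rule
# set that shows the traversal semantics described above.  Everything
# below is an assumption for illustration: WAN interface eth0, LAN
# interface eth1, LAN subnet 192.168.1.0/24 and an internal host
# 192.168.1.10 reachable by SSH through a port forward.
# RUN=echo turns the script into a dry run that prints the commands.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SSH_HOST="${SSH_HOST:-192.168.1.10}"
RUN="${RUN:-}"

apply_rules() {
    $RUN sysctl -w net.ipv4.ip_forward=1

    # Start clean, then set the filter policies.  A policy is the
    # terminating target used when no rule in that chain matched; like
    # ACCEPT in a rule it ends *this* chain only.  Traffic that falls off
    # the end of nat PREROUTING (policy ACCEPT) is still seen by filter
    # INPUT or FORWARD, which sit at later hooks.
    $RUN iptables -F
    $RUN iptables -t nat -F
    $RUN iptables -X
    $RUN iptables -P INPUT DROP
    $RUN iptables -P FORWARD DROP
    $RUN iptables -P OUTPUT ACCEPT

    # Rules are tried in order; the first terminating match wins and the
    # rest of the chain is skipped, so the permissive conntrack rule goes
    # first and the narrow service rules after it.
    $RUN iptables -A INPUT -i lo -j ACCEPT
    $RUN iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    $RUN iptables -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # Forwarded packets never visit INPUT or OUTPUT; FORWARD is the one
    # filter chain they traverse.
    $RUN iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    $RUN iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT

    # MASQUERADE terminates nat POSTROUTING, a hook reached only after
    # filter FORWARD has already accepted the packet.
    $RUN iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # DNAT terminates nat PREROUTING, but the rewritten packet then hits
    # the routing decision and filter FORWARD at a different hook.  Without
    # the second rule the FORWARD policy (DROP) silently eats it.
    $RUN iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport 2222 \
        -j DNAT --to-destination "$SSH_HOST:22"
    $RUN iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$SSH_HOST" \
        --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# Print the command list without touching the kernel.
dry_run() {
    ( RUN=echo; apply_rules )
}

# Count the ACCEPT rules in filter FORWARD of the generated set; handy
# for checking that a port forward has its companion FORWARD rule.
count_forward_accepts() {
    dry_run | grep -c -- '-A FORWARD .*-j ACCEPT'
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     dry_run ;;
esac
```

Run it with no argument to print the commands, and as root with `apply` to install them. To watch the traversal for real, open a connection to port 2222 from the WAN side and compare `iptables -t nat -L PREROUTING -n -v` with `iptables -L FORWARD -n -v`: the DNAT counter increments for the first packet of the connection (the nat table is consulted only for new connections), and the FORWARD counters show whether the ACCEPT rule or the chain policy handled the rest. Comment out the second FORWARD rule and the DNAT counter still rises while the connection never completes, which is the behaviour the two replies describe.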
* RE: iptables terminating targets
From: Gilad Benjamini @ 2009-01-05 20:57 UTC
To: BrainChild, netfilter
>
> <snip>
>
> >Up to the (false) conclusion, all your assumptions are true. I believe
> >I see the source of your confusion, which was also mine when I started
> >with iptables.
> >Each built-in chain is traversed at a different location (a.k.a. hook)
> >in the packet path. See two graphic variations of this below.
> >A terminating target means that the packet has completed traversing
> >the current built-in chain, but might be further processed by other
> >chains, by means of a different hook.
> >Specifically for the FILTER table, which is your main concern for a
> >firewall, its hooks are located such that each packet goes through
> >exactly one built-in chain of the table.
> >
> >HTH,
> >Gilad
>
> This seems at odds with another answer I got to this question:
>
> "DROP target means packet is dropped and no other chains are
> traversed. ACCEPT means that no more rules in the current built-in
> chain get considered but traversal of next built-in chain occurs."
>
> This answer seems to say that there are 2 different behaviors for
> "terminating" targets - that one (DROP) behaves as I interpreted the
> documentation, while the other (ACCEPT) behaves as you describe above.
>
> I can't seem to reconcile these two answers.
> --
It's simple. The other guy phrased things better than me :-)