LinuxQuestions.org

iptables and chains (https://www.linuxquestions.org/questions/linux-networking-3/iptables-and-chains-4175470475/)

giobaxx 07-22-2013 05:12 AM

iptables and chains
 
Hi guys,
I'm trying to understand how iptables works. Now a friend made me a little "course", but in reality now I have even more doubts :o..
Given the scenario of a machine that acts as a firewall and gateway on a LAN: eth0 will be the netcard that goes to the internet and eth1 the netcard that is on the LAN (for now I give up on NAT).

First, is what I wrote below, related to the three chains, correct??

The FORWARD chain concerns packets traversing the firewall that are directed to other hosts (for example, from the Internet to the clients on the LAN and vice versa).
The INPUT chain concerns packets that are directed to the firewall and can come from both the LAN and the Internet.
The OUTPUT chain concerns the packets generated by the firewall that are sent out to the LAN or to the Internet ...

Among the commands that my friend wrote in the firewall there is the following:


iptables-A INPUT-i eth1-s 0/0-d 0/0 ACCEPT



Now, from what I had understood, the INPUT chain refers to packets going to the firewall, and if I understand how the rule is written, it says "let pass all incoming packets from the LAN with any source address (-s 0/0) and for any destination (-d 0/0)". But if the INPUT chain is related to packets with the firewall machine as destination, what sense does it make to put any destination in this rule?
I could understand this rule in the FORWARD chain ........ but in the INPUT..... : :o

other:
with this line

echo 1 > /proc/sys/net/ipv4/ip_forward

I enable forwarding between the two netcards; then does it make sense to add these two rules below?


iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

Evidently there is something obscured for me .... Can you help me to figure out where I'm wrong?

eSelix 07-22-2013 05:58 AM

Code:

iptables-A INPUT-i eth1-s 0/0-d 0/0 ACCEPT
It should be
Code:

iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
Anyway, if you want to match any address you don't need to specify it; just omit the -d or -s options.

Quote:

But if the INPUT chain is related to packets with the firewall machine as destination, what sense does it make to put any destination in this rule?
IP packets always carry a source IP and a destination IP, so you can match on these. In practice, in the INPUT chain you can match on 127.0.0.0/8 or 192.168.0.255 or 255.255.255.255; for example, you can disallow packets with a destination address from your local net (or allow only that, depending on the interface), or packets not matching your eth0 interface IPs or the broadcast IP, etc.

Quote:

I enable forwarding between the two netcards; then does it make sense to add these two rules?
Yes. You enabled forwarding, but for example the default FORWARD policy can be set to DROP packets, and then you can individually set FORWARD chain rules. You can have more than two interfaces and want only specified ones to forward packets between them. If you have an ACCEPT policy and no other rules in this chain, then these two rules are not needed.

giobaxx 07-22-2013 06:29 AM

OK,
related to the rule

Code:

iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT

I know a packet always has a source and a destination IP address; what I maybe assumed was that:

a packet from the LAN goes into the INPUT chain only if the destination address is the address of the eth1 netcard??? Is that wrong?

So, from what I thought, the packets with destination address 127.0.0.0/8 or 192.168.0.255 or 255.255.255.255 didn't belong to the INPUT chain.....

What are the packets that really can belong to the INPUT chain??

Does a packet, to get from the internet to the LAN, need to match one single rule.....or more?

eSelix 07-23-2013 05:06 PM

Quote:

a packet from the LAN goes into the INPUT chain only if the destination address is the address of the eth1 netcard??? Is that wrong?
Generally it is wrong. The interface has no meaning. Packets on "eth0" or "lo" can also go to the INPUT chain. The kernel decides where to put each packet, and global broadcast packets with IP 255.255.255.255, the net broadcast 192.168.0.255 (for example on net 192.168.0.0/24), the net address 192.168.0.0, and packets with a localhost destination like all of 127.0.0.0/8 are also directed to the INPUT chain. Also, if you interfere with routing (for example by DNAT), packets may go to the INPUT chain (depending on the new IP).

Quote:

Does a packet, to get from the internet to the LAN, need to match one single rule.....or more?
One ACCEPT rule in each table. Mainly the "filter" table is used for filtering, and the others have their default policy set to ACCEPT. In that case, after the first matching rule the final decision is taken: DROP or ACCEPT (if not passed to another chain for additional testing).
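To make the two answers above concrete, here is an added Python model (not code from the thread, and not iptables itself) of the routing decision eSelix describes: a packet whose destination is one of this host's addresses, a local net or broadcast address, 255.255.255.255 or 127/8 is delivered locally and traverses INPUT, anything else traverses FORWARD (or is discarded when ip_forward is 0), and within a chain the first matching rule decides, else the chain policy. The interface addresses, the DROP policies and the three rules from the thread are constructed assumptions.

```python
import ipaddress
# Constructed gateway from the thread: eth0 toward the internet, eth1 on the LAN (addresses assumed).
IFACES = {
    "eth0": ipaddress.ip_interface("203.0.113.10/24"),
    "eth1": ipaddress.ip_interface("192.168.0.1/24"),
    "lo": ipaddress.ip_interface("127.0.0.1/8"),
}
# Default policies of the filter table chains, for eSelix's "policy can be set to DROP" case.
POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}
# Rules as (chain, -i, -o, -s, -d, -j); None means the option was omitted, i.e. "any address/iface".
RULES = [
    ("INPUT", "eth1", None, "0.0.0.0/0", "0.0.0.0/0", "ACCEPT"),  # -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
    ("FORWARD", "eth1", "eth0", None, None, "ACCEPT"),  # -A FORWARD -i eth1 -o eth0 -j ACCEPT
    ("FORWARD", "eth0", "eth1", None, None, "ACCEPT"),  # -A FORWARD -i eth0 -o eth1 -j ACCEPT
]

def is_local_delivery(dst):
    """Local delivery (INPUT, not FORWARD): an iface address, a local net/broadcast address, 255.255.255.255, or 127/8."""
    if dst == ipaddress.ip_address("255.255.255.255") or dst in ipaddress.ip_network("127.0.0.0/8"):
        return True
    return any(dst in (i.ip, i.network.network_address, i.network.broadcast_address)
               for i in IFACES.values())

def route_out(dst):
    """Output interface chosen by routing: a directly connected net, else the default route via eth0."""
    for name, iface in IFACES.items():
        if name != "lo" and dst in iface.network:
            return name
    return "eth0"

def matches(rule, chain, in_if, out_if, src, dst):
    r_chain, r_in, r_out, r_src, r_dst, _target = rule
    return (r_chain == chain and r_in in (None, in_if) and r_out in (None, out_if)
            and (r_src is None or src in ipaddress.ip_network(r_src))
            and (r_dst is None or dst in ipaddress.ip_network(r_dst)))

def first_match(chain, in_if, out_if, src, dst):
    """Walk one chain top to bottom: the first matching rule's target decides, else the chain policy."""
    for rule in RULES:
        if matches(rule, chain, in_if, out_if, src, dst):
            return rule[-1]
    return POLICY[chain]

def verdict(in_if, src, dst, ip_forward=True):
    """(chain, target) for a packet entering on in_if; chain is None when ip_forward=0 discards it before any chain."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if is_local_delivery(dst):
        return "INPUT", first_match("INPUT", in_if, None, src, dst)
    if not ip_forward:
        return None, "DROP"
    return "FORWARD", first_match("FORWARD", in_if, route_out(dst), src, dst)
```

Note that a LAN packet to the gateway's own address and one to the LAN broadcast both land in INPUT and are accepted by the -d 0/0 rule, while the same internet-to-LAN packet is accepted in FORWARD only because the eth0-to-eth1 rule overrides the DROP policy.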
