hello all,
spent some time now trying to figure out iptables
reading numerous posts & yet still I am not 100% clear. Below are my ideas & questions, if you could have a look through those.
Thanks!
iptables consists of 3 main chains
INPUT incoming packet
(source is the originators ip & destination is my nic's ip)
OUTPUT outgoing packet
(source is my nic's ip & destination some other host ip)
FORWARD routing
(source is my nic's ip & destination some other host ip)
(I don't want to think about/consider mangle, conntrack & others, let's make it simple)
rules are added to chains to accommodate the traffic
rules are in hierarchical order, so if I were to do
iptables -I INPUT -p tcp --source %ip where communication comes from% --destination %my nic's ip% --dport 1:64400 -j DROP
iptables -I INPUT -p tcp --source %ip where communication comes from% --destination %my nic's ip% --dport 80 -j ACCEPT
iptables -I OUTPUT -p tcp --source %my nic's ip% --destination %some host% --dport 1:64400 -j DROP
iptables -I OUTPUT -p tcp --source %my nic's ip% --destination %some host% --dport 80 -j ACCEPT
Now here, as the 1st step, I block all traffic on 1:64400, hence the incoming & outgoing packets for port 80 do not get anywhere; therefore I would need to do it in reverse: 1st a rule that accepts the packet & lets it go somewhere & then block all <---- is this correct?
Also, do I understand --source & --destination correctly in the INPUT/OUTPUT example (the --dport option in the case of INPUT implies that this is my local port that will be open & in the case of OUTPUT it means that this will be the port open on some other remote host)?
Now this is all fair & square when it comes to processes running on my own local box, hence the INPUT/OUTPUT chains are used; however, when, say, I run some program that has some other user trying to connect to my box, I would also need the FORWARD chain set up, so
iptables -I FORWARD -p tcp --source anyhost --destination %my nic's ip% --dport 80 -j ACCEPT
At this point comes the question: so the packet entered & successfully passed the FORWARD chain, cool, but where does it go after this? Is it going directly to the kernel or the program that needs this connection? Or is it going to the INPUT chain & then to the kernel to process?
Is it possible to do routing (without adding a NAT chain at all) for outgoing connections, so as to use FORWARD to send a packet received on 1 box to another box, or is the FORWARD chain only for directing traffic inside iptables itself?
Also, so as not to mess around with restricting ports, could I have used IPTABLES -p DENY INCOMING to set the policy to deny all until the condition of one of the filters was met?
Hope these are not too boring questions, any help would be appreciated.
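A small model of the chain walk the post asks about, added here as an example and not part of the original post or of iptables itself: it adds the post's two INPUT rules once with `-I` and once with `-A` and reports the verdict for port 80 and port 22. The addresses are constructed placeholders from the RFC 5737 test ranges.

```python
# Added example, not from the original post: a model of how an iptables
# filter chain is walked (first matching rule decides, else the policy).
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class Rule:
    target: str                              # -j ACCEPT / DROP
    proto: Optional[str] = None              # -p
    src: Optional[str] = None                # --source
    dst: Optional[str] = None                # --destination
    dport: Optional[Tuple[int, int]] = None  # --dport lo:hi

    def matches(self, pkt: dict) -> bool:
        # every given field must fit; unset fields match anything
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.src is None or pkt["src"] == self.src)
                and (self.dst is None or pkt["dst"] == self.dst)
                and (self.dport is None
                     or self.dport[0] <= pkt["dport"] <= self.dport[1]))

@dataclass
class Chain:
    policy: str = "ACCEPT"                   # iptables -P <chain> <policy>
    rules: list = field(default_factory=list)

    def insert(self, rule: Rule) -> None:    # -I <chain>: goes to the top
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:    # -A <chain>: goes to the bottom
        self.rules.append(rule)

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:              # walked top to bottom
            if rule.matches(pkt):
                return rule.target           # first match wins
        return self.policy                   # nothing matched: policy applies

def post_scenario(flag: str) -> dict:
    """Add the post's two INPUT rules with -I or -A and check ports 80 and 22.
    Addresses are constructed placeholders (RFC 5737 test ranges)."""
    me, peer = "192.0.2.10", "198.51.100.7"
    chain = Chain(policy="ACCEPT")
    add = chain.insert if flag == "-I" else chain.append
    add(Rule("DROP", "tcp", peer, me, (1, 64400)))   # first command in the post
    add(Rule("ACCEPT", "tcp", peer, me, (80, 80)))   # second command in the post
    base = {"proto": "tcp", "src": peer, "dst": me}
    return {p: chain.verdict({**base, "dport": p}) for p in (80, 22)}
```

With `-I` each new rule lands above the previous one, so the ACCEPT for port 80 ends up on top; with `-A` the broad DROP stays first and port 80 never gets through.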