LinuxQuestions.org
Old 02-26-2006, 01:27 AM   #1
gauge73
Member
 
Registered: Jan 2003
Location: Dallas, TX
Distribution: Fedora Core 4
Posts: 420

Rep: Reputation: 30
Easy iptables question (I promise)


I have been editing my iptables script today to add a third interface for a DMZ. After fidgeting with it for a while, I think I've learned something, and I want to be sure that it's accurate.

Previously, I was under the impression that a packet being received on interface A and destined for some other host on the network connected to interface B (i.o.w., the packet is routed through the firewall) would go through the chains in the following order:

1) INPUT
2) FORWARD
3) OUTPUT

Now I believe that I was wrong. I'm noticing that the rules I place in the INPUT chain seem to have no effect on the packets routing through the firewall. Therefore, I am led to believe that traffic routed through the firewall does not go through the FORWARD chain in addition to the INPUT chain; it goes through the FORWARD chain instead of the INPUT chain. Therefore, such a packet would go through the following order of chains:

1) FORWARD
2) OUTPUT

I did not realize this when setting up my initial firewall script because I didn't really do any filtering in the INPUT chain to speak of. I think that if I'm right about this, however, my INPUT chain is going to need some alteration.

Can you guys please confirm or deny whether or not this "discovery" is accurate? Thanks in advance for any assistance!
 
Old 02-26-2006, 06:32 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
They don't go through the OUTPUT chain either...

INPUT: packets which hit the box and are destined for the box traverse this chain...

OUTPUT: packets which are generated by the box traverse this chain...

FORWARD: packets which hit the box and are destined for another box traverse this chain...

Last edited by win32sux; 02-26-2006 at 06:35 AM.
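As an added illustration of the chain split described in the reply above (this is not code from the thread or its posters), here is a dry-run skeleton for the three-interface WAN/LAN/DMZ setup the original poster is building. Interface names, subnets and ports are assumptions; by default it only prints the iptables commands, and setting IPT=iptables (as root) would apply them.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names, subnets and ports are assumed.
# Default is a dry run that prints each command; run with IPT=iptables as root to apply.
IPT="${IPT:-echo iptables}"
WAN=eth0; LAN=eth1; DMZ=eth2
LAN_NET=192.168.1.0/24; DMZ_NET=192.168.2.0/24

# Packets addressed to the firewall itself: only INPUT is consulted.
input_rules() {
  $IPT -P INPUT DROP
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT   # admin SSH from LAN only
}

# Packets routed through the firewall: only FORWARD is consulted.
# Nothing placed in INPUT or OUTPUT affects these packets.
forward_rules() {
  $IPT -P FORWARD DROP
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT                      # LAN -> Internet
  $IPT -A FORWARD -i "$LAN" -o "$DMZ" -s "$LAN_NET" -d "$DMZ_NET" -j ACCEPT        # LAN -> DMZ
  $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_NET" -p tcp --dport 80 -j ACCEPT    # Internet -> DMZ web
  # No DMZ -> LAN rule on purpose: a compromised DMZ host falls to the DROP policy.
}

# Packets the firewall itself generates: only OUTPUT is consulted.
output_rules() {
  $IPT -P OUTPUT ACCEPT
}

# Which chain a packet traverses, per the reply above:
# $1 = "local" if the destination is the firewall, $2 = "local" if the source is the firewall.
chain_for() {
  if [ "$1" = local ]; then echo INPUT
  elif [ "$2" = local ]; then echo OUTPUT
  else echo FORWARD
  fi
}

input_rules; forward_rules; output_rules
```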
 
Old 02-26-2006, 02:04 PM   #3
gauge73
Member
 
Registered: Jan 2003
Location: Dallas, TX
Distribution: Fedora Core 4
Posts: 420

Original Poster
Rep: Reputation: 30
Thanks! Apparently, I need to be changing quite a few things in my firewall script.

I didn't really put any restrictions in the INPUT or OUTPUT chains originally, and now that I'm fooling with them (as I'm a bit more security-oriented these days), I'm finding out that my original understanding of iptables is somewhat flawed.

Anyway, thanks again for the reply!
 