I have been editing my iptables script today to add a third interface for a DMZ. After fidgeting with it for a while, I think I've learned something, and I want to be sure that it's accurate.
Previously, I was under the impression that a packet being received on interface A and destined for some other host on the network connected to interface B (i.o.w., the packet is routed through the firewall) would go through the chains in the following order:
1) INPUT
2) FORWARD
3) OUTPUT
Now I believe that I was wrong. I'm noticing that the rules I place in the INPUT chain seem to have no effect on the packets routing through the firewall. Therefore, I am led to believe that traffic routed through the firewall does not go through the FORWARD chain in addition to the INPUT chain; it goes through the FORWARD chain instead of the INPUT chain. Therefore, such a packet would go through the following order of chains:
1) FORWARD
2) OUTPUT
I did not realize this when setting up my initial firewall script because I didn't really do any filtering in the INPUT chain to speak of. I think that if I'm right about this, however, my INPUT chain is going to need some alteration.
Can you guys please confirm or deny whether or not this "discovery" is accurate? Thanks in advance for any assistance!
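As an added illustration (not part of the original post): a small Python model of the routing decision that selects a filter-table chain, showing why an INPUT rule never touches a packet that is only forwarded between interfaces, and that such a packet does not traverse OUTPUT either. The topology, addresses and interface names are constructed; the nat/mangle tables and the PREROUTING/POSTROUTING chains are left out of the model.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample topology (not from the original post): three interfaces,
# one /24 behind each, and the firewall's own address on each segment.
LOCAL_ADDRS = {"192.0.2.1", "198.51.100.1", "203.0.113.1"}
ROUTES = {"192.0.2.": "eth0", "198.51.100.": "eth1", "203.0.113.": "eth2"}

@dataclass
class Packet:
    dst: str
    in_iface: Optional[str]      # None for packets the firewall itself generates

@dataclass
class Rule:
    chain: str                   # INPUT, FORWARD or OUTPUT
    target: str                  # "ACCEPT" or "DROP"
    in_iface: Optional[str] = None   # -i
    out_iface: Optional[str] = None  # -o
    dst: Optional[str] = None        # -d (exact host match in this model)

def out_iface_for(dst):
    """Routing decision: the interface the packet would leave through."""
    return next((i for p, i in ROUTES.items() if dst.startswith(p)), None)

def chains_for(pkt):
    """The single filter-table chain a packet visits, chosen by the routing
    decision: forwarded traffic sees FORWARD alone, never INPUT or OUTPUT."""
    if pkt.in_iface is None:
        return ["OUTPUT"]
    return ["INPUT"] if pkt.dst in LOCAL_ADDRS else ["FORWARD"]

def verdict(pkt, rules, policy):
    """First-match evaluation over the chains the packet actually traverses."""
    out_if = None if pkt.dst in LOCAL_ADDRS else out_iface_for(pkt.dst)
    for chain in chains_for(pkt):
        for r in (r for r in rules if r.chain == chain):
            if r.in_iface and r.in_iface != pkt.in_iface:
                continue
            if r.out_iface and r.out_iface != out_if:
                continue
            if r.dst and r.dst != pkt.dst:
                continue
            if r.target == "DROP":
                return "DROP"
            break  # ACCEPT terminates this chain; continue with the next one
        else:  # no rule matched: the chain's default policy decides
            if policy[chain] == "DROP":
                return "DROP"
    return "ACCEPT"
```

Run against the post's situation: a DROP rule in INPUT for the DMZ interface leaves DMZ-to-LAN traffic untouched, while the same match placed in FORWARD (with -i and -o) blocks it.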