LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 04-14-2012, 11:38 AM   #1
resetreset
Senior Member
 
Registered: Mar 2008
Location: Cyberspace
Distribution: Dynebolic, Ubuntu 10.10
Posts: 1,340

Rep: Reputation: 62
Problem understanding IPtables "-d" param


Since IPTables is always used to eg. block stuff TO the machine it's being run on, what is the "destination" parameter for? When that machine is being used as a router or something?


Thanks.
 
Old 04-14-2012, 09:44 PM   #2
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

Rep: Reputation: 193
Quote:
Since IPTables is always used to eg. block stuff TO the machine it's being run on
Not so, iptables is used to manipulate/filter packets passing through the kernel tcp/ip stack. These packets can travel in any direction:
Packets that are destined FOR the iptables host (INPUT),
Packets generated BY the iptables host (OUTPUT)
Packets passing THROUGH the iptables host as it is being routed (FORWARD).

The --destination (-d) option allows you to match packets by the address they are destined for, rather than the address they are coming from. -d rules would appear more often in FORWARD rules (routed traffic) than they would in INPUT/OUTPUT rules.

Say you have iptables running on a router in a school, on one subnet you have a LAN with student, teacher, and admin machines, on another subnet you have a DMZ with some servers, and then you have a WAN connection to the internet.:
Code:
iptables -A FORWARD -i $lan_if -o $dmz_if -s $admin_ip -d $server_subnet -p tcp --dport 22 -j ACCEPT
Assuming a default policy that drops unmatched packets, this rule will allow packets from the administrator IP address in $admin_ip destined for the DMZ subnet on SSH port 22.

Iptables is designed to be able to match packets by pretty much any conceivable pattern, so it is completely valid to include -d options in any appropriate rule, whether it's necessary or not. In my example above, the -i and -o options could be omitted. Or alternatively, the -d and -i could be omitted (of course that's unverified since this is a hypothetical example).
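To make the FORWARD-chain behaviour concrete, here is an added example (not fukawi1's rule set or any iptables code) that models first-match evaluation with a default DROP policy for the school router above. The interface names eth0/eth1/eth2, the admin address and the DMZ subnet are constructed values standing in for $lan_if, $dmz_if, $admin_ip and $server_subnet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# One FORWARD-chain rule, mirroring the options used in the post:
# -i, -o, -s, -d, -p, --dport and -j. A field left as None is a wildcard.
@dataclass
class Rule:
    target: str                   # -j ACCEPT / DROP
    in_if: Optional[str] = None   # -i
    out_if: Optional[str] = None  # -o
    src: Optional[str] = None     # -s, host or CIDR
    dst: Optional[str] = None     # -d, host or CIDR
    proto: Optional[str] = None   # -p
    dport: Optional[int] = None   # --dport

    def matches(self, pkt: dict) -> bool:
        if self.in_if and pkt["in_if"] != self.in_if:
            return False
        if self.out_if and pkt["out_if"] != self.out_if:
            return False
        if self.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True

def forward_verdict(pkt: dict, rules: list, policy: str = "DROP") -> str:
    """First matching rule wins; otherwise the chain's default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy

# Constructed addressing: LAN 10.1.0.0/16 on eth0, DMZ 10.2.0.0/24 on eth1, WAN on eth2.
ADMIN_IP = "10.1.0.5"
SERVER_SUBNET = "10.2.0.0/24"
RULES = [Rule("ACCEPT", in_if="eth0", out_if="eth1", src=ADMIN_IP,
              dst=SERVER_SUBNET, proto="tcp", dport=22)]

def demo() -> list:
    admin_ssh = dict(in_if="eth0", out_if="eth1", src=ADMIN_IP, dst="10.2.0.10", proto="tcp", dport=22)
    student_ssh = dict(admin_ssh, src="10.1.0.77")                     # same -d match, wrong source
    admin_web = dict(admin_ssh, dport=80)                              # right source, wrong port
    admin_to_wan = dict(admin_ssh, out_if="eth2", dst="203.0.113.9")  # -d does not cover the WAN host
    return [forward_verdict(p, RULES) for p in (admin_ssh, student_ssh, admin_web, admin_to_wan)]
```

Only the admin-to-DMZ SSH packet is accepted; everything else falls through to the DROP policy, which is exactly the role -d plays in narrowing a routed-traffic rule.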
 
Old 04-15-2012, 11:24 AM   #3
resetreset
Senior Member
 
Registered: Mar 2008
Location: Cyberspace
Distribution: Dynebolic, Ubuntu 10.10
Posts: 1,340

Original Poster
Rep: Reputation: 62
Thanks so much for your reply. So I was right, this would be used in a router situation....?

I'm still trying to get clear exactly what a "subnet" is - is it 2 networks separated by a router? (before the mods jump on me for not Googling.. )
 
Old 04-16-2012, 02:47 AM   #4
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

Rep: Reputation: 193
Quote:
So I was right, this would be used in a router situation....?
It COULD be; it is another way for iptables to match packets against rules, and the matches can be attributed to any rule (with maybe a few exceptions). As I look through my rules, the only -d matches are for rules related to routed packets.
Another example may be a single host (VPS maybe), with multiple IP addresses.

Quote:
I'm still trying to get clear exactly what a "subnet" is - is it 2 networks separated by a router?
As Einstein said, "If you can't explain it simply, you don't understand it well enough". So I won't confuse you by adding what is missing from my understanding to your learning curve. But you do need a router to traverse different subnets. That router has an IP address on each subnet, and the kernel (in the case of Linux) routes the traffic according to the rules set out in the routing tables.
 
Old 04-16-2012, 03:46 AM   #5
nikmit
Member
 
Registered: May 2011
Location: Nottingham, UK
Distribution: Debian
Posts: 178

Rep: Reputation: 34
Very nice answer, fukawi1. I kind of saw a challenge in it I could not resist. How is this for a short explanation?

A subnet is a network inside which all devices have the same broadcast address.
This allows communication without the assistance of a router.

Example for 192.168.1.0/24:

192.168.1.0 - network name (the first IP in the network)
192.168.1.255 - network broadcast address (the last IP in the network)
192.168.1.1-254 - addresses available for network clients - computers, switches, routers etc.

Last edited by nikmit; 04-16-2012 at 03:58 AM. Reason: Didn't like my original ansi :p
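The network, broadcast and host-range figures in nikmit's 192.168.1.0/24 example derive from the prefix length by mask arithmetic. The following added example (not nikmit's code) works that arithmetic through for any IPv4 prefix and uses the shared network address to decide whether two hosts can talk without a router; the /31 handling goes beyond the post's /24 case.

```python
import ipaddress

def subnet_facts(cidr: str) -> dict:
    """Derive the network, broadcast and usable host range of an IPv4 CIDR
    with plain mask arithmetic, as the post describes for 192.168.1.0/24."""
    ip_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    ip = int(ipaddress.IPv4Address(ip_str))
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # /24 -> 255.255.255.0
    network = ip & mask                                 # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)          # host bits all set
    # /31 and /32 have no separate network/broadcast addresses (RFC 3021)
    if prefix >= 31:
        first_host, last_host = network, broadcast
    else:
        first_host, last_host = network + 1, broadcast - 1
    dotted = lambda n: str(ipaddress.IPv4Address(n))
    return {"network": dotted(network), "broadcast": dotted(broadcast),
            "netmask": dotted(mask), "first_host": dotted(first_host),
            "last_host": dotted(last_host), "hosts": last_host - first_host + 1}

def same_subnet(ip_a: str, ip_b: str, prefix: int) -> bool:
    """True when both addresses share the network (and so the broadcast) address,
    i.e. they can reach each other directly without a router in between."""
    return (subnet_facts(f"{ip_a}/{prefix}")["network"]
            == subnet_facts(f"{ip_b}/{prefix}")["network"])
```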
 