LinuxQuestions.org
Linux - Security forum
Old 09-05-2014, 04:43 PM   #1
Beorn1357
LQ Newbie
 
Registered: May 2014
Distribution: CentOS 6.x
Posts: 7

Rep: Reputation: Disabled
Custom chains for IPTables


I'd like to make some custom chains for IPTables. The documentations says this:

-N, --new-chain chain
Create a new user-defined chain by the given name. There must be no target of that name already.

So if I use the following it will create a new chain named 'NEWCHAIN'.

iptables -N NEWCHAIN

The new chain appears in the INPUT filter. What if I wanted to create a new chain in the FORWARD filter instead? I can't seem to find any documentation on that. Is it even possible or are all custom chains that are not limited to the INPUT filter? If it is possible, could you give me an example or two? Thanks.
 
Old 09-06-2014, 04:37 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
Quote:
Originally Posted by Beorn1357
So if I use the following it will create a new chain named 'NEWCHAIN'.
iptables -N NEWCHAIN
The new chain appears in the INPUT filter.
No it doesn't. As 'iptables-save' output should show, the chain appears as a standalone item. So just like you would have traffic flowing through the filter table INPUT chain to locally defined chains, so would you use this in the FORWARD chain:
Code:
# Example (iptables-save syntax, filter table)
# create the user-defined chain
-N NEWCHAIN
# send matching forwarded traffic into it
-A FORWARD -d 10.0.1/24 -j NEWCHAIN
# rules inside the custom chain
-A NEWCHAIN -j LOG
For more info see https://www.frozentux.net/documents/iptables-tutorial/
 
Old 09-06-2014, 08:49 AM   #3
Beorn1357
LQ Newbie
 
Registered: May 2014
Distribution: CentOS 6.x
Posts: 7

Original Poster
Rep: Reputation: Disabled
Okay I think I get it. I was just making assumptions. That makes sense now. I remember that the created chain had to have a unique name and that explains why. So the chain itself exists independent of the standard filters, what qualifies as to what it filters is what criteria you match to send it to the custom chain.

So one follow up question. Does that mean you can have multiple statements with matching criteria that send traffic to the same custom chain? For example could you have both of these theoretically?

-A FORWARD -d 10.0.0.0/24 -j NEWCHAIN and
-A OUTPUT -d 10.0.0.0/24 -j NEWCHAIN

Last edited by Beorn1357; 09-06-2014 at 08:54 AM.
 
Old 09-06-2014, 10:18 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
Quote:
Originally Posted by Beorn1357
Does that mean you can have multiple statements with matching criteria that send traffic to the same custom chain? For example could you have both of these theoretically?

-A FORWARD -d 10.0.0.0/24 -j NEWCHAIN and
-A OUTPUT -d 10.0.0.0/24 -j NEWCHAIN
Sure, as long as you're aware of how / what traffic flows through chains: do check out the frozentux tutorial.
 
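The traversal unSpawn describes in #2 and #4 (a user-defined chain is a standalone object, it only sees packets that a rule in a built-in chain jumps to it, and the same chain may be the target of rules in both FORWARD and OUTPUT) as a small Python model. This is an added example, not code from the thread and not part of iptables itself; it parses only the -P/-N/-A subset of iptables-save syntax with -s/-d CIDR matches and the ACCEPT/DROP/LOG/RETURN targets, the ruleset and packets are constructed, and nothing touches the real netfilter tables:

```python
"""Model of iptables filter-table chain traversal (added example, not real iptables).

Modelled: -N creates a standalone chain and fails if the name is taken; a chain
only sees packets another chain jumps to it with -j; falling off the end of a
user-defined chain (or RETURN) resumes the caller at its next rule; a built-in
chain's policy decides when nothing terminating fired.
"""
import ipaddress
import shlex

BUILTIN = ("INPUT", "FORWARD", "OUTPUT")
TERMINATING = ("ACCEPT", "DROP")
SPECIAL = ("LOG", "RETURN") + TERMINATING      # targets that are not chains


class Ruleset:
    def __init__(self):
        self.chains = {name: [] for name in BUILTIN}   # chain -> [(match, target)]
        self.policy = {name: "ACCEPT" for name in BUILTIN}
        self.log = []                                  # stand-in for LOG output

    def load(self, text):
        """Parse the -P / -N / -A subset of iptables-save syntax."""
        for line in text.splitlines():
            line = line.strip()
            if not line or line[0] in "#*" or line == "COMMIT":
                continue
            argv = shlex.split(line)
            if argv[0] == "-P":
                self.policy[argv[1]] = argv[2]
            elif argv[0] == "-N":                      # "no target of that name already"
                if argv[1] in self.chains or argv[1] in SPECIAL:
                    raise ValueError("target %s already exists" % argv[1])
                self.chains[argv[1]] = []
            elif argv[0] == "-A":
                chain, match, target = argv[1], {}, None
                for opt, val in zip(argv[2::2], argv[3::2]):
                    if opt in ("-s", "-d"):
                        match[opt] = ipaddress.ip_network(val, strict=False)
                    elif opt == "-j":
                        target = val
                    else:
                        raise ValueError("unsupported option " + opt)
                if chain not in self.chains:
                    raise ValueError("chain %s does not exist" % chain)
                if target is not None and target not in SPECIAL and target not in self.chains:
                    raise ValueError("target %s does not exist" % target)
                self.chains[chain].append((match, target))
            else:
                raise ValueError("unsupported line: " + line)
        return self

    def _walk(self, chain, src, dst, depth=0):
        """ACCEPT/DROP if a terminating target fires here or in a chain jumped to;
        None when the end of the chain (or an explicit RETURN) is reached."""
        if depth > 16:
            raise RuntimeError("jump loop")        # real iptables rejects loops at load time
        for match, target in self.chains[chain]:
            if "-s" in match and src not in match["-s"]:
                continue
            if "-d" in match and dst not in match["-d"]:
                continue
            if target in TERMINATING:
                return target
            if target == "RETURN":
                return None
            if target == "LOG":                    # non-terminating: record and carry on
                self.log.append("%s: %s -> %s" % (chain, src, dst))
            elif target is not None:               # jump into a user-defined chain
                verdict = self._walk(target, src, dst, depth + 1)
                if verdict is not None:
                    return verdict
        return None

    def verdict(self, builtin, src, dst):
        """Verdict for a packet entering a built-in chain (policy applies at the end)."""
        v = self._walk(builtin, ipaddress.ip_address(src), ipaddress.ip_address(dst))
        return v if v is not None else self.policy[builtin]


# Constructed ruleset: the thread's FORWARD and OUTPUT jumps into one NEWCHAIN,
# plus a LOG rule and a single ACCEPT inside it.
RULES = """
*filter
-P FORWARD DROP
-P OUTPUT ACCEPT
-N NEWCHAIN
-A FORWARD -d 10.0.0.0/24 -j NEWCHAIN
-A OUTPUT -d 10.0.0.0/24 -j NEWCHAIN
-A NEWCHAIN -j LOG
-A NEWCHAIN -s 192.168.1.0/24 -j ACCEPT
COMMIT
"""


def demo():
    """Walk four constructed packets through RULES; returns (ruleset, verdicts)."""
    rs = Ruleset().load(RULES)
    verdicts = {
        "fwd_lan_to_10": rs.verdict("FORWARD", "192.168.1.5", "10.0.0.7"),     # ACCEPT inside NEWCHAIN
        "fwd_other_to_10": rs.verdict("FORWARD", "172.16.0.9", "10.0.0.7"),    # logged, then policy DROP
        "fwd_lan_elsewhere": rs.verdict("FORWARD", "192.168.1.5", "10.9.9.9"), # never enters NEWCHAIN
        "out_other_to_10": rs.verdict("OUTPUT", "172.16.0.9", "10.0.0.7"),     # same chain, policy ACCEPT
    }
    return rs, verdicts
```

Running demo() shows the two points from the replies: the second and fourth packets both pass through NEWCHAIN (three LOG lines in total, none for the third packet, whose destination never matched a jump rule), and when NEWCHAIN has no terminating rule for a packet the caller's policy decides, so the same chain yields DROP from FORWARD and ACCEPT from OUTPUT.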
Old 09-06-2014, 10:21 AM   #5
Beorn1357
LQ Newbie
 
Registered: May 2014
Distribution: CentOS 6.x
Posts: 7

Original Poster
Rep: Reputation: Disabled
Coolness. Thanks man.
 
Old 09-07-2014, 05:12 AM   #6
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
One place that you might want to look (in addition to the frozentux tut, of course) is Linuxhomenetworking, more specifically CH14, section 8. The guy that did that is an advocate of short, stubby chains for efficiency purposes, and there will probably be a number of well-worked examples that you can look at.
All times are GMT -5.