given that i'm determined to get a handle on iptables in some detail,
i'm probably going to have a number of picky questions about parts that
confuse me.  and here's the first.

  as i read it, there are three pre-defined tables -- filter, nat and 
mangle -- and for all of the iptables commands i see, the default table
is "filter."  as i read it, the filter table has three predefined
chains -- INPUT, OUTPUT and FORWARD.  similarly, the nat table has
three predefined -- OUTPUT, PREROUTING and POSTROUTING.  so first,
i want to clarify that the chain filter:OUTPUT is totally separate
from the chain nat:OUTPUT (if i can use that syntax to describe them).
is this correct?  it's easy to list these with:

  # iptables -L         (filter chain)
  # iptables -t nat -L

(don't worry, it gets more complicated.  i'm just starting easy.)

  now consider the mangle table, whose chains you can see with:

  # iptables -t mangle -L
        (prints PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING)

once again, i'm assuming that these chains are totally distinct from
the chains of the same name in the other tables, right?  but this leads
to a puzzling inconsistency.

  if you look at the /etc/init.d/iptables script in the latest releases
of red hat linux (i'm running the latest skipjack beta from red hat),
the "stop" excerpt of that script reads:

stop() {
        chains=`cat /proc/net/ip_tables_names 2>/dev/null`
        for i in $chains; do iptables -t $i -F; done && \
                success $"Flushing all chains:" || \
                failure $"Flushing all chains:"
        for i in $chains; do iptables -t $i -X; done && \
                success $"Removing user defined chains:" || \
                failure $"Removing user defined chains:"
        echo -n $"Resetting built-in chains to the default ACCEPT policy:"
        iftable filter -P INPUT ACCEPT && \
           iftable filter -P OUTPUT ACCEPT && \
           iftable filter -P FORWARD ACCEPT && \
           iftable nat -P PREROUTING ACCEPT && \
           iftable nat -P POSTROUTING ACCEPT && \
           iftable nat -P OUTPUT ACCEPT && \
           iftable mangle -P PREROUTING ACCEPT && \
           iftable mangle -P OUTPUT ACCEPT && \
           success $"Resetting built-in chains to the default ACCEPT policy" || \
           failure $"Resetting built-in chains to the default ACCEPT policy"
        echo
        rm -f /var/lock/subsys/iptables
}


  note that after flushing and deleting chains, the stop() function 
explicitly sets to ACCEPT the policies of all three "filter" chains,
all three "nat" chains, but only the PREROUTING and OUTPUT chains of
"mangle".  i'm just curious why it doesn't process all five chains of
the "mangle" table.  any reason for that?  i'm just trying to get a 
coherent picture of how these things happen.

rday
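One way to avoid the hard-coded chain list the script uses, as an added example that is not from the Red Hat init script or the original post: derive the built-in chains of a table from its listing, since `iptables -t TABLE -L` prints built-in chains as "Chain NAME (policy ...)" and user-defined chains as "Chain NAME (N references)". The mangle listing embedded below is constructed, not captured from a real host, and the script only prints the commands it would run rather than executing them.

```shell
#!/bin/sh
# Constructed sample of `iptables -t mangle -L -n` output (not captured
# from a real machine). Five built-in chains plus one user-defined chain.
SAMPLE_MANGLE_LISTING='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain mark_ssh (1 references)
target     prot opt source               destination
MARK       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 MARK set 0x1'

# builtin_chains LISTING: print the built-in chains in a table listing,
# one per line. Only built-in chains carry a "(policy ...)" annotation;
# user-defined chains show "(N references)" instead, so the annotation
# is what separates the two kinds.
builtin_chains() {
    printf '%s\n' "$1" | awk '/^Chain .* \(policy /{print $2}'
}

# reset_policy_cmds TABLE LISTING: emit one "iptables -t TABLE -P CHAIN ACCEPT"
# command per built-in chain found in LISTING, so every built-in chain of
# the table gets its policy reset, however many the table has.
reset_policy_cmds() {
    table=$1
    listing=$2
    builtin_chains "$listing" | while read -r chain; do
        printf 'iptables -t %s -P %s ACCEPT\n' "$table" "$chain"
    done
}

# Shows the commands that would be generated for the constructed mangle table.
reset_policy_cmds mangle "$SAMPLE_MANGLE_LISTING"
```

On a live system the listing would come from `iptables -t "$table" -L -n` for each table named in /proc/net/ip_tables_names, the same source the init script reads.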
