On 24 Apr 2002, Tony Earnshaw wrote:
> Wed, 2002-04-24 at 18:41 rpjday wrote:
>
> > i want to clarify that the chain filter:OUTPUT is totally separate
> > from the chain nat:OUTPUT (if i can use that syntax to describe them).
> > is this correct?
>
> Not to my tiny mind. There are 3 distinct and unique chains ...
hang on, let me rephrase this. there are three pre-defined *tables*:
filter, nat and mangle.
within all three tables, there is an OUTPUT chain. all i wanted to
clarify is that these three *chains* are totally distinct, despite
the fact that they have the name OUTPUT, that's all.
>
> > if you look at the /etc/init.d/iptables script in the latest releases
> > of red hat linux (i'm running the latest skipjack beta from red hat),
> > the "stop" excerpt of that script reads:
>
> It doesn't say that in _my_ /etc/rc.d/init.d/iptables script. Which comes
> with Netfilter. Although I _am_ running RH 7.2.
>
> There it says:
>
> ---
>
> stop() {
>     action "Flushing all chains:" iptables -F
>     action "Removing user defined chains:" iptables -X
>     echo $"Resetting built-in chains to the default ACCEPT policy:"
>     iptables -P INPUT ACCEPT && \
>     iptables -P FORWARD ACCEPT && \
>     iptables -P OUTPUT ACCEPT && \
>     success "Resetting built-in chains to the default ACCEPT policy" || \
>     failure "Resetting built-in chains to the default ACCEPT policy"
>     echo
>
>     /bin/echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
>     /bin/echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>     /bin/echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects
>
>     rm -f /var/lock/subsys/iptables
> }
obviously, the newer version of iptables that comes with skipjack has
a slightly more complicated structure -- it's version 1.2.5-3, by the
way.
> Why not think of the tables as sharing chains? Or being enclosed in and
> sharing chains?
sure, i have no problem with that, since it sounds effectively as if
they're still separate chains, anyway. six of one, half dozen of the
other.
rday
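The table/chain distinction discussed in this thread, as an added example that is not part of the original mail or of any Red Hat or Netfilter script. The point it makes concrete is the one a firewall "stop" action has to get right: `iptables -F`, `-X` and `-P` with no `-t` act on the filter table only, so the quoted stop() leaves whatever is in nat:OUTPUT and mangle:OUTPUT in place. The script parses iptables-save output (the `*table`, `:CHAIN POLICY [pkts:bytes]`, `-A CHAIN ...`, `COMMIT` format) to show that each table carries its own, unrelated OUTPUT chain, and generates a reset that names every table explicitly. The iptables-save dump embedded here is constructed for the example, not captured from a real host; the mangle table is shown with only the PREROUTING and OUTPUT chains it had on the 2.4 kernels of the day (later kernels add more), and the function names are this example's own.

```sh
#!/bin/sh
# Added example: filter:OUTPUT, nat:OUTPUT and mangle:OUTPUT are three separate
# chains that merely share a name, so a reset must address each table by -t.

# Constructed iptables-save output (sample data, not from a live system).
# On a real host replace it with: SAVE_TEXT=$(iptables-save)
SAVE_TEXT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 10.0.0.1/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:8080
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 22 -j TOS --set-tos Minimize-Delay
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:blocked - [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A blocked -j DROP
COMMIT'

# tables: every table present in the dump, in dump order
tables() {
  printf '%s\n' "$SAVE_TEXT" | awk '/^\*/ { print substr($0, 2) }'
}

# chain_rules TABLE CHAIN: rules appended to CHAIN inside TABLE and nowhere else
chain_rules() {
  printf '%s\n' "$SAVE_TEXT" | awk -v t="$1" -v c="$2" '
    /^\*/     { cur = substr($0, 2) }   # "*nat" starts the nat section
    /^COMMIT/ { cur = "" }              # COMMIT ends it
    cur == t && $1 == "-A" && $2 == c { print }
  '
}

# count_chain_rules TABLE CHAIN: how many rules that one chain holds
count_chain_rules() {
  chain_rules "$1" "$2" | wc -l | tr -d ' '
}

# builtin_chains TABLE: built-in chains of TABLE. User-defined chains are
# written with policy "-" in iptables-save, built-ins with a real policy.
builtin_chains() {
  printf '%s\n' "$SAVE_TEXT" | awk -v t="$1" '
    /^\*/     { cur = substr($0, 2) }
    /^COMMIT/ { cur = "" }
    cur == t && /^:/ && $2 != "-" { sub(/^:/, "", $1); print $1 }
  '
}

# reset_commands: the commands a stop action needs to really clear the box.
# "iptables -F" alone is "iptables -t filter -F"; nat and mangle are untouched.
reset_commands() {
  for t in $(tables); do
    echo "iptables -t $t -F"
    echo "iptables -t $t -X"
    for c in $(builtin_chains "$t"); do
      echo "iptables -t $t -P $c ACCEPT"
    done
  done
}

# report: one line per table showing that each OUTPUT chain is its own thing
report() {
  for t in $(tables); do
    echo "$t:OUTPUT has $(count_chain_rules "$t" OUTPUT) rule(s)"
  done
}

report
```

Run it as-is to see the three OUTPUT chains counted independently (filter 2, nat 1, mangle 1); pipe `reset_commands` into `sh` only on a host where you actually want every table flushed and every built-in policy set back to ACCEPT. The user-defined chain `blocked` in the sample is there to show why `-X` is emitted per table after `-F`: it can only be deleted once it is empty and unreferenced.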