Bug 83991

Summary: iptables chains wrong/missing
Product: [Retired] Red Hat Public Beta
Reporter: Miloslav Trmac <mitr>
Component: rhl-rg
Assignee: Johnray Fuller <jrfuller>
Status: CLOSED CURRENTRELEASE
QA Contact: Tammy Fox <tammy.c.fox>
Severity: medium
Priority: medium
Version: phoebe
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2003-02-12 17:34:47 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Miloslav Trmac 2003-02-10 19:06:07 UTC
Description of problem:
Section 14. Packet Filtering.
There are two HTML pages (chapters?) dealing with the 'filter' table and the
chains INPUT, FORWARD, OUTPUT. The second one gets it right, the first one
doesn't: INPUT and OUTPUT are only for connections involving the local
machine as an endpoint; OUTPUT doesn't include packets received and then
forwarded.

Also, my 'man iptables' states that as of 2.4.18, INPUT, FORWARD and
POSTROUTING chains have been added to the 'mangle' table.

Version-Release number of selected component (if applicable):
rhl-cg(EN)-8.0.93-HTML-RHI(2003-01-16T17:37-0400)

Comment 1 Tammy Fox 2003-02-10 19:18:11 UTC
There isn't a Packet Filtering section in the CG. Perhaps you meant the RG.

Comment 2 Miloslav Trmac 2003-02-10 19:25:48 UTC
True, I got my notes wrong. Sorry about that.

Comment 3 Johnray Fuller 2003-02-12 06:37:21 UTC
Thanks for the feedback.

I am confused, however, by what you mean by 

"There are two HTML pages (chapters?) dealing with 'filter' table and the
chains INPUT, FORWARD, OUTPUT. The second one gets it right, the first one
doesn't"

Can you give me page numbers or section headings?

"INPUT and OUTPUT are only for connections involving the local
machine as an endpoint; OUTPUT doesn't include packet received and then
forwarded."

What I have is:

    *INPUT — Applies to packets received via a network interface.

---> So I figured this implied it was an endpoint. I can be more specific.

    *OUTPUT — Applies to packets sent out via the same network interface which
received the packets.

----> I will change this to something more in line w/ the man page:

"for locally-generated packets" is what it states


As for the MANGLE tables. There are 3 new chains.

INPUT (for packets  coming  into the box itself), FORWARD (for altering packets
being routed through the box),  and  POSTROUTING  (for  altering packets as they
are about to go out)

I almost missed that!

Thanks for the catches. I will fix the chapter STAT.

I dropped the chapter early in the release cycle, so this may explain the
mangling of the MANGLE table :-)

Johnray

Comment 4 Johnray Fuller 2003-02-12 08:03:54 UTC
Here is the updated text. Does this address all the issues you have raised?

Let me know ASAP as this chapter is final within 48 hours.

Johnray

--------------------
-BEGIN UPDATED TEXT-
--------------------

Each of these tables in turn has a group of built-in chains which correspond to
the actions performed on the packet by netfilter.

The built-in chains for the filter table are as follows:

    * INPUT — Applies to network packets that are targeted for the host.
    * OUTPUT — Applies to locally-generated network packets.
    * FORWARD — Applies to network packets routed through the host.

The built-in chains for the nat table are as follows:

    * PREROUTING — Alters network packets when they arrive.
    * OUTPUT — Alters locally-generated network packets before they are sent out.
    * POSTROUTING — Alters network packets before they are sent out.

The built-in chains for the mangle table are as follows:

    * INPUT — Alters network packets targeted for the host.
    * OUTPUT — Alters locally-generated network packets before they are sent out.
    * FORWARD — Alters network packets routed through the host.
    * PREROUTING — Alters incoming network packets before they are routed.
    * POSTROUTING — Alters network packets before they are sent out.

Every network packet received by or sent out of a Linux system is subject to at
least one table.

------------------
-END UPDATED TEXT-
------------------
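
The chain layout in the updated text can be checked with a small simulation. The following Python script is an added example for this page, not part of the bug report or of the Red Hat documentation it discusses. The host addresses, sample packets and ruleset in it are constructed, and the traversal order it encodes (at each netfilter hook the mangle table runs before nat before filter; nat chains are really consulted once per connection but are listed per packet here) is the standard netfilter hook order, not something the thread states. The practical point it shows is the one the report corrects: a filter rule placed in OUTPUT only ever sees locally-generated packets, so it never applies to traffic the host forwards.

```python
from dataclasses import dataclass

# Constructed sample: the addresses configured on the host running iptables.
LOCAL_ADDRS = frozenset({"192.0.2.10", "127.0.0.1"})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    locally_generated: bool = False  # True for packets this host creates itself


def chains_traversed(pkt, local_addrs=LOCAL_ADDRS, forwarding=True):
    """Ordered (table, chain) pairs a packet passes through.

    Encodes the standard netfilter hook order (an assumption of this example,
    not stated in the thread): at each hook mangle runs before nat before
    filter. nat chains are really consulted once per connection; they are
    listed per packet here as a simplification.
    """
    if pkt.locally_generated:
        # Local processes: routing decision, then the three OUTPUT chains,
        # then the POSTROUTING chains. INPUT and FORWARD are never reached.
        return [("mangle", "OUTPUT"), ("nat", "OUTPUT"), ("filter", "OUTPUT"),
                ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")]

    path = [("mangle", "PREROUTING"), ("nat", "PREROUTING")]
    # Routing decision: is the packet targeted for this host?
    if pkt.dst in local_addrs:
        path += [("mangle", "INPUT"), ("filter", "INPUT")]
        return path
    if not forwarding:
        # With IP forwarding disabled the routing decision discards the
        # packet; it never reaches any FORWARD chain.
        return path
    # Routed through the host: FORWARD, then POSTROUTING. OUTPUT is not
    # part of this path, which is the point the bug report corrects.
    path += [("mangle", "FORWARD"), ("filter", "FORWARD"),
             ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")]
    return path


def filter_verdict(pkt, ruleset, **kw):
    """Evaluate a toy filter-table ruleset on the one filter chain the packet hits.

    ruleset maps chain name -> (policy, [(match_fn, target), ...]); the first
    matching rule wins, otherwise the chain policy applies. A packet traverses
    exactly one of INPUT, FORWARD or OUTPUT in the filter table.
    """
    for table, chain in chains_traversed(pkt, **kw):
        if table != "filter":
            continue
        policy, rules = ruleset.get(chain, ("ACCEPT", []))
        for match, target in rules:
            if match(pkt):
                return target
        return policy
    # No filter chain on the path: routing discarded the packet.
    return "DROP"


if __name__ == "__main__":
    # Constructed ruleset: an operator tries to block traffic to 203.0.113.7
    # by adding the rule to OUTPUT only.
    ruleset = {
        "INPUT": ("DROP", []),
        "OUTPUT": ("ACCEPT", [(lambda p: p.dst == "203.0.113.7", "DROP")]),
        "FORWARD": ("ACCEPT", []),
    }
    local = Packet("192.0.2.10", "203.0.113.7", locally_generated=True)
    routed = Packet("198.51.100.5", "203.0.113.7")
    for name, pkt in (("locally generated", local), ("routed through", routed)):
        print(f"{name}: {' -> '.join(f'{t}/{c}' for t, c in chains_traversed(pkt))}")
        print(f"  filter verdict: {filter_verdict(pkt, ruleset)}")
```

Running it prints the two paths side by side: the locally-generated packet hits filter/OUTPUT and is dropped, while the routed packet to the same destination passes through filter/FORWARD and is accepted because the OUTPUT rule never applies to it. Blocking forwarded traffic therefore requires a rule in FORWARD.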

Comment 5 Miloslav Trmac 2003-02-12 15:38:09 UTC
I am confused, however, by what you mean by 

"There are two HTML pages (chapters?) dealing with 'filter' table and the
chains INPUT, FORWARD, OUTPUT. The second one gets it right, the first one
doesn't

Can you give me page numbers or section headings?
My bad:
"Chapter 14. iptables" - the one you have just corrected
"Differences between iptables and ipchains" has had OUTPUT right.

Anyway, the updated text looks fine to me.
Thanks!

Comment 6 Johnray Fuller 2003-02-12 17:34:47 UTC
K, I'm closing this one then.

Thanks!

Johnray