Bug 83991 - iptables chains wrong/missing
Status: CLOSED CURRENTRELEASE
Product: Red Hat Public Beta
Classification: Retired
Component: rhl-rg
Version: phoebe
Hardware/OS: All Linux
Priority: medium, Severity: medium
Assigned To: Johnray Fuller
QA Contact: Tammy Fox
Reported: 2003-02-10 14:06 EST by Miloslav Trmac
Modified: 2007-04-18 12:50 EDT
Last Closed: 2003-02-12 12:34:47 EST
Doc Type: Bug Fix

Description Miloslav Trmac 2003-02-10 14:06:07 EST
Description of problem:
Section 14. Packet Filtering.
There are two HTML pages (chapters?) dealing with the 'filter' table and the
chains INPUT, FORWARD, OUTPUT. The second one gets it right, the first one
doesn't: INPUT and OUTPUT are only for connections involving the local
machine as an endpoint; OUTPUT doesn't include packets received and then
forwarded.

Also, my 'man iptables' states that as of 2.4.18, INPUT, FORWARD and
POSTROUTING chains have been added to the 'mangle' table.

Version-Release number of selected component (if applicable):
rhl-cg(EN)-8.0.93-HTML-RHI(2003-01-16T17:37-0400)
Comment 1 Tammy Fox 2003-02-10 14:18:11 EST
There isn't a Packet Filtering section in the CG. Perhaps you meant the RG.
Comment 2 Miloslav Trmac 2003-02-10 14:25:48 EST
True, I got my notes wrong. Sorry about that.
Comment 3 Johnray Fuller 2003-02-12 01:37:21 EST
Thanks for the feedback.

I am confused, however, by what you mean by

"There are two HTML pages (chapters?) dealing with 'filter' table and the
chains INPUT, FORWARD, OUTPUT. The second one gets it right, the first one
doesn't"

Can you give me page numbers or section headings?

"INPUT and OUTPUT are only for connections involving the local
machine as an endpoint; OUTPUT doesn't include packet received and then
forwarded."

What I have is:

    *INPUT — Applies to packets received via a network interface.

---> So I figured this implied it was an endpoint. I can be more specific.

    *OUTPUT — Applies to packets sent out via the same network interface which
received the packets. 

----> I will change this to something more in line w/ the man page:

"for locally-generated packets" is what it states


As for the MANGLE tables. There are 3 new chains.

INPUT (for packets coming into the box itself), FORWARD (for altering packets
being routed through the box), and POSTROUTING (for altering packets as they
are about to go out)

I almost missed that!

Thanks for the catches. I will fix the chapter STAT.

I dropped the chapter early in the release cycle, so this may explain the
mangling of the MANGLE table :-)

Johnray

Comment 4 Johnray Fuller 2003-02-12 03:03:54 EST
Here is the updated text. Does this address all the issues you have raised?

Let me know ASAP as this chapter is final within 48 hours.

Johnray

--------------------
-BEGIN UPDATED TEXT-
--------------------

Each of these tables in turn has a group of built-in chains which correspond to
the actions performed on the packet by netfilter.

The built-in chains for the filter table are as follows:

    * INPUT — Applies to network packets that are targeted for the host.
    * OUTPUT — Applies to locally-generated network packets.
    * FORWARD — Applies to network packets routed through the host.

The built-in chains for the nat table are as follows:

    * PREROUTING — Alters network packets when they arrive.
    * OUTPUT — Alters locally-generated network packets before they are sent out.
    * POSTROUTING — Alters network packets before they are sent out.

The built-in chains for the mangle table are as follows:

    * INPUT — Alters network packets targeted for the host.
    * OUTPUT — Alters locally-generated network packets before they are sent out.
    * FORWARD — Alters network packets routed through the host.
    * PREROUTING — Alters incoming network packets before they are routed.
    * POSTROUTING — Alters network packets before they are sent out.

Every network packet received by or sent out of a Linux system is subject to at
least one table.

------------------
-END UPDATED TEXT-
------------------
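The corrected text above lists which built-in chains each table has, but not which of them a given packet actually passes through, which is the distinction the original chapter got wrong (forwarded packets never touch INPUT or OUTPUT). The following shell script is an added example, not code from the bug report or from the Reference Guide: it encodes the table/chain layout of the updated text, prints the traversal order for host-targeted, routed and locally-generated packets, and validates a constructed iptables-save style ruleset against the built-in chains of each table. Interface names and the ruleset itself are constructed placeholders; the traversal order is the netfilter hook order of the 2.4 kernels the guide covers (the later raw table is omitted).

```shell
#!/bin/sh
# Added example (not from the bug report or the Reference Guide): encodes the
# table/chain semantics of the corrected chapter text and checks a ruleset
# against them. Hook order follows the 2.4 kernels; the raw table is omitted.

# builtin_chains TABLE -> the built-in chains of that table, one per line.
builtin_chains() {
    case "$1" in
        filter) printf '%s\n' INPUT OUTPUT FORWARD ;;
        nat)    printf '%s\n' PREROUTING OUTPUT POSTROUTING ;;
        mangle) printf '%s\n' INPUT OUTPUT FORWARD PREROUTING POSTROUTING ;;
        *)      echo "unknown table: $1" >&2; return 1 ;;
    esac
}

# chains_for KIND -> "table:CHAIN" pairs in traversal order.
# KIND: incoming (targeted for the host), forwarded (routed through the host),
# outgoing (locally generated). Forwarded packets never see INPUT or OUTPUT.
chains_for() {
    case "$1" in
        incoming)  printf '%s\n' mangle:PREROUTING nat:PREROUTING \
                                mangle:INPUT filter:INPUT ;;
        forwarded) printf '%s\n' mangle:PREROUTING nat:PREROUTING \
                                mangle:FORWARD filter:FORWARD \
                                mangle:POSTROUTING nat:POSTROUTING ;;
        outgoing)  printf '%s\n' mangle:OUTPUT nat:OUTPUT filter:OUTPUT \
                                mangle:POSTROUTING nat:POSTROUTING ;;
        *)         echo "unknown packet kind: $1" >&2; return 1 ;;
    esac
}

# sees_chain KIND TABLE CHAIN -> exit 0 if a KIND packet traverses TABLE:CHAIN.
sees_chain() {
    chains_for "$1" | grep -qx "$2:$3"
}

# Constructed ruleset (iptables-save format) for a small gateway. Each rule
# sits in the chain that actually sees its traffic: SSH to the host itself in
# filter INPUT, LAN-to-WAN traffic in filter FORWARD, source NAT in nat
# POSTROUTING. eth0/eth1 are placeholder interface names.
ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# validate_ruleset: reads a ruleset on stdin and fails on any -A rule whose
# chain is not built in to its table (e.g. "-A FORWARD" under *nat, which
# iptables-restore on these kernels would reject as well).
validate_ruleset() {
    status=0
    awk '/^\*/ { table = substr($0, 2) } /^-A/ { print table, $2 }' |
    while read -r table chain; do
        builtin_chains "$table" | grep -qx "$chain" ||
            { echo "no built-in chain $chain in table $table" >&2; exit 1; }
    done || status=1
    return $status
}

# Stand-alone run: show the traversal for each packet kind, then validate the
# constructed ruleset.
for kind in incoming forwarded outgoing; do
    echo "$kind:"; chains_for "$kind" | sed 's/^/  /'
done
ruleset | validate_ruleset && echo "ruleset OK"
```

The traversal function makes the bug concrete: a rule meant for traffic routed through the box has to live in FORWARD (filter or mangle), because OUTPUT is only visited by packets the host itself generates.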
Comment 5 Miloslav Trmac 2003-02-12 10:38:09 EST
I am confused, however, by what you mean by

"There are two HTML pages (chapters?) dealing with 'filter' table and the
chains INPUT, FORWARD, OUTPUT. The second one gets it right, the first one
doesn't"

Can you give me page numbers or section headings?
My bad:
"Chapter 14. iptables" - the one you have just corrected
"Differences between iptables and ipchains" has had OUTPUT right.

Anyway, the updated text looks fine to me.
Thanks!
Comment 6 Johnray Fuller 2003-02-12 12:34:47 EST
K, I'm closing this one then.

Thanks!

Johnray
