iptables script


I am new to iptables.
When writing an iptables script,
we put rules in the INPUT, FORWARD or POSTROUTING chain.
So which one is best?

Please advise.

Re: iptables script


kenz wrote:

"best" for what?

--

Lew Pitcher, IT Specialist, Corporate Technology Solutions,
Enterprise Technology Solutions, TD Bank Financial Group

(Opinions expressed here are my own, not my employer's)


Re: iptables script

Each one has different functionality. First you need to know the
usage, and depending on your usage you can choose between them.

INPUT, FORWARD, POSTROUTING, PREROUTING... all of these are filters.

INPUT will filter the incoming packets,
FORWARD will filter the packets that are being forwarded,
POSTROUTING will filter the packets on the post-routing stage.

For more information take a look at

Re: iptables script

I am a bit confused about INPUT and FORWARD.
Is it for filtering the incoming packets?
Does it mean it is filtering the incoming packets from the external network and
the LAN?


Re: iptables script

INPUT will filter the packets from whichever external IP/network is
configured. It can be either from the same network or from different

Re: iptables script

So you mean that
iptables -A INPUT -i $LAN_ETH ....... or
iptables -A INPUT -s $LAN_IPRANGE ......
is filtering the incoming packets from the local network,

and iptables -A INPUT -i $EXT_ETH.......
is filtering the incoming packets from the internet?

Re: iptables script

Probably yes.

Re: iptables script


INPUT is the chain for packets destined for the host on which
netfilter is running.  Anything else will be handled by FORWARD.  This
means that if a packet arrives which was not destined for your host, then
it is processed by the FORWARD chain before it is routed to the actual
target.  After the final IP address is found (after NAT, probably), the
POSTROUTING chain comes into play.  This is effectively the last stage
for packets which need to be forwarded.


Linux doesn't differentiate between 'LAN' and 'internet' for example.
It receives packets and then decides what to do.  This decision is based
on the source and destination addresses of those packets, and the
interface where it arrives (e.g. ppp0 or eth0).  By default, there is no
special treatment for the source data (address, interface).

If your host has the IP address and a packet with the
destination address arrives, then this packet is handled by
FORWARD instead of INPUT.
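As an added worked example (not code posted by anyone in this thread), the following script puts the explanation above, and the earlier question about `-i $LAN_ETH` versus `-i $EXT_ETH`, into one gateway ruleset: INPUT for traffic addressed to the gateway itself, FORWARD for traffic transiting it, and POSTROUTING in the nat table for MASQUERADE. The interface names eth0 (internet side) and eth1 (LAN side) and the range 192.168.1.0/24 are assumptions, as is the availability of `iptables-restore --test` (iptables 1.6 or newer, to my knowledge). The ruleset is generated as text first so it can be inspected before it touches the kernel.

```shell
#!/bin/sh
# Added example for this thread (not code posted by any participant).
# A minimal two-interface gateway ruleset showing which chain does what:
#   INPUT       - packets addressed to the gateway itself
#   FORWARD     - packets transiting the gateway (LAN <-> internet)
#   POSTROUTING - (nat table) last hop for forwarded packets; used for MASQUERADE
# Assumed, hypothetical names: eth0 faces the internet, eth1 faces the LAN,
# and the LAN uses 192.168.1.0/24. Override them via environment variables.
EXT_ETH="${EXT_ETH:-eth0}"
LAN_ETH="${LAN_ETH:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the ruleset in iptables-restore format. Generating text first means
# it can be reviewed (or fed to 'iptables-restore --test') before loading.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: the kernel does not know "LAN" from "internet"; the distinction is
# made here with -i (arrival interface) and -s (source range).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN_ETH -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_ETH -s $LAN_NET -p icmp -j ACCEPT
# Anti-spoofing: a LAN source address must never arrive on the external side.
-A INPUT -i $EXT_ETH -s $LAN_NET -j DROP
# FORWARD: only LAN hosts may open connections outwards; replies return via conntrack.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $EXT_ETH -s $LAN_NET -j DROP
-A FORWARD -i $LAN_ETH -o $EXT_ETH -s $LAN_NET -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# POSTROUTING: routing has already chosen the outgoing interface, so this is
# where forwarded LAN traffic gets the gateway's external source address.
-A POSTROUTING -o $EXT_ETH -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# List the rules appended to one chain, e.g. 'rules_in_chain FORWARD'.
rules_in_chain() {
    gen_rules | grep -- "^-A $1 "
}

# Load the ruleset atomically: iptables-restore replaces the listed tables in
# one step instead of leaving a half-built policy while a script runs rule by rule.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_rules | iptables-restore
}

case "${1:-}" in
    apply) apply_rules ;;
    check) gen_rules | iptables-restore --test ;;   # parse only, do not load
    *)     gen_rules ;;                             # print the ruleset for review
esac
```

Run `sh gateway.sh check` as root to have iptables-restore parse the ruleset without loading it, then `sh gateway.sh apply`. The point the thread arrives at is visible in the rules: "incoming from the LAN" is not a property the kernel knows, it is `-i eth1 -s 192.168.1.0/24` on INPUT, while the same source range arriving on eth0 is the spoofing case and is dropped in both INPUT and FORWARD.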

