Using the Netfilter hooks the tables provide the functionalities of the packet filter subsystem in Linux. As tables only provide a container for the policy of a specific functionality, some configuration evaluation system is needed. Like many packet filter implementations IPTables uses ACLs for the evaluation mechanism. While other implementations use only one or a limited number of lists, IPTables can have nearly an infinite number of these. The ACLs are called chains in IPTables.
IPTables chains consists of rules which are evaluated from the top (beginning) of the list to the bottom (end). The evaluation stops at the first matching rule if a verdict is set.
| Note |
|---|
It is possible that a rule does not make a verdict on the packet, in that case the evaluation continues. |
The evaluation can jump to another chain and later can return to the original one, however if the packet matches on any of the chains the evaluations stops. Each chain resides in a specific table and controls the policy of that given table.
There are basically two types of chains.
built-in chains
created chains
Every table contains built-in chains for each of the hooks it has. Every packet that a table on a specific hook gets is put on the specific chain of the given table. The evaluation of this chain is the basis of the verdict of the packet. For example, the filter table has three built-in chains: Input, Forward and Output.
Besides built-in chains, it is possible to create new chains to ease the management of the configuration and can direct the packets on these custom chains by jumping on it.
| Note | ||
|---|---|---|
|
It is possible to jump to a chain in another table. A smart organization of chains makes the configuration easier to understand and makes the evaluation faster.
|
Published on March 04, 2024
© BalaSys IT Ltd.
Send your comments to support@balasys.hu
