A.3.3. Chains

The tables use the Netfilter hooks to provide the functionality of the packet filter subsystem in Linux. Since a table is only a container for the policy of a specific functionality, some mechanism for evaluating the configuration is needed. Like many packet filter implementations, IPTables uses ACLs for this purpose. While other implementations use only one or a limited number of lists, IPTables can have a practically unlimited number of them. In IPTables the ACLs are called chains.

IPTables chains consist of rules which are evaluated from the top (beginning) of the list to the bottom (end). The evaluation stops at the first matching rule that sets a verdict.

Note

It is possible that a rule does not set a verdict on the packet; in that case the evaluation continues with the next rule.

The evaluation can jump to another chain and later return to the original one; however, if the packet matches a rule that sets a verdict in any of the chains, the evaluation stops. Each chain resides in a specific table and controls the policy of that table.

There are basically two types of chains:

  • built-in chains

  • created chains

Every table contains a built-in chain for each of the hooks it is registered on. Every packet that a table receives on a specific hook is placed on the corresponding built-in chain of that table, and the evaluation of this chain is the basis of the verdict on the packet. For example, the filter table has three built-in chains: Input, Forward and Output.

Besides the built-in chains, it is possible to create new chains to ease the management of the configuration, and packets can be directed to these custom chains by jumping to them.

Note

It is possible to jump to a chain in another table. A smart organization of chains makes the configuration easier to understand and makes the evaluation faster.

Example A.1. Chaining

If a chain has 100 rules, in the worst case all 100 rules must be evaluated; but if they are separated into 10 sub-chains (which is usually possible), then even in the worst case only 20 rules must be evaluated.
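The following is an added example, not code from the original appendix or from the IPTables project: a small Python model of the chain evaluation described above (top-to-bottom walk, stop at the first rule that sets a verdict, non-verdict targets such as LOG that let the walk continue, JUMP and RETURN between chains, and the built-in chain's policy applied when the end of the chain is reached). The rule and chain layouts, the port-based matches and the packet dictionaries are all constructed for illustration; `worst_case_counts()` reproduces the 100-versus-20 count of Example A.1 by building both layouts and counting the rules actually evaluated for the worst-case packet.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model of IPTables chain evaluation (illustration only, not the
# kernel's or iptables' own code). Packets are plain dicts such as
# {"proto": "tcp", "dport": 22}.
Packet = Dict[str, object]


@dataclass
class Rule:
    match: Callable[[Packet], bool]  # True when the rule matches the packet
    target: str                      # "ACCEPT", "DROP", "RETURN", "LOG" or "JUMP"
    jump_to: Optional[str] = None    # chain to jump to when target == "JUMP"


@dataclass
class Chain:
    name: str
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None     # default verdict of a built-in chain; None for user chains


class Table:
    """One table (for example filter) holding built-in and user-created chains."""

    def __init__(self) -> None:
        self.chains: Dict[str, Chain] = {}

    def add_chain(self, name: str, policy: Optional[str] = None) -> Chain:
        self.chains[name] = Chain(name, policy=policy)
        return self.chains[name]

    def evaluate(self, chain_name: str, packet: Packet) -> Tuple[Optional[str], int]:
        """Walk a chain top to bottom; return (verdict, number of rules evaluated).

        ACCEPT/DROP end the evaluation, also when reached inside a jumped-to chain.
        LOG matches but sets no verdict, so the walk continues with the next rule.
        RETURN, or reaching the end of a user chain, hands control back to the caller;
        reaching the end of (or RETURN in) a built-in chain applies its policy.
        """
        chain = self.chains[chain_name]
        evaluated = 0
        for rule in chain.rules:
            evaluated += 1
            if not rule.match(packet):
                continue
            if rule.target == "JUMP":
                verdict, sub_evaluated = self.evaluate(rule.jump_to, packet)
                evaluated += sub_evaluated
                if verdict is not None:
                    return verdict, evaluated      # verdict set in the sub-chain: stop
            elif rule.target == "RETURN":
                return chain.policy, evaluated     # None for a user chain, policy for a built-in one
            elif rule.target in ("ACCEPT", "DROP"):
                return rule.target, evaluated
            # "LOG" and other non-terminating targets: keep walking
        return chain.policy, evaluated


def flat_layout() -> Table:
    """One INPUT chain with 100 rules: rule i accepts TCP destination port i."""
    table = Table()
    inp = table.add_chain("INPUT", policy="DROP")
    for port in range(1, 101):
        inp.rules.append(Rule(lambda p, port=port: p["dport"] == port, "ACCEPT"))
    return table


def chained_layout() -> Table:
    """The same 100 rules split into 10 sub-chains of 10, reached via 10 JUMP rules."""
    table = Table()
    inp = table.add_chain("INPUT", policy="DROP")
    for k in range(10):
        lo, hi = 10 * k + 1, 10 * k + 10
        sub = table.add_chain(f"ports_{lo}_{hi}")
        for port in range(lo, hi + 1):
            sub.rules.append(Rule(lambda p, port=port: p["dport"] == port, "ACCEPT"))
        inp.rules.append(Rule(lambda p, lo=lo, hi=hi: lo <= p["dport"] <= hi, "JUMP", jump_to=sub.name))
    return table


def worst_case_counts() -> Tuple[int, int]:
    """Rules evaluated for the worst-case packet (port 100) in the flat and chained layouts."""
    worst = {"proto": "tcp", "dport": 100}
    return flat_layout().evaluate("INPUT", worst)[1], chained_layout().evaluate("INPUT", worst)[1]


def log_then_return_example() -> Tuple[Optional[str], int]:
    """A jumped-to 'audit' chain that logs, sets no verdict, and returns to INPUT."""
    table = Table()
    inp = table.add_chain("INPUT", policy="DROP")
    audit = table.add_chain("audit")
    audit.rules.append(Rule(lambda p: True, "LOG"))                 # matches, no verdict
    audit.rules.append(Rule(lambda p: p["dport"] == 22, "ACCEPT"))  # does not match port 80
    audit.rules.append(Rule(lambda p: True, "RETURN"))              # back to INPUT
    inp.rules.append(Rule(lambda p: p["proto"] == "tcp", "JUMP", jump_to="audit"))
    inp.rules.append(Rule(lambda p: p["dport"] == 80, "ACCEPT"))
    return table.evaluate("INPUT", {"proto": "tcp", "dport": 80})


if __name__ == "__main__":
    print("flat vs chained worst case:", worst_case_counts())
    print("log/return walk:", log_then_return_example())
```

In the chained layout the worst-case packet still traverses the 10 JUMP rules of INPUT plus the 10 rules of the last sub-chain, which is where the figure of 20 comes from; a packet that matches no sub-chain at all falls off the end of INPUT after only the 10 JUMP rules and receives the DROP policy.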