Ian Northeast <(E-Mail Removed)> wrote in news:(E-Mail Removed):
> On Thu, 28 Jul 2005 11:24:37 -0700, (E-Mail Removed) wrote:
>
>> How do iptables rules work? Does it read all the rules and, if none
>> matches, apply the default rule (iptables -P Chain -j rule), or does it
>> execute the rules in the order in which they are arranged?
>
> It starts at the first rule in the chain and progresses down. If it
> encounters a -j rule (except -j LOG) it jumps to that target, and
> ignores the rest of the chain. If it falls off the bottom of the chain
> the policy (-P) is applied.
>
> Regards, Ian
>
>
A comment on this. It is a good idea to have a rule that accepts
continuation packets as early in the chain as possible. That way the
bulk of traffic (assuming that most packets are part of an existing
connection) is dealt with using the minimum processing overhead. So you
want a rule like:
    iptables -A <chain name> -m state --state RELATED,ESTABLISHED -j ACCEPT
hit as early on as possible.
Klazmon.
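The two points in this thread (first terminating match wins, LOG does not stop traversal, the chain policy applies only when a packet falls off the bottom; and the RELATED,ESTABLISHED rule belongs at the top) can be made concrete with a small model of chain traversal. This is an added example written for this page, not code from either poster; the chain name INPUT, the example services (tcp/22, tcp/80), the log prefix and the sample packets are all assumptions chosen for illustration.

```python
# Added example (not from the thread): a toy model of iptables chain
# traversal as Ian describes it, used to show why Klazmon's
# RELATED,ESTABLISHED rule belongs at the top of the chain.
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Targets that end traversal of the chain. LOG is deliberately absent:
# it records the packet and lets traversal continue with the next rule.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    proto: str   # "tcp" / "udp"
    dport: int
    state: str   # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str
    spec: str    # the iptables(8) rule specification this stands for


@dataclass
class Chain:
    name: str
    policy: str  # applied only when no terminating rule matched (-P)
    rules: List[Rule] = field(default_factory=list)


def traverse(chain: Chain, pkt: Packet) -> Tuple[str, int, List[str]]:
    """Walk the chain top to bottom; the first terminating match wins.

    Returns (verdict, number_of_rules_evaluated, LOG rules hit).
    """
    evaluated = 0
    logged: List[str] = []
    for rule in chain.rules:
        evaluated += 1
        if not rule.match(pkt):
            continue
        if rule.target in TERMINATING:
            return rule.target, evaluated, logged   # jump, ignore the rest
        if rule.target == "LOG":
            logged.append(rule.spec)                # non-terminating, keep going
    # Fell off the bottom of the chain: the chain policy applies.
    return chain.policy, evaluated, logged


def related_established() -> Rule:
    return Rule(lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT",
                "-m state --state RELATED,ESTABLISHED -j ACCEPT")


def new_tcp(port: int) -> Rule:
    return Rule(lambda p: p.proto == "tcp" and p.dport == port and p.state == "NEW",
                "ACCEPT", f"-p tcp --dport {port} -m state --state NEW -j ACCEPT")


def log_rest() -> Rule:
    # Assumed log prefix; matches everything that reaches it.
    return Rule(lambda p: True, "LOG", '-j LOG --log-prefix "INPUT-drop: "')


def build_chain(state_rule_first: bool) -> Chain:
    """Same four rules, with the state rule either first (Klazmon's advice) or last."""
    service_rules = [new_tcp(22), new_tcp(80), log_rest()]
    rules = ([related_established()] + service_rules if state_rule_first
             else service_rules + [related_established()])
    return Chain("INPUT", "DROP", rules)


def as_iptables(chain: Chain) -> List[str]:
    """Render the model as the iptables commands it stands for."""
    cmds = [f"iptables -P {chain.name} {chain.policy}"]
    cmds += [f"iptables -A {chain.name} {r.spec}" for r in chain.rules]
    return cmds


if __name__ == "__main__":
    # Constructed sample packets: a reply on an existing connection and a new SMTP attempt.
    samples = [Packet("tcp", 443, "ESTABLISHED"), Packet("tcp", 25, "NEW")]
    for first in (True, False):
        chain = build_chain(first)
        print("\n".join(as_iptables(chain)))
        for pkt in samples:
            verdict, n, logs = traverse(chain, pkt)
            print(f"  {pkt.state:<11} dport {pkt.dport}: {verdict} after {n} rule(s), "
                  f"{len(logs)} LOG hit(s)")
        print()
```

With the state rule first, the established reply is accepted after one rule and never reaches the LOG rule; with the state rule last, the same packet is compared against every rule and is logged as if it were being dropped, so the ordering affects both CPU cost and log noise. The model's `-P INPUT DROP` line also shows the policy syntax: `-P` takes a bare target, not `-j`. On current kernels the same match is spelled `-m conntrack --ctstate RELATED,ESTABLISHED`; `-m state` is kept as an alias for it.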