Subject: Re: [44net] firewall rules at AMPR.ORG router ?
From: R P <ronenp(a)hotmail.com>
Date: 04/08/2016 08:50 PM
To: AMPRNet working group <44net(a)hamradio.ucsd.edu>
And while we are at it, can you explain what the forward chain is? In and out I can understand, but forward?
And also there are a lot of commands in the action that I don't understand besides reject, drop and accept.
Where can I find a description?
I forgot to mention this in yesterday's reply:

In the "iptables" firewall, "forward" is the path that packets take through a router.
It does not work as in a Cisco, where "forward" is just "input" followed by "output".
"input" and "output" refer to traffic to/from the router itself, like the management interface and the processing of packets by the router, e.g. for a tunnel that it has to encapsulate/decapsulate. When packets are just routed, they only pass through the "forward" table and not the "input" and "output" tables.
This can also be seen in the diagram that Marius posted.

The actions in the entry can do other things than accepting/rejecting, e.g. logging the packet.
Also a nice action that is notably missing from Cisco access lists is "jump".
You can make your own table and put some rules in it that are required only for one interface or in one particular situation, then in the normal input (or forward) table you can match on that interface or situation and jump to your custom table.
That way you do not need to put all rules in one long input table, and you can improve clarity and performance.

For example, in an IPIP router you have rules you want to apply to the external interface, and rules you want to apply to the tunnel interface (which receives traffic for 44-addresses). You can put these in a separate table and make it easier to manage.
Rob
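The layout Rob describes, as an added example that is not part of the original mail: one custom chain per interface, a main FORWARD chain that only matches the interface and jumps, and an INPUT rule for the encapsulated IPIP packets that are addressed to the router itself. The interface names (eth0 external, tunl0 tunnel) and the 44/8 network are assumptions; with DRY_RUN=1 (the default) the script prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the original mail. Builds the FORWARD chain of
# an IPIP (AMPRNet) router the way Rob describes: one custom chain per
# interface, and the main FORWARD chain only matches the interface and jumps.
# Assumed interface names: eth0 = external (Internet), tunl0 = IPIP tunnel.
# DRY_RUN=1 (the default) prints the iptables commands instead of running them.
EXT_IF="${EXT_IF:-eth0}"
TUN_IF="${TUN_IF:-tunl0}"
NET44="44.0.0.0/8"   # assumed AMPRNet address space

ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

gen_rules() {
    # Encapsulated IPIP packets (IP protocol 4) are addressed to the router
    # itself, so they traverse INPUT, not FORWARD; the decapsulated packets
    # then appear on tunl0 and go through FORWARD like any routed packet.
    ipt -A INPUT -i "$EXT_IF" -p 4 -j ACCEPT

    # Custom chains: rules for one interface live in their own chain.
    ipt -N EXT_FWD
    ipt -N TUN_FWD

    # External interface: allow replies to established flows and one
    # inbound service, log and drop everything else.
    ipt -A EXT_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A EXT_FWD -p tcp --dport 22 -j ACCEPT
    ipt -A EXT_FWD -j LOG --log-prefix "EXT_FWD-drop:"
    ipt -A EXT_FWD -j DROP

    # Tunnel interface: only 44-addresses may arrive over IPIP; anything
    # else is spoofed, gets logged and is rejected with an ICMP error.
    ipt -A TUN_FWD -s "$NET44" -j ACCEPT
    ipt -A TUN_FWD -j LOG --log-prefix "TUN_FWD-spoof:"
    ipt -A TUN_FWD -j REJECT --reject-with icmp-admin-prohibited

    # Main FORWARD chain: match the incoming interface and jump.
    ipt -A FORWARD -i "$EXT_IF" -j EXT_FWD
    ipt -A FORWARD -i "$TUN_IF" -j TUN_FWD
    ipt -P FORWARD DROP
}

gen_rules
```

Run it as root with DRY_RUN=0 to apply the rules; the printed form is convenient for review or for pasting into an existing firewall script.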