Subject: Re: [44net] firewall rules at AMPR.ORG router ?
From: R P ronenp@hotmail.com
Date: 04/08/2016 08:50 PM
To: AMPRNet working group 44net@hamradio.ucsd.edu
> And if we are talking about it, can you explain what the forward chain is? In and out I can understand, but forward? And also there are a lot of commands in the action that I don't understand besides reject, drop and accept. Where can I find a description?
I forgot to mention this in yesterday's reply:
In the "iptables" firewall, "forward" is the path that packets take through a router. It does not work as in a Cisco, where "forward" is just "input" followed by "output". "input" and "output" refer to traffic to/from the router itself, like the management interface and the processing of packets by the router, e.g. for a tunnel that it has to encapsulate/decapsulate, but when packets are just routed they only pass through the "forward" table and not the "input" and "output" tables. This can also be seen in the diagram that Marius posted.
The actions in an entry can do other things than accepting/rejecting, e.g. logging the packet. Also, a nice action that is notably missing from Cisco access lists is "jump". You can make your own table and put in it some rules that are required only for one interface or in one particular situation; then in the normal input (or forward) table you can match on that interface or situation and jump to your custom table. That way you do not need to put all the rules in one long input table, and you can improve clarity and performance.
For example, in an IPIP router you have rules you want to apply to the external interface, and rules you want to apply to the tunnel interface (which receives traffic for 44 addresses). You can put these in a separate table and make it easier to manage.
Rob
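[Editor's note: the script below is an added example illustrating the chain layout Rob describes; it is not from the list post or from any AMPRNet gateway. The interface names eth0 and tunl0, the 44.0.0.0/24 subnet behind the router, the admin host 192.0.2.10 and the per-chain LOG rules are all assumptions chosen for illustration. IPIP is IP protocol 4, and the outer packets terminate at the router, so they are matched in INPUT; the decapsulated inner packets then show up on the tunnel interface and are either routed (FORWARD) or delivered locally (INPUT). Run it with --dry-run to print the rules, --load to install them as root.]

```shell
#!/bin/sh
# Added example (not from the mailing-list post): an iptables layout for an
# IPIP gateway that keeps the per-interface rules in their own chains and
# jumps to them from INPUT and FORWARD. Interface names, the 44-net subnet
# and the admin host are assumptions for illustration only.
set -e

EXT_IF="${EXT_IF:-eth0}"            # Internet-facing interface (assumed name)
TUN_IF="${TUN_IF:-tunl0}"           # IPIP tunnel interface carrying 44/8 traffic (assumed)
LOCAL44="${LOCAL44:-44.0.0.0/24}"   # hypothetical 44-net subnet behind this router
ADMIN_HOST="${ADMIN_HOST:-192.0.2.10}"  # hypothetical admin host allowed to SSH in
IPT="${IPT:-iptables}"              # set IPT=echo for a dry run that just prints rules

build_rules() {
    # Create the custom chains (ignore "already exists") and empty them.
    for chain in EXT_IN TUN_IN TUN_FWD; do
        $IPT -N "$chain" 2>/dev/null || true
        $IPT -F "$chain"
    done
    $IPT -F INPUT
    $IPT -F FORWARD

    # INPUT: packets addressed to the router itself. Match on the inbound
    # interface and jump to the chain holding that interface's rules.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -j EXT_IN
    $IPT -A INPUT -i "$TUN_IF" -j TUN_IN
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
    $IPT -A INPUT -j DROP

    # EXT_IN: what the Internet side may send to the router. The outer IPIP
    # packets (IP protocol 4) must be accepted here, otherwise the tunnel is
    # never decapsulated. Everything else except ICMP and admin SSH is logged
    # and dropped.
    $IPT -A EXT_IN -p 4 -j ACCEPT
    $IPT -A EXT_IN -p icmp -j ACCEPT
    $IPT -A EXT_IN -p tcp --dport 22 -s "$ADMIN_HOST" -j ACCEPT
    $IPT -A EXT_IN -m limit --limit 5/min -j LOG --log-prefix "EXT_IN drop: "
    $IPT -A EXT_IN -j DROP

    # TUN_IN: decapsulated packets from other 44-net sites aimed at the router.
    $IPT -A TUN_IN -p icmp -j ACCEPT
    $IPT -A TUN_IN -p tcp --dport 22 -j ACCEPT
    $IPT -A TUN_IN -m limit --limit 5/min -j LOG --log-prefix "TUN_IN drop: "
    $IPT -A TUN_IN -j DROP

    # FORWARD: packets merely routed through the box. They never traverse
    # INPUT or OUTPUT, so the tunnel-side policy for the LAN lives here.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$TUN_IF" -d "$LOCAL44" -j TUN_FWD
    $IPT -A FORWARD -s "$LOCAL44" -o "$TUN_IF" -j ACCEPT
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD drop: "
    $IPT -A FORWARD -j DROP

    # TUN_FWD: inbound 44-net traffic destined for the LAN behind this router.
    $IPT -A TUN_FWD -p icmp -j ACCEPT
    $IPT -A TUN_FWD -p tcp --dport 80 -j ACCEPT
    $IPT -A TUN_FWD -m limit --limit 5/min -j LOG --log-prefix "TUN_FWD drop: "
    $IPT -A TUN_FWD -j REJECT --reject-with icmp-admin-prohibited
}

case "${1:-}" in
    --dry-run) IPT=echo; build_rules ;;
    --load)    build_rules ;;
esac
```

Because every rule goes through $IPT, the same function both prints the ruleset for review and loads it; the LOG targets carry a chain-specific prefix so a dropped packet in the kernel log tells you immediately which interface and which chain rejected it.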