linux_forum1 wrote:

> Hello, I have 2 questions if that's OK.
>
> INPUT DROP
> FORWARD DROP
> OUTPUT DROP
>
> -N Block
> -N Logger
> -A INPUT -j Block
> -A Block -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j Logger
> -A Logger -j LOG --log-level 4
> -A Logger -j DROP
>
> -A INPUT -i lo -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
>
> There will be more rules in Block, but I just want to understand the logic.
>
> 1.) How is -A INPUT -j Block possible before there are any rules appended to
> Block? Does that mean iptables first searches and assembles all rules that
> belong to custom chains regardless of order? Same for Logger.
Everything has an order. You can turn on line numbers and see the order. Creating a chain (Block, Logger) does not put it into order. The jump (-j) to Block, from INPUT, places the chain in order.

I note that you don't have a rule in Block to actually drop packets, and you do have a rule in Logger that drops packets. That seems... problematic to me.

> 2.)
> Would this be OK to log and drop all rules in Block?
> I am worried because there are four jumps, INPUT -> Block -> Logger -> LOG ->
> Logger -> DROP

In general, you can jump as many times as you like as long as you don't go in a circle.

Note that -j LOG continues processing on the next rule in order, unlike ACCEPT, DROP and REJECT.

If a chain ends without ACCEPT, DROP or REJECT happening, then when it ends execution picks up at the next statement in order following the jump to that chain.

Does that help?

-dsr-
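To make the traversal rules in the reply concrete, here is a small Python model (an added illustration, not code from the thread and not iptables itself) that walks the rule set quoted in the question with exactly those semantics: jumps place a user chain in order, LOG is non-terminating, and a user chain that ends without a verdict returns to the rule after the jump. The packet representation and the predicate encoding of each rule are assumptions of the model.

```python
"""Model of iptables chain traversal for the rule set in the question.
Rules are (match predicate, target) pairs in -A order; the sample packets
and the packet dict layout are constructed for this illustration."""

POLICY = {"INPUT": "DROP", "OUTPUT": "DROP", "FORWARD": "DROP"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

CHAINS = {
    "INPUT": [
        (lambda p: True, "Block"),                     # -A INPUT -j Block
        (lambda p: p.get("iif") == "lo", "ACCEPT"),    # -A INPUT -i lo -j ACCEPT
    ],
    "Block": [
        # -A Block -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j Logger
        (lambda p: p.get("proto") == "tcp"
         and {"SYN", "FIN"} <= set(p.get("flags", ())), "Logger"),
    ],
    "Logger": [
        (lambda p: True, "LOG"),    # -A Logger -j LOG --log-level 4
        (lambda p: True, "DROP"),   # -A Logger -j DROP
    ],
}


def walk(chain, packet, trace, depth=0):
    """Walk one chain; return a verdict, or None if it ends without one."""
    if depth > 16:
        raise RuntimeError("chain loop")   # iptables refuses loops at load time
    for match, target in CHAINS[chain]:
        if not match(packet):
            continue
        trace.append(f"{chain} -> {target}")
        if target in TERMINAL:
            return target
        if target == "LOG":
            continue                        # LOG: fall through to the next rule
        verdict = walk(target, packet, trace, depth + 1)
        if verdict is not None:
            return verdict                  # else resume after the jump
    return None


def decide(builtin, packet):
    """Return (verdict, trace); the chain policy applies if nothing matched."""
    trace = []
    v = walk(builtin, packet, trace)
    return (v if v is not None else POLICY[builtin]), trace
```

A SYN+FIN segment is dropped inside Logger after being logged; a loopback packet falls out of Block with no verdict and is accepted by the second INPUT rule; anything else runs off the end of INPUT and hits the DROP policy.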