Bug 83991 - iptables chains wrong/missing
Summary: iptables chains wrong/missing
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Public Beta
Classification: Retired
Component: rhl-rg
Version: phoebe
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Johnray Fuller
QA Contact: Tammy Fox
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2003-02-10 19:06 UTC by Miloslav Trmac
Modified: 2007-04-18 16:50 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-02-12 17:34:47 UTC


Attachments:

Description Miloslav Trmac 2003-02-10 19:06:07 UTC
Description of problem:
Section 14. Packet Filtering.
There are two HTML pages (chapters?) dealing with the 'filter' table and the
chains INPUT, FORWARD, OUTPUT. The second one gets it right, the first one
doesn't: INPUT and OUTPUT are only for connections involving the local
machine as an endpoint; OUTPUT doesn't include packets received and then
forwarded.

Also, my 'man iptables' states that as of 2.4.18, INPUT, FORWARD and
POSTROUTING chains have been added to the 'mangle' table.

Version-Release number of selected component (if applicable):
rhl-cg(EN)-8.0.93-HTML-RHI(2003-01-16T17:37-0400)

Comment 1 Tammy Fox 2003-02-10 19:18:11 UTC
There isn't a Packet Filtering section in the CG. Perhaps you meant the RG.

Comment 2 Miloslav Trmac 2003-02-10 19:25:48 UTC
True, I got my notes wrong. Sorry about that.

Comment 3 Johnray Fuller 2003-02-12 06:37:21 UTC
Thanks for the feedback.

I am confused, however, by what you mean by 

"There are two HTML pages (chapters?) dealing with 'filter' table and the
chains INPUT, FORWARD, OUTPUT. The second one gets it right, the first one
doesn't"

Can you give me page numbers or section headings?

"INPUT and OUTPUT are only for connections involving the local
machine as an endpoint; OUTPUT doesn't include packet received and then
forwarded."

What I have is:

    *INPUT - Applies to packets received via a network interface.

---> So I figured this implied it was an endpoint. I can be more specific.

    *OUTPUT - Applies to packets sent out via the same network interface which
received the packets.

----> I will change this to something more in line w/ the man page:

"for locally-generated packets" is what it states


As for the MANGLE table. There are 3 new chains.

INPUT (for packets coming into the box itself), FORWARD (for altering packets
being routed through the box), and POSTROUTING (for altering packets as they
are about to go out)

I almost missed that!

Thanks for the catches. I will fix the chapter STAT.

I dropped the chapter early in the release cycle, so this may explain the
mangling of the MANGLE table :-)

Johnray

Comment 4 Johnray Fuller 2003-02-12 08:03:54 UTC
Here is the updated text. Does this address all the issues you have raised?

Let me know ASAP as this chapter is final within 48 hours.

Johnray

--------------------
-BEGIN UPDATED TEXT-
--------------------

Each of these tables in turn has a group of built-in chains which correspond to
the actions performed on the packet by netfilter.

The built-in chains for the filter table are as follows:

    * INPUT - Applies to network packets that are targeted for the host.
    * OUTPUT - Applies to locally-generated network packets.
    * FORWARD - Applies to network packets routed through the host.

The built-in chains for the nat table are as follows:

    * PREROUTING - Alters network packets when they arrive.
    * OUTPUT - Alters locally-generated network packets before they are sent out.
    * POSTROUTING - Alters network packets before they are sent out.

The built-in chains for the mangle table are as follows:

    * INPUT - Alters network packets targeted for the host.
    * OUTPUT - Alters locally-generated network packets before they are sent out.
    * FORWARD - Alters network packets routed through the host.
    * PREROUTING - Alters incoming network packets before they are routed.
    * POSTROUTING - Alters network packets before they are sent out.

Every network packet received by or sent out of a Linux system is subject to at
least one table.

------------------
-END UPDATED TEXT-
------------------

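The point of the correction above (a rule in OUTPUT never sees forwarded traffic, because only the host's own packets traverse OUTPUT) is easy to get wrong in a ruleset and fails silently when you do. The following is an added example, not text from the bug report or from the Red Hat documentation it discusses: a small Python model of which (table, chain) pairs a packet traverses under the 2.4-era netfilter layout described in the updated text, with a first-match evaluation of the filter table on top. `Packet`, `Rule`, `LOCAL_ADDRS`, `path` and `filter_verdict`, the addresses, and the sample rules are all constructed for illustration; the nat table is modelled per packet here, whereas the real kernel consults it only for the first packet of a connection.

```python
"""Model of netfilter chain traversal for the filter, nat and mangle tables.

Added example, not part of the bug report or the Red Hat documentation it
discusses. Traversal order follows the standard 2.4-era netfilter layout:
a packet arriving from the network passes PREROUTING, then the routing
decision sends it to INPUT (host is the endpoint) or to FORWARD and
POSTROUTING; locally generated packets start at OUTPUT and end at
POSTROUTING. Within one hook, mangle runs before nat, and nat before filter.
Addresses, rules and packets below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: the host's own interface addresses. A packet whose destination
# is one of these is "targeted for the host" and goes to INPUT, not FORWARD.
LOCAL_ADDRS = {"192.0.2.1", "198.51.100.1"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    locally_generated: bool = False  # built by a process on this host


@dataclass(frozen=True)
class Rule:
    table: str
    chain: str
    dport: Optional[int]  # None matches any destination port
    target: str           # "ACCEPT" or "DROP"


def path(pkt: Packet) -> List[Tuple[str, str]]:
    """Return the (table, chain) pairs the packet traverses, in order."""
    if pkt.locally_generated:
        return [("mangle", "OUTPUT"), ("nat", "OUTPUT"), ("filter", "OUTPUT"),
                ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")]
    hops = [("mangle", "PREROUTING"), ("nat", "PREROUTING")]
    if pkt.dst in LOCAL_ADDRS:
        # routing decision: the host is the endpoint
        hops += [("mangle", "INPUT"), ("filter", "INPUT")]
    else:
        # routing decision: packet is forwarded; OUTPUT is never consulted
        hops += [("mangle", "FORWARD"), ("filter", "FORWARD"),
                 ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")]
    return hops


def tables_seen(pkt: Packet) -> set:
    """Which tables get a look at this packet at all."""
    return {table for table, _ in path(pkt)}


def filter_verdict(pkt: Packet, rules: List[Rule], policy: dict) -> Tuple[str, str]:
    """First-match evaluation of the filter table along the packet's path.

    Returns (chain, target): the filter chain that decided the packet and the
    verdict. Rules sitting in a chain the packet never traverses are simply
    never consulted, which is why a rule in the wrong chain fails silently.
    """
    for table, chain in path(pkt):
        if table != "filter":
            continue
        for rule in rules:
            if rule.table == "filter" and rule.chain == chain and \
                    (rule.dport is None or rule.dport == pkt.dport):
                return chain, rule.target
        return chain, policy[chain]
    raise AssertionError("every packet traverses exactly one filter chain")


FILTER_POLICY = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}

# Constructed packets: one routed through the host, one built by the host,
# one addressed to the host.
FORWARDED_TELNET = Packet(src="203.0.113.5", dst="198.51.100.77", dport=23)
LOCAL_TELNET = Packet(src="192.0.2.1", dst="203.0.113.9", dport=23,
                      locally_generated=True)
INBOUND_SSH = Packet(src="203.0.113.5", dst="192.0.2.1", dport=22)

# Reading OUTPUT as "packets sent out" suggests this rule blocks all outgoing
# telnet; it blocks only the host's own, not traffic routed through the host.
DROP_TELNET_IN_OUTPUT = [Rule("filter", "OUTPUT", 23, "DROP")]
# The chain that actually governs routed traffic.
DROP_TELNET_IN_FORWARD = [Rule("filter", "FORWARD", 23, "DROP")]


if __name__ == "__main__":
    for pkt in (INBOUND_SSH, FORWARDED_TELNET, LOCAL_TELNET):
        print(pkt.dst, "->", " ".join(f"{t}/{c}" for t, c in path(pkt)))
    print("forwarded telnet, DROP in OUTPUT :",
          filter_verdict(FORWARDED_TELNET, DROP_TELNET_IN_OUTPUT, FILTER_POLICY))
    print("forwarded telnet, DROP in FORWARD:",
          filter_verdict(FORWARDED_TELNET, DROP_TELNET_IN_FORWARD, FILTER_POLICY))
```

Running it shows the forwarded telnet packet being ACCEPTed by FORWARD's policy while the DROP rule sits unused in OUTPUT, and DROPped once the same rule is moved to FORWARD; it also confirms the closing sentence of the updated text, since every sample packet passes through all three tables. The same model shows why the bug reporter's wording matters: the only packets OUTPUT ever sees are the ones this host generated.
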
Comment 5 Miloslav Trmac 2003-02-12 15:38:09 UTC
I am confused, however, by what you mean by 

"There are two HTML pages (chapters?) dealing with 'filter' table and the
chains INPUT, FORWARD, OUTPUT. The second one gets it right, the first one
doesn't"

Can you give me page numbers or section headings?
My bad:
"Chapter 14. iptables" - the one you have just corrected
"Differences between iptables and ipchains" has had OUTPUT right.

Anyway, the updated text looks fine to me.
Thanks!

Comment 6 Johnray Fuller 2003-02-12 17:34:47 UTC
K, I'm closing this one then.

Thanks!

Johnray