47

CentOS 6.0

I'm studying iptables and am getting confused on the difference between FORWARD and OUTPUT chains. In my training documentation, it states:

If you're appending to (-A) or deleting from (-D) a chain, you'll want to apply it to network data traveling in one of three directions:

  • INPUT - All incoming packets are checked against the rules in this chain.
  • OUTPUT - All outgoing packets are checked against the rules in this chain.
  • FORWARD - All packets being sent to another computer are checked against the rules in this chain.

This confuses me because, in my mind, packets leaving for a host WOULD be outgoing. So are there scenarios where a packet would be going to another computer but NOT be "outgoing"? How would iptables distinguish between the two?

Gilles 'SO- stop being evil'
Mike B

2 Answers

45

OUTPUT is for packets that are emitted by the host. Their destination is usually another host, but can be the same host via the loopback interface, so not all packets that go through OUTPUT are in fact outgoing.

FORWARD is for packets that are neither emitted by the host nor directed to the host. They are the packets that the host is merely routing.

When you start digging into packet mangling and NAT, the full story is rather more complex.

Gilles 'SO- stop being evil'
  • Interesting... so for the purpose of my understanding, is it fair to say that OUTPUT is for packets that are "originating" from the system... and FORWARD is for packets that don't originate from the system or are destined for it and instead are going "through" the system? – Mike B Oct 18 '13 at 00:09
  • Not quite, packets that are "forwarded" are also "output" by the network interface.. just as packets are "input" before they are "forwarded".. Packet goes in, destined for foreign system, packet enters "forward" chain, iptables decides it's OK to forward, packet enters "output chain", iptables checks, sees it's "ok" to output, packet leaves.. simples! – Grizly Oct 18 '13 at 01:55
  • @Grizly No, from memory (I admit I haven't tested specifically when writing this answer) and according to the diagram I link to, a packet always goes through exactly one of the three `filter` chains (`INPUT` or `OUTPUT` or `FORWARD`). (Assuming some other chain doesn't drop it before.) The `mangle` and `nat` chains are different, maybe you were thinking of the `mangle` chain? – Gilles 'SO- stop being evil' Oct 18 '13 at 08:20
6

To my understanding:

INPUT: the dst IP is on the host, even if it has multiple ports on multiple subnets

OUTPUT: the src IP is from the host, on either port

FORWARD: neither the dst IP is on the host nor the src IP is from the host


For example, for router A:

INPUT is:

192.168.10.1 -> 192.168.10.199

192.168.10.1 -> 192.168.2.1

OUTPUT is:

192.168.10.199 -> x.x.x.x

192.168.2.1 -> x.x.x.x

FORWARD is:

192.168.10.1 -> 192.168.2.199

192.168.10.1 -> 192.168.8.1

192.168.10.1 -> 192.168.8.199

flz
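To make the rule of thumb in this answer concrete, here is an added example (not from either answer, and not iptables code) that classifies a packet by the filter-table chain it traverses on router A. It assumes router A owns 192.168.10.199 and 192.168.2.1 (the two OUTPUT sources in the table above), uses 203.0.113.7 as a constructed stand-in for x.x.x.x, and also covers the loopback case from the accepted answer: a packet the host sends to its own address is emitted through OUTPUT and, when it comes back in on lo, received through INPUT.

```python
from ipaddress import ip_address, ip_interface

# Constructed host: "router A" from the answer above. Assumption: the two
# addresses shown as OUTPUT sources (192.168.10.199, 192.168.2.1) are its own.
ROUTER_A_INTERFACES = ("192.168.10.199/24", "192.168.2.1/24")


def local_addresses(interfaces):
    """Every address the host answers to: its interface IPs plus loopback."""
    addrs = {ip_interface(i).ip for i in interfaces}
    addrs.add(ip_address("127.0.0.1"))
    return addrs


def filter_chains(src, dst, interfaces=ROUTER_A_INTERFACES):
    """Return the filter-table chain(s) a packet src -> dst traverses on this host.

    Rule of thumb from the answer: destination local -> INPUT, source local ->
    OUTPUT, neither -> FORWARD (the host is only routing it). The extra case is
    the loopback one: a packet the host sends to itself leaves through OUTPUT
    and is then received through INPUT, so it is never "outgoing" at all.
    """
    local = local_addresses(interfaces)
    s, d = ip_address(src), ip_address(dst)
    if s in local and d in local:
        return ("OUTPUT", "INPUT")
    if d in local:
        return ("INPUT",)
    if s in local:
        return ("OUTPUT",)
    return ("FORWARD",)


def rule_for(src, dst, target="ACCEPT", interfaces=ROUTER_A_INTERFACES):
    """The iptables rule(s) that would have to match for this packet to pass."""
    return [f"iptables -A {chain} -s {src} -d {dst} -j {target}"
            for chain in filter_chains(src, dst, interfaces)]


if __name__ == "__main__":
    # Constructed sample flows, one per chain plus the loopback case.
    for src, dst in [("192.168.10.1", "192.168.10.199"),
                     ("192.168.10.199", "203.0.113.7"),
                     ("192.168.10.1", "192.168.2.199"),
                     ("192.168.2.1", "192.168.10.199")]:
        print(f"{src:>15} -> {dst:<15} {filter_chains(src, dst)}")
```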