iptables -j vs. -g parameters

From the man page of my distro, I am especially interested in the bold part below.

-j, --jump target

This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule (and -g is not used), then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.

-g, --goto chain

This specifies that the processing should continue in a user specified chain. Unlike the --jump option, return will not continue processing in this chain but instead in the chain that called us via --jump.

I fear I misunderstand what -g actually does.

How exactly is -g now different from -j?

asked Jul 24 '15 09:07 by sjas



1 Answer

When a matched rule in a current chain specifies the target RETURN, or when the end of the current chain is reached, processing continues in the previous chain that jumped to the current chain, traversing it from the next rule that was still not processed, i.e. the rule below the one that actually specified the current chain as its target and triggered the jump to the current chain.

However, if the jump to the current chain was done via -g (rather than via -j), processing would not continue in that previous chain, but rather in the chain before that, assuming the jump there was done with -j. If that is also not the case (i.e. even there -g was used), then the chain before that would be taken into account, and so on. In other words, the most recent chain that actually specified the next chain with -j, rather than with -g, would be processed next.

If no such chain is found (i.e. all chains up to and including the built-in chain specified -g), or the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the built-in chain policy determines the fate of the packet.

answered Sep 18 '22 12:09 by Yoel
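The traversal described in the man page excerpt and in the answer above can be made concrete with a small simulator. The following is an added example, not code from the question, the answer or the iptables project: it models a packet walking a constructed ruleset in which every rule is marked as matching, and compares where RETURN lands when the same user chain is entered with -j versus -g. The chain names (INPUT, A, B), the rules and the policy are constructed for illustration; the only state the simulator keeps is the list of pending -j callers, which is exactly what -g leaves untouched.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    match: bool            # does the packet match this rule? (constructed flag)
    target: Optional[str]  # user chain name, ACCEPT, DROP, RETURN, or None (no -j/-g)
    goto: bool = False     # True models -g/--goto, False models -j/--jump


def traverse(chains: Dict[str, List[Rule]], policy: str, start: str) -> Tuple[str, List[str]]:
    """Walk the ruleset from built-in chain `start`; return (verdict, trace).

    `policy` is the built-in chain's policy, used when the packet runs off the end
    of the built-in chain, hits RETURN there, or RETURNs with no -j caller left.
    """
    trace: List[str] = []
    callers: List[Tuple[str, int]] = []   # (chain, next rule index) pushed only by -j
    chain, idx = start, 0
    while True:
        rules = chains[chain]
        if idx >= len(rules):
            # End of chain: behaves like an implicit RETURN.
            trace.append(f"end of {chain}")
            if callers:
                chain, idx = callers.pop()
                continue
            trace.append(f"no -j caller left: policy {policy}")
            return policy, trace
        rule = rules[idx]
        idx += 1
        if not rule.match or rule.target is None:
            continue                      # counters only, packet fate unchanged
        t = rule.target
        if t in ("ACCEPT", "DROP"):
            trace.append(f"{chain}: {t}")
            return t, trace
        if t == "RETURN":
            trace.append(f"{chain}: RETURN")
            if callers:
                chain, idx = callers.pop()   # resume after the -j rule that called us
                continue
            trace.append(f"no -j caller left: policy {policy}")
            return policy, trace
        # Target is a user-defined chain.
        if rule.goto:
            trace.append(f"{chain} -g {t}")   # -g: do NOT remember this chain
        else:
            trace.append(f"{chain} -j {t}")
            callers.append((chain, idx))    # -j: RETURN comes back to rule idx here
        chain, idx = t, 0


# Constructed rulesets (every rule matches). Only the A -> B transition differs.
CHAINS_JUMP = {
    "INPUT": [Rule(True, "A"), Rule(True, "ACCEPT")],
    "A":     [Rule(True, "B"), Rule(True, "DROP")],
    "B":     [Rule(True, "RETURN")],
}
CHAINS_GOTO = {
    "INPUT": [Rule(True, "A"), Rule(True, "ACCEPT")],
    "A":     [Rule(True, "B", goto=True), Rule(True, "DROP")],
    "B":     [Rule(True, "RETURN")],
}
# Every hop uses -g, so RETURN in B has no -j caller and the policy decides.
CHAINS_ALL_GOTO = {
    "INPUT": [Rule(True, "A", goto=True), Rule(True, "ACCEPT")],
    "A":     [Rule(True, "B", goto=True), Rule(True, "DROP")],
    "B":     [Rule(True, "RETURN")],
}


def run_all() -> Dict[str, str]:
    """Verdict for the same packet under each ruleset (policy DROP on INPUT)."""
    return {
        "jump": traverse(CHAINS_JUMP, "DROP", "INPUT")[0],
        "goto": traverse(CHAINS_GOTO, "DROP", "INPUT")[0],
        "all_goto": traverse(CHAINS_ALL_GOTO, "DROP", "INPUT")[0],
    }


if __name__ == "__main__":
    for name, chains in (("jump", CHAINS_JUMP), ("goto", CHAINS_GOTO), ("all_goto", CHAINS_ALL_GOTO)):
        verdict, trace = traverse(chains, "DROP", "INPUT")
        print(f"{name:9s} {verdict:6s} {' -> '.join(trace)}")
```

With -j, the RETURN in B resumes A at its second rule and the packet is dropped there. With -g, A was never recorded as a caller, so the RETURN skips A entirely and resumes INPUT, which accepts the packet; the DROP in A is silently bypassed. When every hop is -g, nothing is left to return to and the built-in chain's policy applies. The practical risk is the middle case: a rule placed after a --goto in a chain is dead code for any packet that takes the goto, which is easy to miss when auditing a ruleset that mixes -j and -g.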