
Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a 'target', which may be a jump to a user-defined chain in the same table.

How shall I understand the concept of a chain?

Is a chain a fixed list of rules?

How shall I define/specify and use a chain? For example,

-A, --append chain rule-specification

Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.

In the following commands, is INPUT the name of a chain? Is it a name that I can give arbitrarily? Does this chain have exactly two rules? Thanks.

iptables -A INPUT -p tcp -s localhost --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j DROP
Tim

1 Answer


Iptables chains are just lists of rules, processed in order. They can be one of the fixed built-in ones (INPUT, OUTPUT, FORWARD in the default filter table, some others in e.g. the nat table), or user-defined ones, which can then be called from others.

As the -A (append), -I (insert) and -D (delete) commands imply, the rules in the chains are freely editable, they're not fixed.

In the following commands, is INPUT the name of a chain?

Yes.

Is it a name that I can give arbitrarily?

That one isn't, it's the built-in chain that contains rules for packets entering the system (destined for processes running on the host). The other two in the default filter table are OUTPUT (packets coming from the system, obviously), and FORWARD (routed packets).

The man page iptables(8) has the descriptions of the tables and their built-in chains (under TABLES).

Of course you could place any rules for input packets in an arbitrary user-defined chain, then you'd just need to add a rule to INPUT referring to that chain. (e.g. iptables -A INPUT -j mychain would jump to mychain and process any rules there.)

Does this chain have exactly two rules?

We don't know that. Those two commands append two rules to the chain. But there might be others that were already there before those commands were run.

If you had iptables -F INPUT as the first command before those two, then the result would be that only those two rules remained.

See also: How iptables tables and chains are traversed, which contains links to all you never needed to know about this, e.g. https://stuffphilwrites.com/2014/09/iptables-processing-flowchart/. (You may want to ignore the raw and mangle tables to start with, they're not that often needed.)

ilkkachu
    This part is the main point I think:

    Of course you could place any rules for input packets in an arbitrary user-defined chain, then you'd just need to add a rule to INPUT referring to that chain.

    – therealak12 Jul 23 '21 at 12:24
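To make the answer's model of chains concrete, here is a small Python simulation of how the filter table walks INPUT, jumps into a user-defined chain, falls back to the next rule when that chain makes no decision, and applies the chain policy at the end. It is an added example, not iptables itself or anything from the answer: it understands only the options used on this page (-A, -I, -N, -F, -P, -p, -s, --dport, -j), the chain name `mail-in`, the pre-existing port-22 rule and the sample packets are all constructed for the illustration, and name resolution is a one-entry stand-in for what real iptables does when a rule is added.

```python
"""Toy model of iptables filter-table chain traversal (added example, not iptables)."""
import shlex
from dataclasses import dataclass, field
from typing import Optional

BUILTIN = ("INPUT", "OUTPUT", "FORWARD")   # fixed chains of the filter table
TERMINAL = ("ACCEPT", "DROP", "REJECT")    # verdicts that end traversal
HOSTS = {"localhost": "127.0.0.1"}         # stand-in for the resolver iptables uses on -s/-d


@dataclass
class Rule:
    proto: Optional[str]
    src: Optional[str]
    dport: Optional[int]
    target: str                            # ACCEPT/DROP/REJECT/RETURN or a user chain name

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or self.proto == pkt["proto"])
                and (self.src is None or self.src == pkt["src"])
                and (self.dport is None or self.dport == pkt["dport"]))


def parse_rule(tokens: list) -> Rule:
    """Parse the rule-specification part of an iptables command line (subset)."""
    proto = src = dport = target = None
    it = iter(tokens)
    for tok in it:
        if tok == "-p":
            proto = next(it)
        elif tok == "-s":
            src = HOSTS.get(next(it), None) or src   # names are resolved when the rule is added
        elif tok == "--dport":
            dport = int(next(it))
        elif tok == "-j":
            target = next(it)
        else:
            raise ValueError(f"option not modelled: {tok}")
    if target is None:
        raise ValueError("rule needs a -j target")
    return Rule(proto, src, dport, target)


@dataclass
class FilterTable:
    chains: dict = field(default_factory=lambda: {c: [] for c in BUILTIN})
    policy: dict = field(default_factory=lambda: {c: "ACCEPT" for c in BUILTIN})

    def run(self, cmdline: str) -> None:
        """Apply one iptables command line to the table."""
        args = shlex.split(cmdline)
        if args and args[0] == "iptables":
            args = args[1:]
        op, rest = args[0], args[1:]
        if op == "-N":                       # new, empty user-defined chain
            if rest[0] in self.chains:
                raise ValueError(f"chain {rest[0]} already exists")
            self.chains[rest[0]] = []
        elif op == "-F":                     # flush one chain, or every chain if none named
            for name in (rest or list(self.chains)):
                self.chains[name].clear()
        elif op == "-P":                     # only built-in chains carry a policy
            chain, verdict = rest
            if chain not in BUILTIN:
                raise ValueError("only built-in chains have a policy")
            self.policy[chain] = verdict
        elif op in ("-A", "-I"):
            chain, spec, pos = rest[0], rest[1:], 0
            if op == "-I" and spec and spec[0].isdigit():   # -I chain [rulenum] rule-spec
                pos, spec = int(spec[0]) - 1, spec[1:]
            rule = parse_rule(spec)
            if rule.target not in TERMINAL + ("RETURN",) and rule.target not in self.chains:
                raise ValueError(f"no target or chain named {rule.target}")  # iptables refuses too
            if op == "-A":
                self.chains[chain].append(rule)
            else:
                self.chains[chain].insert(pos, rule)
        else:
            raise ValueError(f"command not modelled: {op}")

    def verdict(self, pkt: dict, chain: str = "INPUT", depth: int = 0) -> Optional[str]:
        """Walk a chain in order; the first matching terminal target wins."""
        if depth > 32:
            raise RuntimeError("jump loop")      # real iptables rejects loops at insert time
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                break
            sub = self.verdict(pkt, rule.target, depth + 1)
            if sub is not None:                  # the user chain decided
                return sub
            # user chain ran off its end without a verdict: carry on with the next rule here
        # end of chain: a built-in chain falls back to its policy, a user chain returns to its caller
        return self.policy[chain] if chain in BUILTIN else None


def packet(src: str, dport: int) -> dict:
    return {"proto": "tcp", "src": src, "dport": dport}       # constructed sample packet


def demo() -> dict:
    """The page's two SMTP rules, moved into a user chain that INPUT jumps to."""
    t = FilterTable()
    t.run("iptables -A INPUT -p tcp --dport 22 -j ACCEPT")    # assume this was already there
    t.run("iptables -N mail-in")
    t.run("iptables -A mail-in -p tcp -s localhost --dport 25 -j ACCEPT")
    t.run("iptables -A mail-in -p tcp --dport 25 -j DROP")
    t.run("iptables -A INPUT -j mail-in")
    t.run("iptables -P INPUT DROP")                           # anything unmatched is dropped
    before = {"local_smtp": t.verdict(packet("127.0.0.1", 25)),
              "remote_smtp": t.verdict(packet("203.0.113.7", 25)),
              "remote_ssh": t.verdict(packet("203.0.113.7", 22)),
              "remote_http": t.verdict(packet("203.0.113.7", 80)),
              "input_rules": len(t.chains["INPUT"])}
    t.run("iptables -F INPUT")                                # flushes INPUT only
    after = {"input_rules": len(t.chains["INPUT"]),
             "mail_in_rules": len(t.chains["mail-in"]),
             "remote_ssh": t.verdict(packet("203.0.113.7", 22))}   # only the policy is left
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Two things the walk-through shows that the prose only states: a packet for port 80 enters `mail-in`, matches nothing there, comes back to INPUT and is dropped by the policy rather than by any rule; and `-F INPUT` empties INPUT alone, so the two rules in `mail-in` survive (orphaned, since nothing jumps to them any more) while the SSH packet now hits the DROP policy.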