[wplug] iptables

James O'Kane jo2y at midnightlinux.com
Mon Dec 8 17:04:10 EST 2003


On Mon, 8 Dec 2003, Jason Dunn wrote:

> Hey everyone, I was wondering if anyone could help me out with a 
> question?  - No that wasn't the question.  Does anyone know what the 
> purpose of a user-defined chain is in iptables?  I've only seen a 
> handful of comments about them on the net, but none of them say what 
> it's really for.  Can you give me an example as to what it would be 
> useful for?

I think of them as similar to function calls in programming languages. 
They allow you to consolidate similar rules. In a single machine setup, 
I'm not sure they are as useful, but I can think of several in the case 
where the machine running iptables is a firewall between a group of 
machines and the world. 

To use an example from work, I have a group of 80 machines that I want to 
add a rule to periodically, in this case, I want to add a -j MARK so 
they'll match later rules I have, but sometimes I want to add other rules 
to the group. What I did was add a user-defined table which I'll call 
group1, then in the PREROUTING of the mangle table, I add a -j group1 for 
each IP of those 80 machines.
In the group1 table, I can add and remove a single -j MARK rule and it 
affects all 80 machines instead.

Eventually I plan to clean up this example and add it to my IPTables talk, 
but I haven't had time yet.

Another use might be if you wanted to block incoming port 25 to a group of 
machines that are known spammers, instead of adding explicit rules that 
match each mail server to each spammer, you could arrange for each 
mailserver's traffic to follow a user-defined chain that lists all of the 
spammers' IP addresses. (Note: This should probably only be done in an 
extreme case, as it could block other legitimate access.)

-james
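The two layouts James describes (a group1 chain in the mangle table, and a spammers chain that each mail server's port-25 traffic is sent through), as an added example that is not from the original post. The script is a dry run by default: it echoes the iptables commands unless IPT is set to the real binary, and the addresses are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. IPT defaults to a dry run
# that prints each iptables command; set IPT=iptables (as root) to apply.
IPT="${IPT:-echo iptables}"

# Constructed sample addresses (the post has 80 hosts in group1).
GROUP1_HOSTS="192.0.2.10 192.0.2.11 192.0.2.12"
MAIL_SERVERS="192.0.2.25 192.0.2.26"
SPAMMERS="198.51.100.7 198.51.100.8"

# Create the user-defined chain once, then send each host's packets to it
# from PREROUTING in the mangle table. -N fails if the chain already
# exists, so that error is tolerated.
setup_group1() {
    $IPT -t mangle -N group1 2>/dev/null || true
    for ip in $GROUP1_HOSTS; do
        $IPT -t mangle -A PREROUTING -s "$ip" -j group1
    done
}

# One MARK rule in group1 now applies to every host that jumps there.
mark_group1() {
    $IPT -t mangle -A group1 -j MARK --set-mark "$1"
}

# Undoing it is also a single rule, not one per host.
unmark_group1() {
    $IPT -t mangle -D group1 -j MARK --set-mark "$1"
}

# Second layout: list the spammer addresses once in their own chain and
# send each mail server's incoming port-25 traffic through it, instead of
# one mailserver x spammer rule per pair.
setup_spammers() {
    $IPT -N spammers 2>/dev/null || true
    for ip in $SPAMMERS; do
        $IPT -A spammers -s "$ip" -j DROP
    done
    for ms in $MAIL_SERVERS; do
        $IPT -A FORWARD -d "$ms" -p tcp --dport 25 -j spammers
    done
}
```

Run it with IPT unset to review the generated rules before applying them on a real firewall.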