I have a question about security in iptables.
Is it safe to give the ACCEPT policy to the FORWARD chain? I mean, if a packet gets there, it has come through the PREROUTING table, and in PREROUTING you only change the destination IP of a packet if you "like it".
All packets that get into FORWARD were matched against one of the rules in PREROUTING, right?
If a packet does not match any rules in your PREROUTING chain, there is nothing to prevent it from hitting your FORWARD chain, unless you set the default PREROUTING policy to DROP.

Packets only go to the INPUT chain if their destination address is an address that belongs to a local interface on your host. Otherwise, they go to the FORWARD chain, and if they pass that chain AND the ip_forward sysctl is enabled, your system will forward them based on your routing table.

Your system may receive packets that are not destined for a local interface. This is how basic routing works: when your system wants to contact, say, Google's DNS server at 8.8.8.8, packets are sent to your local default gateway, which receives and routes them even though the destination address is somewhere else entirely.
Your system may explicitly route traffic for physical networks to which it is attached or for containers or virtual machines hosted on the system. All of these involve your system accepting and forwarding packets that do not match a local interface.
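As an added example (not code from the question or the answer above), here is a ruleset in iptables-restore format that applies the answer's point the defensive way: FORWARD defaults to DROP, so a packet that matched nothing in PREROUTING is not routed unless a FORWARD rule explicitly accepts it. The interface names, the LAN subnet and the helper function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the thread's own code. LAN_IF, WAN_IF and LAN_NET are
# assumed values; override them in the environment to match your host.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the filter table for iptables-restore. The FORWARD policy is DROP, so
# only the two explicit ACCEPT rules below let traffic through the router.
print_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Report the ip_forward sysctl (1 = kernel forwards, 0 = it does not).
# Prints "unknown" where /proc/sys is not readable, e.g. on non-Linux hosts.
ip_forward_state() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        cat /proc/sys/net/ipv4/ip_forward
    else
        echo unknown
    fi
}

# Count FORWARD rules ending in ACCEPT: each is an explicit exception to the
# DROP policy and is the set of lines worth reviewing when auditing the box.
count_forward_accepts() {
    print_ruleset | grep -c '^-A FORWARD .*-j ACCEPT$'
}

# Parse the ruleset without committing it (needs root and iptables-restore);
# skipped quietly when the tool is unavailable, so this is safe to run anywhere.
check_ruleset() {
    if command -v iptables-restore >/dev/null 2>&1; then
        print_ruleset | iptables-restore --test
    else
        echo "iptables-restore not found; skipping syntax check" >&2
    fi
}
```

To apply it for real, pipe print_ruleset into iptables-restore as root; without the ip_forward sysctl enabled the FORWARD chain is never consulted for transit traffic in the first place.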