Iptables INPUT, OUTPUT and FORWARD chains

I believe you are asking the wrong question. eth1 interface is not part of eth0_input, and eth0_output is not part of eth0_forward - although they may be related in your configuration

eth0 and eth1 are interfaces.
eth0_input, eth0_output and eth0_forward are constructs created by your configuration rules, and while descriptive are entirely arbitrary.

Rules are separate to interfaces, although they interact with them.

In general -

Packets destined to the local machine are handled by the INPUT chain. Relatedly, Packets originating from the local machine (ignoring NAT) are handled with the OUTPUT chain.
Packets from other machines behind the router go through the FORWARD chain.

You will most likely find that eth0_forward chain has been used to control what servers & ports are exposed to the Internet, ie traffic originating from eth0 will be traffic from the world, and should only be allowed if - It corresponds to an outbound stream (ie caught by an earlier ESTABLISHED,RELATED rule) or is to a known port on a known system - in which case it should be allowed or rejected before it reaches eth1. THE RULE AS WRITTEN DEALS WITH TRAFFIC FROM THE WORLD BEFORE IT GETS TO THE LAN SIDE OF THE FIREWALL.

davidgo

Posted 2017-11-13T02:01:08.753

Reputation: 49 152

So eth1 is part of the LOCAL machine and hence part of the INPUT and OUTPUT chains? – Jobst – 2017-11-13T22:59:10.827

1Sort of. eth1 is an interface known to the local machine. Its not part of the Input or Output chains - the kernel directs the packet through those chains. It could equally be a tunnel, PPP or VLAN. It is not part of the Input or Output chains. When a packet comes in to eth1 and its destination is known to the local machine, the kernel routes it through the INPUT chain. When a packet originating from the local machine goes out eth1 it is sent through the OUTPUT chain . – davidgo – 2017-11-13T23:03:28.833

Been using iptables for a long time, never thought about the second interface of a two-homed machine as - really - eth0 is the firewall and eth1 is just "a thing" to route the packets to/from the computers behind it. Always thought the second interface of a dual-homed machine would be included by the forward chain ... maybe the netfilter team has to include diagrams about multi-homed machines - or maybe it's just me. – Jobst – 2017-11-13T23:56:59.890

Mmmmh "fundamentally flawed" and "single homed". I can have more than one INPUT chain (one for each interface), I can have two OUTPUT chains (one for each interface) and I can have two FOWARD chains (again one for each interface), also iptables does not care whether its INTERNET or LAN, from the hosts point of few I can still block/unblock each network (if I wish to do so).\ – Jobst – 2017-11-14T01:16:32.560

I'm not wanting to have an argument - I answer this on the assumption you are asking the question to learn - you have 1 INPUT chain per table - so ignoring the Mangle table 1 INPUT chain. You can have multiple rules in a chain - http://www.thegeekstuff.com/2011/01/iptables-fundamentals/ With respect of multihomed and single homed, maybe the most intuitive answer is at https://www.pcmag.com/encyclopedia/term/47460/multihomed

– davidgo – 2017-11-14T01:32:13.077

Well http://www.thegeekstuff.com/2011/01/iptables-fundamentals/ makes the same incorrect assumption as I did: "FORWARD chain – Packet for another NIC on the local server. For packets routed through the local server." ... My question was all about exactly that and not whether my understanding of iptables was fundamentally flawed. There seems to be a misunderstanding for many people about the kernels involvement of getting packages to the second interface.

– Jobst – 2017-11-14T01:41:59.517

Iptables INPUT, OUTPUT and FORWARD chains

Answers