@ekc
Last active November 16, 2024 17:57
iptables-jump-vs-goto
[root@localhost iptables]# cat jump-goto.sh
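#!/bin/bash
#
# Demonstrate how iptables -j (jump) and -g (goto) differ when a RETURN
# fires inside a user-defined chain.  Every rule matches ICMP echo
# requests (all but two of them only from one source address) and each
# step writes a LOG entry, so the traversal order can be read off the
# packet counters of `iptables -vnL --line` and the kernel log.
#
# Usage:  jump-goto.sh [SOURCE_ADDR]     (default: 192.168.121.1)
#
# CAUTION: this flushes every rule in the filter table and deletes all
# user-defined chains in it, so whatever firewall the host had is gone
# once it runs.  Use it on a throwaway test machine only.

set -euo pipefail

# Host whose echo requests are traced through the chains.
src=${1:-192.168.121.1}
readonly src

# iptables needs privileges; fail before touching the ruleset rather
# than half-way through rebuilding it.
if (( EUID != 0 )); then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi
if ! command -v iptables >/dev/null; then
  printf '%s: iptables not found in PATH\n' "${0##*/}" >&2
  exit 1
fi

# Shared match expressions (kept in arrays so the source address stays
# a single, quoted word).
echo_from_src=(-p icmp -s "$src" --icmp-type echo-request)
echo_any=(-p icmp --icmp-type echo-request)

# Flush all chains in the filter table, then delete the user-defined
# chains (-X only removes chains that are empty and unreferenced, hence
# the -F first).
iptables -F
iptables -X
# Create the user-defined chains UD_A, UD_B and UD_C.
iptables -N UD_A
iptables -N UD_B
iptables -N UD_C

# INPUT: jump (-j) into UD_A.  Rule 4 drops any echo request that comes
# back here without having been accepted further down.
iptables -A INPUT "${echo_from_src[@]}" -j LOG --log-prefix "INPUT-1:"
iptables -A INPUT "${echo_from_src[@]}" -j UD_A
iptables -A INPUT "${echo_from_src[@]}" -j LOG --log-prefix "INPUT-2:"
iptables -A INPUT "${echo_any[@]}" -j DROP
iptables -A INPUT "${echo_any[@]}" -j LOG --log-prefix "INPUT-3:"

# UD_A: goto (-g) UD_B.  A chain entered with -g does not return to the
# chain that did the goto; its RETURN continues in the chain that last
# did a -j (INPUT here).  So once UD_B returns, "UD_A-2:" is never logged.
iptables -A UD_A "${echo_from_src[@]}" -j LOG --log-prefix "UD_A-1:"
iptables -A UD_A "${echo_from_src[@]}" -g UD_B
iptables -A UD_A "${echo_from_src[@]}" -j LOG --log-prefix "UD_A-2:"

# UD_B: jump (-j) into UD_C, then RETURN.  UD_C was entered with -j, so
# its RETURN comes back here and "UD_B-2:" is logged; the RETURN in rule 4
# then leaves for INPUT (see UD_A above), so "UD_B-3:" is never reached.
iptables -A UD_B "${echo_from_src[@]}" -j LOG --log-prefix "UD_B-1:"
iptables -A UD_B "${echo_from_src[@]}" -j UD_C
iptables -A UD_B "${echo_from_src[@]}" -j LOG --log-prefix "UD_B-2:"
iptables -A UD_B "${echo_from_src[@]}" -j RETURN
iptables -A UD_B "${echo_from_src[@]}" -j LOG --log-prefix "UD_B-3:"

# UD_C: RETURN immediately after the first LOG, so the ACCEPT and DROP
# below it are never evaluated for the traced packets.
iptables -A UD_C "${echo_from_src[@]}" -j LOG --log-prefix "UD_C-1:"
iptables -A UD_C "${echo_from_src[@]}" -j RETURN
iptables -A UD_C "${echo_from_src[@]}" -j LOG --log-prefix "UD_C-2:"
iptables -A UD_C "${echo_from_src[@]}" -j ACCEPT
iptables -A UD_C "${echo_from_src[@]}" -j LOG --log-prefix "UD_C-3:"
iptables -A UD_C "${echo_from_src[@]}" -j DROP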
[root@localhost iptables]#
[root@localhost iptables]# ./jump-goto.sh
[root@localhost iptables]#
[root@localhost iptables]# watch iptables -vnL --line
Every 2.0s: iptables -vnL --line                                                                                                  Sun Apr 19 06:08:42 2020

Chain INPUT (policy ACCEPT 9866 packets, 535K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        2   168 LOG        icmp --  *      *       192.168.121.1        0.0.0.0/0            icmptype 8 LOG flags 0 level 4 prefix "INPUT-1:"
2        2   168 UD_A       icmp --  *      *       192.168.121.1        0.0.0.0/0            icmptype 8
3        2   168 LOG        icmp --  *      *       192.168.121.1        0.0.0.0/0            icmptype 8 LOG flags 0 level 4 prefix "INPUT-2:"
4        2   168 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
5        0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 LOG flags 0 level 4 prefix "INPUT-3:"

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 9434 packets, 850K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain UD_A (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        2   168 LOG        icmp --  *      *       192.168.121.1        0.0.0.0/0            icmptype 8 LOG flags 0 level 4 prefix "UD_A-1:"
2        2   168 UD_B       icmp --  *      *       192.168.121.1        0.0.0.0/0           [goto]  icmptype 8
3        0     0 LOG        icmp --  *      *       192.168.121.1        0.0.0.0/0            icmptype 8 LOG flags 0 level 4 prefix "UD_A-2:"

Chain UD_B (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        2   168 LOG        icmp --  *      *       192.168.121.1        0.0.0.0/0            icmptype 8 LOG flags 0 level 4 prefix "UD_B-1:"
2        2   168 UD_C       icmp --  *      *       192.168.121.1        0.0.0.0/0            icmptype 8
3        2   168 LOG        icmp --  *      *       192.168.121.1        0.0.0.0/0            icmptype 8 LOG flags 0 level 4 prefix "UD_B-2:"
4        2   168 RETURN     icmp --  *      *       192.168.121.1        0.0.0.0/0            icmptype 8
5        0     0 LOG        icmp --  *      *       192.168.121.1        0.0.0.0/0            icmptype 8 LOG flags 0 level 4 prefix "UD_B-3:"

Chain UD_C (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        2   168 LOG        icmp --  *      *       192.168.121.1        0.0.0.0/0            icmptype 8 LOG flags 0 level 4 prefix "UD_C-1:"
2        2   168 RETURN     icmp --  *      *       192.168.121.1        0.0.0.0/0            icmptype 8
3        0     0 LOG        icmp --  *      *       192.168.121.1        0.0.0.0/0            icmptype 8 LOG flags 0 level 4 prefix "UD_C-2:"
4        0     0 ACCEPT     icmp --  *      *       192.168.121.1        0.0.0.0/0            icmptype 8
5        0     0 LOG        icmp --  *      *       192.168.121.1        0.0.0.0/0            icmptype 8 LOG flags 0 level 4 prefix "UD_C-3:"
[ekc@rhcsa01 ~]$ ping -c 2 192.168.121.225
PING 192.168.121.225 (192.168.121.225) 56(84) bytes of data.
64 bytes from 192.168.121.225: icmp_seq=1 ttl=64 time=48.3 ms
64 bytes from 192.168.121.225: icmp_seq=2 ttl=64 time=58.4 ms

--- 192.168.121.225 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 48.371/53.433/58.495/5.062 ms
[ekc@rhcsa01 ~]$ 
[ekc@rhcsa01 ~]$ ping -c 2 192.168.121.225
PING 192.168.121.225 (192.168.121.225) 56(84) bytes of data.

--- 192.168.121.225 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms

[ekc@rhcsa01 ~]$