First, let's look at what happens when a UDP datagram for one of our hosts is received. Figure 9.5 illustrates the flow through the rules.

Figure 9.5: The sequence of rules tested for a received UDP datagram

The datagram is received by the input chain and falls through the first two rules because they match the ICMP and TCP protocols, respectively. It matches the third rule in the input chain, but that rule doesn't specify a target, so only its datagram and byte counters are updated; no other action takes place. The datagram reaches the end of the input chain, meets the default input chain policy, and is denied.

To see our user-defined chain in operation, let's now consider what happens when we receive a TCP datagram destined for the ssh port of one of our hosts. The sequence is shown in Figure 9.6.

Figure 9.6: The rules flow for a received TCP datagram for ssh

This time the second rule in the input chain does match, and it specifies a target of tcpin, our user-defined chain. Specifying a user-defined chain as a target causes the datagram to be tested against the rules in that chain, so the next rule tested is the first rule in the tcpin chain. The first rule matches any datagram that has a source address outside our local network and specifies no target, so it too is an accounting rule, and testing falls through to the next rule. The second rule in our tcpin chain does match and specifies a target of ACCEPT. We have arrived at a target, so no further firewall processing occurs: the datagram is accepted.

Finally, let's look at what happens when we reach the end of a user-defined chain. To see this, we'll map the flow for a TCP datagram destined for a port other than the two we are handling specifically, as shown in Figure 9.7.
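The three walks described above (a UDP datagram falling to the default policy, a TCP datagram for ssh accepted inside tcpin, and a TCP datagram for some other port running off the end of tcpin) can be reproduced with a small model of the ipchains traversal rules. The following is an added example written for this page, not code from the guide or from ipchains itself. The chain layout mirrors the text (an input chain with ICMP, TCP-to-tcpin and UDP-accounting rules, default policy DENY; a tcpin chain with an accounting rule for external sources and ACCEPT rules for ssh and one further port); the local network 172.16.1.0/24, the second accepted port 80, and the sample datagrams are constructed assumptions. The behaviour at the end of a user-defined chain, where ipchains resumes at the rule after the jump in the calling chain, is modelled in `walk`.

```python
"""Model of ipchains rule traversal: accounting rules, jumps to
user-defined chains, return at the end of a user-defined chain, and the
default policy at the end of a built-in chain.  Added example; the chain
layout follows the page, addresses and ports are constructed."""
from ipaddress import ip_address, ip_network
from typing import Optional

VERDICTS = ("ACCEPT", "DENY", "REJECT")


class Rule:
    def __init__(self, proto=None, src=None, src_negate=False, dport=None, target=None):
        self.proto = proto            # "tcp", "udp", "icmp" or None for any protocol
        self.src = src                # source network (CIDR) or None
        self.src_negate = src_negate  # True means "source NOT in src" (ipchains -s !)
        self.dport = dport            # destination port or None
        self.target = target          # verdict, user-defined chain, or None (accounting only)
        self.packets = 0              # datagram counter, updated on every match
        self.bytes = 0                # byte counter, updated on every match

    def matches(self, pkt: dict) -> bool:
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.src:
            in_net = ip_address(pkt["src"]) in ip_network(self.src)
            if in_net == self.src_negate:   # negation flips the sense of the test
                return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


class Firewall:
    def __init__(self):
        self.chains = {"input": [], "output": [], "forward": []}
        self.policy = {"input": "ACCEPT", "output": "ACCEPT", "forward": "ACCEPT"}

    def new_chain(self, name: str):
        self.chains[name] = []

    def set_policy(self, chain: str, policy: str):
        self.policy[chain] = policy

    def append(self, chain: str, rule: Rule):
        self.chains[chain].append(rule)

    def walk(self, chain: str, pkt: dict, trace: list) -> Optional[str]:
        """Test pkt against one chain.  Returns a verdict, or None when the
        end of the chain is reached without one (caller decides what that means)."""
        for i, rule in enumerate(self.chains[chain]):
            if not rule.matches(pkt):
                continue
            rule.packets += 1
            rule.bytes += pkt["len"]
            if rule.target is None:
                trace.append(f"{chain}[{i}] matched: accounting only, fall through")
                continue
            if rule.target in VERDICTS:
                trace.append(f"{chain}[{i}] matched: target {rule.target}")
                return rule.target
            trace.append(f"{chain}[{i}] matched: jump to chain {rule.target}")
            verdict = self.walk(rule.target, pkt, trace)
            if verdict is not None:
                return verdict
            # End of a user-defined chain: resume with the next rule here.
            trace.append(f"end of {rule.target}: return to {chain}")
        return None

    def verdict(self, chain: str, pkt: dict):
        trace = []
        v = self.walk(chain, pkt, trace)
        if v is None:   # end of a built-in chain: the default policy applies
            v = self.policy[chain]
            trace.append(f"end of {chain}: default policy {v}")
        return v, trace


def build_example() -> Firewall:
    """Chain layout from the page; network and ports are constructed."""
    fw = Firewall()
    fw.set_policy("input", "DENY")
    fw.new_chain("tcpin")
    fw.append("tcpin", Rule(src="172.16.1.0/24", src_negate=True))   # count external sources
    fw.append("tcpin", Rule(proto="tcp", dport=22, target="ACCEPT"))  # ssh
    fw.append("tcpin", Rule(proto="tcp", dport=80, target="ACCEPT"))  # assumed second port
    fw.append("input", Rule(proto="icmp", target="ACCEPT"))
    fw.append("input", Rule(proto="tcp", target="tcpin"))
    fw.append("input", Rule(proto="udp"))                             # accounting only
    return fw


if __name__ == "__main__":
    fw = build_example()
    samples = [  # constructed datagrams
        {"proto": "udp", "src": "10.0.0.5", "dport": 53, "len": 60},
        {"proto": "tcp", "src": "10.0.0.5", "dport": 22, "len": 60},
        {"proto": "tcp", "src": "10.0.0.5", "dport": 25, "len": 60},
    ]
    for pkt in samples:
        v, trace = fw.verdict("input", pkt)
        print(pkt["proto"], pkt.get("dport"), "->", v)
        for step in trace:
            print("   ", step)
```

Running the three constructed datagrams prints the same sequences the figures describe: the UDP datagram updates the counters on the third input rule and is then denied by policy; the ssh datagram jumps into tcpin, is counted by the external-source rule, and is accepted by the ssh rule; the port-25 datagram is counted in tcpin, reaches the end of that chain, returns to the input chain, finds no further match, and is denied by the default policy.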