←back to thread

602 points hhutw | 1 comments | | HN request time: 0.001s | source
Show context
elevation ◴[] No.45640290[source]
This place needs more of this kind of documentation.

I failed to use IP tables for years. I bought books. I copied recipes from blog posts. Nothing made sense, everything I did was brittle. Until I finally found a schematic showing the flowchart of a packet through the kernel, which gives the exact order that each rule chain is applied, and where some of the sysctl values are enforced. All of a sudden, I could write rules that did exactly what I wanted, or intelligently choose between rules that have equivalent behaviors in isolation but which could have different performance implications.

After studying the schematic, every would just work on the first try. A good schematic makes a world of difference!

replies(4): >>45640322 #>>45640323 #>>45643938 #>>45648472 #
1. PunchyHamster ◴[] No.45643938[source]
It is also worth mentioning TRACE target that will dump to logs which exact rule the packet hit, it's invaluable big firewalls.