user1769195

Reputation: 225

iptables Forward policy doesn't work

I need some help here! Kinda challenging stuff.

I don't know why packets go through the FORWARD chain if I have this configuration:

#set policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

#forward with TEE
iptables -t mangle -A PREROUTING -d $HOST1 -p udp --dport 162 -j TEE --gateway $HOST2

The policy should drop everything because there is a filter-table DROP policy on the FORWARD chain, but it doesn't; everything goes to $HOST2.

I applied the configuration above after I flushed all tables. I checked afterwards with "iptables -L" and it is there, but it doesn't work.

In the future I want to make some "-t filter -A FORWARD" rules, but first I must see that it drops everything.

One more question.

Do you think this would work?

#forward with TEE
iptables -t mangle -A PREROUTING -d $HOST1 -p udp --dport 162 -j TEE --gateway $HOST2
iptables -t mangle -A PREROUTING -d $HOST1 -p udp --dport 162 -j TEE --gateway $HOST3

to forward packets to HOST3?

Thanks for reading this! Kind regards!

Upvotes: 2

Views: 1083

Answers (1)

anregen

Reputation: 1602

PREROUTING in mangle happens very early. It makes sense to me that you're getting the -j TEE behavior. (BTW: what does your TEE chain look like? Note that this is different than --tee routing option.)

Just take out that TEE rule, and it should drop everything that would otherwise get FORWARDed. Then you should be clear to add your filter rules (make sure to pay close attention to the order the rules are applied in).

For your second Q: it depends on whether there is a RETURN statement at the end of the TEE chain. If the packet will get to RETURN, then yes, you'll get the behavior of both rules. Otherwise, it will take the first jump to TEE and not get back to the following rule.

Upvotes: 1
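The script below is an added example; it is not part of the question or the answer above. It assumes the box is a router in front of $HOST1, that only SNMP traps (udp/162) are to be mirrored, and that HOST1/HOST2/HOST3 and the mark value 0x162 are placeholders. The reason the FORWARD DROP policy never stops the mirrored copies is that the TEE target clones the packet in mangle PREROUTING and injects the clone on the local-output path, so the clone traverses the OUTPUT and POSTROUTING chains and never FORWARD; only the original packet goes on to INPUT or FORWARD, where it is dropped as expected. TEE is also a non-terminating target (the original keeps traversing the chain), so two TEE rules on the same match produce two clones whether or not anything RETURNs. The clone keeps the original destination address and the packet mark, so the ruleset marks the packet before cloning and then controls the clones in filter OUTPUT instead of FORWARD:

```shell
#!/bin/sh
# Added example, not the original poster's rules. Prints an iptables-restore
# ruleset; apply it as root with:  sh tee-rules.sh HOST1 HOST2 HOST3 | iptables-restore
# Assumptions: HOST1/HOST2/HOST3 are placeholders, mark 0x162 is unused elsewhere.

gen_ruleset() {
    host1=$1 host2=$2 host3=$3
    cat <<EOF
# --- mangle: clones are created here in PREROUTING, before routing and
# before the filter table sees the packet.  The MARK is set first because
# the clone inherits it; TEE is non-terminating, so the second TEE rule
# matches the same original packet and yields a second clone.
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d ${host1} -p udp --dport 162 -j MARK --set-mark 0x162
-A PREROUTING -d ${host1} -p udp --dport 162 -j TEE --gateway ${host2}
-A PREROUTING -d ${host1} -p udp --dport 162 -j TEE --gateway ${host3}
COMMIT

# --- filter: the FORWARD DROP policy only ever sees the ORIGINAL packet.
# Clones are injected on the local-output path, so they traverse OUTPUT
# (and POSTROUTING) and must be policed there.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Explicit FORWARD rules, added only once the DROP baseline is confirmed:
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d ${host1} -p udp --dport 162 -j ACCEPT
# Clones still carry dst=${host1} and the mark; let exactly those leave,
# and log-then-drop any other udp/162 this box emits so stray copies show up.
-A OUTPUT -m mark --mark 0x162 -d ${host1} -p udp --dport 162 -j ACCEPT
-A OUTPUT -p udp --dport 162 -j LOG --log-prefix "udp162-out-dropped: "
-A OUTPUT -p udp --dport 162 -j DROP
COMMIT
EOF
}

# Print the ruleset when invoked with the three hosts; do nothing when sourced.
if [ "$#" -eq 3 ]; then
    gen_ruleset "$@"
fi
```

Check the result after loading with `iptables-save -t mangle` and `iptables-save -t filter`; the counters on the OUTPUT DROP rule should stay at zero while the mirrored traps flow, and the FORWARD policy counter (second line of `iptables -L FORWARD -v`) should still increase for whatever you have not explicitly allowed.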
