I found the explanation for the IN , FORWARD & OUT chains but I'm still a bit puzzled.

For example IN means going to the router IP address but does that als count for a packet coming from a local address and a packet coming from the wan interface (internet)?

The same question for the FORWARD chain does it als mean packets from a wan address to an addres on my lan and the other way around?

It's simple. Input chain is for packets going to router itself. It happens when their destination is address owned by router. They end up being processed by process running on the router (e.g. SSH or FTP server) or dropped/rejected if they go to closed port. Forward chain is for packets going somewhere else, simply passing though router.

Examples (router has 192.168.1.1):

Packet to 192.168.99.1 -> forward
Packet to 192.168.1.1 -> input

But things can easily change:

Packet to 192.168.1.1 catched by rule in dstnat chain and redirected to 192.168.22.1 -> forward
Packet to 192.168.99.1 catched by rule in dstnat chain and redirected to local address -> input

It's simple. Input chain is for packets going to router itself. It happens when their destination is address owned by router. They end up being processed by process running on the router (e.g. SSH or FTP server) or dropped/rejected if they go to closed port.
t

Does it matter if the packet comes from the wan interface or from a local address?

It's simple. Input chain is for packets going to router itself. It happens when their destination is address owned by router. They end up being processed by process running on the router (e.g. SSH or FTP server) or dropped/rejected if they go to closed port.
t

Does it matter if the packet comes from the wan interface or from a local address?

Not at all. Input means "into the router's own brain" where Forward means "through the router"

Note that rules in the chains can be configured with these criteria:
in-interface
out-interface

These two criteria are how you specify which interface a packet may be received/transmitted, and it's the chain (input, output, forward) which defines the context. So imagine a router with IP 192.168.1.1 on interface ether1, and IP 192.168.2.1 on interface ether2.

If a packet comes from host 192.168.1.19 connected to ether1, and the packet's destination IP is 192.168.1.1, this packet will go into the INPUT chain because it's for the router itself. If the packet is for 192.168.2.1, this packet will also go through the INPUT chain - even though it was received on ether1, and its target IP is on ether2, the packet doesn't get forwarded - it gets processed locally by the router's CPU. If the packet's destination is 192.168.2.2, then this packet will be processed in the FORWARD chain, because it was received from outside the router, and its destination is outside the router.

This also means that if a packet somehow arrives on ether1 with src IP=192.168.1.19 and dst IP = 192.168.1.21 ... even though it will be forwarded right back out the same interface it was received on, it is still considered to be FORWARDED traffic.


These concepts are different than Cisco's access-groups where input means "ingress" and output means "egress" - regardless of whether the target/src was local CPU or some other interface.... These are what the in-interface / out-interface matchers on rules mean.

Its a lot more clearer now thank you zerobyte