I have a fundamental question about which chain a packet is processed by after you tell it to forward.

I have a packet that comes in on Eth1 from my internal LAN.
/sbin/ipchains -A input -j ACCEPT -i eth0 -s $IntLANIP -d 0/0
I need to forwarded it to Eth0 and masq it, so it can get to the internet. So I do this.
/sbin/ipchains -A forward -j MASQ -s $IntLANIP -d 0/0

Here's where I am lost. Does it get picked up by the eth0 output chain, eth0 input chain, lo (local interface) input chain, or is it just sent out without going through any more chains?

What makes sense to me is that the forwarded packet would be sent to the other interface on the other interface's input chain. This is why I put eth0 input as a possible target.

One problem with that is that the ascii art diagram from the IP Chain howto doesn't show it that way. I see it states it goes to the output chain, it just doesn't say which output chain.

My confusion stems from this assumption that one interface's output chain is separate from another interface's output chain. Is this wrong? Is there instead only one giant output chain for everything going out of the box?

I've read the netfilter hacking how to, was there a corresponding version for IPChains? That might provide the nitty gritty detail I need to understand this.
thanks,
linlu :confused:

After a rule is matched, it goes to the next
step. The -i flag states which interface the rule is for, not where it is going. If seperate internal/external interface rules are not required, just drop the -i part. To masq the packet you should do something like:

/sbin/ipchains -A forward -i eth0 -j MASQ -s $IntLANIP -d 0/0

all the input rules are on one chain
all the output rules are on the next chain.
all the forward rules are on the next chain.

I use separte interface rules for all my stuff. Yes it can be a lot of similar rules,
but can be a god send when you have 2+ interfaces.