I know linux has 3 built-in tables and each of them has its own chains as follows:
FILTER: PREROUTING, FORWARD, POSTROUTING
NAT: PREROUTING, INPUT, OUTPUT, POSTROUTING
MANGLE: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
But I can’t understand how they are traversed, in which order, if there is.
For example, how are they traversed when:
- I send a packet to a pc in my same local network
- when I send a packet to a pc in a different network
- when a gateway receives a packet and it has to forward it
- when I receive a packet destined to me
- any other case (if any)
Answers:
Method 1
Wikipedia has a great diagram to show the processing order.
For more details you can also look at the iptables documentation, specifically the traversing of tables and chains chapter. Which also includes a flow diagram.
The order changes dependent on how netfilter is being used (as a bridge or network filter and whether it has interaction with the application layer).
Generally (though there are more devils in the details in the chapter linked above) the chains are processed as:
- See the INPUT chain as “traffic inbound from outside to this host”.
- See the FORWARD chain as “traffic that uses this host as a router” (source and destination are not this host).
- See the OUTPUT chain as “traffic that this host wants to send out”.
- PREROUTING / POSTROUTING has different uses for each of the table types (for example for the nat tables, PREROUTING is for inbound (routed/forwarded) SNAT traffic and POSTROUTING is for outbound (routed/forwarded) DNAT traffic). Look at the docs for more specifics.
The various tables are:
- Mangle is to change packets (Type Of Service, Time To Live etc) on traversal.
- Nat is to put in NAT rules.
- Raw is to be used for marking and connection tracking.
- Filter is for filtering packets.
So for your five scenarios:
- If the sending host is your host with iptables, OUTPUT
- The same as above
- The FORWARD chain (provided the gateway is the host with iptables)
- If “me” is the host with iptables, INPUT
- Look at the chain rules above (which is the general rule of thumb) and the flow diagram (and this also varies on what you are trying to achieve with IPTables)
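A way to make the traversal concrete, as an added example that is not part of the original answer: derive the table/chain sequence for each of the question's scenarios from netfilter's five hook points and the fixed table priority (raw, mangle, nat, filter). The function names `tables_at`, `hooks`, `path` and `log_rules` are mine; the LOG rules are only printed, so you can review them before running them as root on a host to confirm the order in the kernel log.

```shell
#!/bin/sh
# Added example: derive the table/chain traversal of a packet from the
# netfilter hook model. A packet arriving on a NIC enters PREROUTING; the
# routing decision then sends it to INPUT (destined to this host) or FORWARD
# (routed through this host); locally generated traffic enters OUTPUT; any
# packet leaving a NIC passes POSTROUTING. At each hook the tables that
# registered that hook run in priority order raw, mangle, nat, filter.
# (nat chains are consulted only for the first packet of a connection.)

# tables_at HOOK -> tables that own a chain at this hook, in priority order
tables_at() {
    case "$1" in
        PREROUTING)  echo "raw mangle nat" ;;
        INPUT)       echo "mangle nat filter" ;;
        FORWARD)     echo "mangle filter" ;;
        OUTPUT)      echo "raw mangle nat filter" ;;
        POSTROUTING) echo "mangle nat" ;;
    esac
}

# hooks SRC DST -> hook sequence; SRC and DST are "local" or "remote"
hooks() {
    case "$1/$2" in
        remote/local)  echo "PREROUTING INPUT" ;;
        remote/remote) echo "PREROUTING FORWARD POSTROUTING" ;;
        local/remote)  echo "OUTPUT POSTROUTING" ;;
        # host talking to itself: leaves via lo and re-enters as inbound
        local/local)   echo "OUTPUT POSTROUTING PREROUTING INPUT" ;;
    esac
}

# path SRC DST -> space-separated "table:CHAIN" steps in traversal order
path() {
    out=""
    for h in $(hooks "$1" "$2"); do
        for t in $(tables_at "$h"); do
            out="$out $t:$h"
        done
    done
    echo "${out# }"
}

# log_rules SRC DST -> iptables LOG rules (printed, not executed) that tag
# each step, so the kernel log shows the real order on your own host
log_rules() {
    for step in $(path "$1" "$2"); do
        echo "iptables -t ${step%%:*} -I ${step##*:} -j LOG --log-prefix '$step '"
    done
}

path remote local    # a packet destined to this host (scenario 4)
log_rules remote remote
```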
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0