How iptables tables and chains are traversed

I know Linux has 3 built-in tables and each of them has its own chains as follows:
FILTER: PREROUTING, FORWARD, POSTROUTING
NAT: PREROUTING, INPUT, OUTPUT, POSTROUTING
MANGLE: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
But I can't understand how they are traversed, in which order, if there is one.
For example, how are they traversed when:
- I send a packet to a PC in my same local network
- I send a packet to a PC in a different network
- a gateway receives a packet and it has to forward it
- I receive a packet destined to me
- any other case (if any)
iptables firewall
asked Mar 13 '15 at 9:06
zer0uno
1 Answer
Wikipedia has a great diagram to show the processing order.
For more details you can also look at the iptables documentation, specifically the traversing of tables and chains chapter, which also includes a flow diagram.
The order changes dependent on how netfilter is being used (as a bridge or network filter and whether it has interaction with the application layer).
Generally (though there is more devil in the details in the chapter linked above) the chains are processed as:
- See the INPUT chain as "traffic inbound from outside to this host".
- See the FORWARD chain as "traffic that uses this host as a router" (source and destination are not this host).
- See the OUTPUT chain as "traffic that this host wants to send out".
- PREROUTING / POSTROUTING have different uses for each of the table types (for example for the nat tables, PREROUTING is for inbound (routed/forwarded) SNAT traffic and POSTROUTING is for outbound (routed/forwarded) DNAT traffic). Look at the docs for more specifics.
The various tables are:
- Mangle is to change packets (Type Of Service, Time To Live etc.) on traversal.
- Nat is to put in NAT rules.
- Raw is to be used for marking and connection tracking.
- Filter is for filtering packets.
So for your five scenarios:
- If the sending host is your host with iptables, OUTPUT
- The same as above
- The FORWARD chain (provided the gateway is the host with iptables)
- If "me" is the host with iptables, INPUT
- Look at the chain rules above (which is the general rule of thumb) and the flow diagram (and this also varies on what you are trying to achieve with iptables)
edited Mar 13 '15 at 9:41
answered Mar 13 '15 at 9:14
Drav Sloan
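As an added illustration (it is not part of the question or of the answer above), the following Python model encodes the traversal order from the "traversing of tables and chains" chapter the answer links (raw, mangle, nat at PREROUTING and OUTPUT; mangle, filter, nat at INPUT; mangle, filter at FORWARD; mangle, nat at POSTROUTING) and classifies the asker's scenarios from the packet's addresses and the host's forwarding setting. It goes one step beyond the answer by evaluating a small filter ruleset along that path, which shows why a rule placed in FORWARD never sees traffic addressed to the gateway itself. The "routing decision" pseudo-hops, the loopback case (OUTPUT then INPUT), the single policy for all filter chains, and all addresses, rules and packets are assumptions constructed for the example; function names are mine, not iptables API.

```python
"""Model of how a packet traverses iptables tables and chains.

Hook order follows the iptables tutorial's "Traversing of tables and
chains" chapter. Addresses, rules and packets are constructed sample
data; the "routing" pseudo-hops mark where the kernel routes the packet.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

Hop = Tuple[str, str]  # (table, chain)

PRE: List[Hop] = [("raw", "PREROUTING"), ("mangle", "PREROUTING"), ("nat", "PREROUTING")]
POST: List[Hop] = [("mangle", "POSTROUTING"), ("nat", "POSTROUTING")]

PATHS: Dict[str, List[Hop]] = {
    # arrives on a NIC, routing decision says "for this host"
    "input": PRE + [("routing", "decision"), ("mangle", "INPUT"),
                    ("filter", "INPUT"), ("nat", "INPUT")],
    # arrives on a NIC, routing decision says "for someone else", forwarding on
    "forward": PRE + [("routing", "decision"), ("mangle", "FORWARD"),
                      ("filter", "FORWARD")] + POST,
    # generated by a local process: routing happens first, then the OUTPUT chains
    "output": [("routing", "decision"), ("raw", "OUTPUT"), ("mangle", "OUTPUT"),
               ("nat", "OUTPUT"), ("filter", "OUTPUT"),
               ("routing", "reroute-check")] + POST,
    # arrives on a NIC, not for us, forwarding off: PREROUTING runs, then discarded
    "not_routed": PRE + [("routing", "decision")],
}


def classify(src: str, dst: str, local_addrs: List[str], ip_forward: bool) -> List[str]:
    """Which path(s) a packet takes on this host, given the host's own addresses."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    local = {ipaddress.ip_address(a) for a in local_addrs}
    if s in local and d in local:
        return ["output", "input"]   # local delivery: out via OUTPUT, back in via INPUT
    if s in local:
        return ["output"]            # same path whether dst is on-link or behind a router
    if d in local:
        return ["input"]
    return ["forward"] if ip_forward else ["not_routed"]


def traverse(src: str, dst: str, local_addrs: List[str], ip_forward: bool) -> List[Hop]:
    """Full (table, chain) sequence the packet visits, in order."""
    hops: List[Hop] = []
    for name in classify(src, dst, local_addrs, ip_forward):
        hops.extend(PATHS[name])
    return hops


Rule = Tuple[Callable[[dict], bool], str]  # (match predicate, target)


def evaluate(pkt: dict, local_addrs: List[str], ip_forward: bool,
             filter_rules: Dict[str, List[Rule]], policy: str = "ACCEPT"):
    """Walk the packet's path; in each filter chain the first matching rule decides.

    Returns (verdict, chain); chain is None when only the (shared) policy applied.
    Only the filter table is evaluated here, a deliberate simplification.
    """
    for table, chain in traverse(pkt["src"], pkt["dst"], local_addrs, ip_forward):
        if table != "filter":
            continue
        for match, target in filter_rules.get(chain, []):
            if match(pkt):
                return target, chain
    return policy, None


# Constructed sample: a gateway owning 192.0.2.1 and 203.0.113.1, forwarding on.
GATEWAY = ["192.0.2.1", "203.0.113.1"]
# One rule, placed in FORWARD only: block telnet crossing the gateway.
RULES: Dict[str, List[Rule]] = {
    "FORWARD": [(lambda p: p["proto"] == "tcp" and p["dport"] == 23, "DROP")],
}
TRANSIT = {"src": "198.51.100.5", "dst": "192.0.2.20", "proto": "tcp", "dport": 23}
TO_GATEWAY = {"src": "198.51.100.5", "dst": "192.0.2.1", "proto": "tcp", "dport": 23}

if __name__ == "__main__":
    for name, pkt in (("transit", TRANSIT), ("to gateway", TO_GATEWAY)):
        path = traverse(pkt["src"], pkt["dst"], GATEWAY, True)
        print(name, [f"{t}/{c}" for t, c in path])
        print("  verdict:", evaluate(pkt, GATEWAY, True, RULES))
```

The transit packet is dropped in filter/FORWARD, while the same telnet packet addressed to the gateway's own address takes the INPUT path and is accepted by policy: a control meant to protect the gateway itself must live in INPUT. The first two scenarios in the question both come out as "output", because the routing decision picks the next hop but does not change which chains a locally generated packet visits.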