
I know Linux has 3 built-in tables and each of them has its own chains, as follows:

FILTER: PREROUTING, FORWARD, POSTROUTING

NAT: PREROUTING, INPUT, OUTPUT, POSTROUTING

MANGLE: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

But I can't understand how they are traversed, in which order, if there is. For example, how are they traversed when:

  1. I send a packet to a PC on my local network
  2. I send a packet to a PC on a different network
  3. a gateway receives a packet and has to forward it
  4. I receive a packet destined to me
  5. any other case (if any)
zer0uno

2 Answers


Wikipedia has a great diagram to show the processing order.

For more details you can also look at the iptables documentation, specifically the "Traversing of tables and chains" chapter, which also includes a flow diagram.

The order changes depending on how netfilter is being used (as a bridge or network filter and whether it has interaction with the application layer).

Generally (though there is more devil in the details in the chapter linked above), the chains are processed as:

  • See the INPUT chain as "traffic inbound from outside to this host".
  • See the FORWARD chain as "traffic that uses this host as a router" (source and destination are not this host).
  • See the OUTPUT chain as "traffic that this host wants to send out".
  • PREROUTING / POSTROUTING have different uses for each of the table types (for example, for the nat tables, PREROUTING is for inbound (routed/forwarded) SNAT traffic and POSTROUTING is for outbound (routed/forwarded) DNAT traffic). Look at the docs for more specifics.

The various tables are:

  • Mangle is to change packets (Type Of Service, Time To Live etc) on traversal.
  • Nat is to put in NAT rules.
  • Raw is to be used for marking and connection tracking.
  • Filter is for filtering packets.

So for your five scenarios:

  1. If the sending host is your host with iptables, OUTPUT
  2. The same as above
  3. The FORWARD chain (provided the gateway is the host with iptables)
  4. If "me" is the host with iptables, INPUT
  5. Look at the chain rules above (which are the general rule of thumb) and the flow diagram (this also varies with what you are trying to achieve with iptables)
slm
Drav Sloan
  • I also recently came across this link - https://stuffphilwrites.com/2014/09/iptables-processing-flowchart/. There's a nice flowchart there by Phil Hagen. – slm Oct 26 '18 at 01:50
  • Another good resource - https://www.digitalocean.com/community/tutorials/a-deep-dive-into-iptables-and-netfilter-architecture. – slm Oct 26 '18 at 01:59
  • @slm But beware that the Digital Ocean article you linked to is incorrect when it describes the traversing of tables and chains. The table in the article says that the INPUT chain order is mangle/INPUT, filter/INPUT, nat/INPUT, but the correct order (see the Wikipedia diagram) is mangle/INPUT, nat/INPUT, filter/INPUT (I've left out the security table to be concise). – Andrew Bate Oct 06 '21 at 14:30
  • @slm Actually, I was wrong. The Digital Ocean article is correct, and it is the Wikipedia article that is wrong. See my comments on this ServerFault question for why. I have checked the priorities assigned to nat/INPUT and filter/INPUT in the source code and the Wikipedia diagram is definitely wrong. – Andrew Bate Oct 06 '21 at 22:52
  • Also, I just noticed that the flow chart by Phil Hagen that you linked to disagrees with the Wikipedia diagram on the order of filter/INPUT and nat/INPUT. Having looked at the netfilter source code, I believe that Phil Hagen's diagram is correct. – Andrew Bate Oct 06 '21 at 23:02
  • @AndrewBate might be worth pinging Phil on his blog about it. He maintains that material for a SANS class he teaches. Should get it updated in Wikipedia too. – slm Oct 06 '21 at 23:20
  • Note that the examples about PREROUTING and POSTROUTING are mixed up - SNAT is used with POSTROUTING and DNAT is used with PREROUTING (as per the documentation of iptables in the link you supplied, https://rlworkman.net/howtos/iptables/chunkyhtml/c962.html). – Yarden Dec 31 '22 at 05:48

Fwiw, I have adapted Phil Hagen's flowchart (as mentioned by @slm in a previous answer) to the ASCII flowchart below.

network  ->  PREROUTING  ->  routing  ->  INPUT  ------->  process
               raw           decision       mangle
               (conntrack)   |              filter
               mangle        |              security
               nat(*)        |              nat
                             V
                             FORWARD  ----\
                              mangle      |
                              filter      |
                              security    |
                                          V
process  ->  OUTPUT  ------------------>  POSTROUTING  ->  network
               (routing decision??)         mangle
               raw                          nat(*)
               (conntrack)
               mangle
               nat
               (output interface assigned here?)
               filter
               security

(*) Certain localhost packets skip the PREROUTING and POSTROUTING nat chains. See the post and diagram by Phil Hagen for details.

Comments, suggestions, and corrections are welcome, as I am certainly not an expert on iptables and Netfilter.

mpb
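As an added example that is not part of either answer, the following Python model derives the order of tables within each chain from the netfilter hook priorities the comments above argue about (the NF_IP_PRI_* values from the kernel's include/uapi/linux/netfilter_ipv4.h, reproduced here as constants) and walks the chains for the question's five scenarios. The scenario-to-chain mapping, the single-host view without bridging, and the omission of the loopback nat shortcut marked (*) in the flowchart are simplifying assumptions.

```python
"""Model of netfilter table traversal order, derived from hook priorities.

Added example (not from the original post). Priorities are the NF_IP_PRI_*
constants from the kernel header netfilter_ipv4.h; a lower value runs first
within a chain. Simplifications (assumptions): no bridge path, and the
loopback-only nat skip from the flowchart footnote is not modelled.
"""
from typing import Dict, List

NF_IP_PRI_RAW = -300       # raw table (before connection tracking at -200)
NF_IP_PRI_MANGLE = -150
NF_IP_PRI_NAT_DST = -100   # destination NAT: runs before the routing decision
NF_IP_PRI_FILTER = 0
NF_IP_PRI_SECURITY = 50
NF_IP_PRI_NAT_SRC = 100    # source NAT: runs after filtering

# Each iptable_* module registers on certain chains at a given priority.
# The nat table registers at two priorities: PREROUTING/OUTPUT early (DNAT),
# INPUT/POSTROUTING late (SNAT). This is why nat/INPUT runs after filter/INPUT.
TABLE_HOOKS: Dict[str, Dict[str, int]] = {
    "raw":      {"PREROUTING": NF_IP_PRI_RAW, "OUTPUT": NF_IP_PRI_RAW},
    "mangle":   {c: NF_IP_PRI_MANGLE for c in
                 ("PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING")},
    "nat":      {"PREROUTING": NF_IP_PRI_NAT_DST, "OUTPUT": NF_IP_PRI_NAT_DST,
                 "INPUT": NF_IP_PRI_NAT_SRC, "POSTROUTING": NF_IP_PRI_NAT_SRC},
    "filter":   {c: NF_IP_PRI_FILTER for c in ("INPUT", "FORWARD", "OUTPUT")},
    "security": {c: NF_IP_PRI_SECURITY for c in ("INPUT", "FORWARD", "OUTPUT")},
}

# Chains a packet visits on the iptables host in each scenario from the question.
# Scenarios 1 and 2 differ only in routing, not in the chains on the sender.
PATHS: Dict[str, List[str]] = {
    "1_local_to_same_lan":  ["OUTPUT", "POSTROUTING"],
    "2_local_to_other_net": ["OUTPUT", "POSTROUTING"],
    "3_forwarded":          ["PREROUTING", "FORWARD", "POSTROUTING"],
    "4_destined_to_me":     ["PREROUTING", "INPUT"],
}

def chain_order(chain: str) -> List[str]:
    """Tables hooked into `chain`, sorted the way netfilter runs them."""
    hooks = [(prio, table) for table, chains in TABLE_HOOKS.items()
             if (prio := chains.get(chain)) is not None]
    return [table for _, table in sorted(hooks)]

def traversal(scenario: str) -> List[str]:
    """Full 'table/CHAIN' sequence for one scenario."""
    return [f"{t}/{c}" for c in PATHS[scenario] for t in chain_order(c)]

if __name__ == "__main__":
    for name in PATHS:
        print(f"{name:22s} {' -> '.join(traversal(name))}")
```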