Search This Blog

2023-06-20

* routing process of iptables

1. Incoming packet:

Table: N/A (not applicable)

Chain: N/A (not applicable)

Rules: N/A (not applicable)

Description: An incoming packet arrives at a network interface on the system.

2. Pre-routing:

Table: `nat`, `mangle`, `raw`

Chain: `PREROUTING`

Rules: Rules in the `PREROUTING` chain can modify the packet's destination, perform DNAT (Destination NAT) to change the destination address/port, or mark the packet for further processing.

Description: The packet enters the pre-routing stage, where the `PREROUTING` chain is processed. In this chain, you can apply various rules that can modify the packet's destination, perform NAT (Network Address Translation), or mark the packet for further processing.

3. Routing decision:

Table: N/A (not applicable)

Chain: N/A (not applicable)

Rules: N/A (not applicable)

Description: After the pre-routing stage, the routing decision takes place. The system examines the destination IP address of the packet and determines the appropriate outbound interface based on the routing table.  This step is handled by the kernel's routing mechanism and not influenced by iptables rules directly. This decision is crucial for forwarding the packet to the correct destination.

4. Input processing:

Table: `filter`, `mangle`

Chain: `INPUT`

Rules: Rules in the `INPUT` chain are applied to packets destined for the local system. These rules can determine whether to accept, drop, or modify the packet based on various criteria like source, destination, protocol, port, etc. This is where packets are processed if they are targeted at the system itself.

5. Forwarding:

Table: `filter`, `mangle`

Chain: `FORWARD`

Rules: Rules in the `FORWARD` chain are applied to packets that are being forwarded to another network interface on the system. These rules can determine whether to accept, drop, or modify the packet based on various criteria like source, destination, protocol, port, connection state, etc.

  - Description: If the packet is destined for another network interface on the system (not the local system itself), it enters the forwarding stage. In the `FORWARD` chain, the packet is processed and matched against rules that determine whether to accept, drop, or modify it.

6. Output processing:

Table: `filter`, `mangle`

Chain: `OUTPUT`

Rules: Rules in the `OUTPUT` chain are applied to packets originating from the local system. These rules can determine whether to accept, drop, or modify the packet based on various criteria like source, destination, protocol, port, etc. This is where packets generated by the system are processed before being sent out.

7. Post-routing:

Table: `nat`, `mangle`, `raw`

Chain: `POSTROUTING`

Rules: Rules in the `POSTROUTING` chain can perform actions like source NAT (SNAT), masquerading, or modify the packet's source address. This is typically used for packets leaving the system to ensure proper addressing and routing.

Description: After the forwarding stage, if the packet is accepted for forwarding, it enters the post-routing stage. In the `POSTROUTING` chain, you can apply rules that perform additional modifications, such as source NAT (SNAT), masquerading, or modifying the packet's source address.

8. Outgoing packet:

Table: N/A (not applicable)

Chain: N/A (not applicable)

Rules: N/A (not applicable)

Description: The packet, after going through the pre-routing, routing decision, forwarding, output processing, and post-routing stages, is sent out through the appropriate outbound interface based on the routing decision made earlier. It leaves the system and continues its journey through the network.

Order of (table+chain) execution:

1. The packet goes through the `raw` table. Within the `raw` table, the chains are processed in order: `PREROUTING`, `OUTPUT`.

2. The packet goes through the `mangle` table. Within the `mangle` table, the chains are processed in order: `PREROUTING`, `INPUT`, `FORWARD`, `OUTPUT`, `POSTROUTING`.

3. The packet goes through the `nat` table. Within the `nat` table, the chains are processed in order: `PREROUTING`, `INPUT`, `OUTPUT`, `POSTROUTING`.

4. Finally, the packet goes through the `filter` table. Within the `filter` table, the chains are processed in order: `INPUT`, `FORWARD`, `OUTPUT`.

The `nat+OUTPUT` chain (part of the `nat` table) is processed before the `filter+INPUT` chain (part of the `filter` table). This means that any NAT-related operations in the `nat+OUTPUT` chain, such as source address translation (SNAT), will be applied before the packet reaches the `filter+INPUT` chain for filtering.

Within the same pair of table and chain, the order of adding rules matters, and the first matching rule takes effect.

Between different tables, the order of adding rules does not influence the execution order. Rules within each table are processed in their specified order.