2002-12-13 16:00:32

by Denis Vlasenko

[permalink] [raw]
Subject: order of ip tables/chains?

Dunno if this mail and your replies will reach the list/me,
we have some DNS problems here...

I'm setting up a firewall. I want to understand precise order
in which a packet traverse a multitude of ip tables/chains
which exist in recent 2.4 (say 2.4.20). This is what I currently
placed at the top of my script:

### filter This is the default table (if no -t option is passed). It contains
### the built-in chains INPUT (for packets coming into the box itself),
### FORWARD (for packets being routed through the box), and OUTPUT (for
### locally-generated packets).
###
### nat This table is consulted when a packet that creates a new connection
### is encountered. It consists of three built-ins: PREROUTING (for
### altering packets as soon as they come in), OUTPUT (for altering
### locally-generated packets before routing), and POSTROUTING (for
### altering packets as they are about to go out).
###
### mangle This table is used for specialized packet alteration. Until kernel
### 2.4.17 it had two built-in chains: PREROUTING (for altering incoming
### packets before routing) and OUTPUT (for altering locally-generated
### packets before routing). Since kernel 2.4.18, three other built-in
### chains are also supported: INPUT (for packets coming into the box
### itself), FORWARD (for altering packets being routed through the
### box), and POSTROUTING (for altering packets as they are about to go
### out).

(above: taken directly from man iptables)
(below: this is how I understand it. Combined from Rusty's excellent docs
on NAT and filtering. Thanks Rusty! Anyone spot something wrong below?)

###
###
### ..iface....................................iface...
### | ^
### v |
### -NAT,mangle- -filter,mangle- -NAT,mangle--
### |PREROUTING|->[Routing ]-->|FORWARD |-->|POSTROUTING|
### ------------ [Decision] --------------- -------------
### | ^
### v |
### -filter,mangle- -filter,NAT,mangle-
### |INPUT | |OUTPUT |
### --------------- -------------------
### | ^
### v |
### ... Local Process...
### ....Local Process...

(below: basically this is what I ask)

### TODO: check order of each a,b
### check whether is OUTPUT drawn where it should be
### (or maybe different table's OUTPUTs must be in different places?)
--
vda