

@nerdalert
Last active April 9, 2024 09:18
Linux NetFilter, IP Tables and Conntrack Diagrams

IPTABLES TABLES and CHAINS

Iptables has the following four built-in tables. (A fifth table, security, exists for SELinux/MAC labelling rules and is not covered here.)

1) Filter Table

Filter is the default table for iptables: if you don't select a table with -t, your rules go into the filter table. Iptables's filter table has the following built-in chains.

  • INPUT chain – Incoming to the firewall. For packets whose destination is the local host itself (reached after the routing decision).
  • OUTPUT chain – Outgoing from the firewall. For packets generated locally by a process on this host.
  • FORWARD chain – For packets routed through the local host from one interface to another; such packets are never seen by INPUT or OUTPUT.

2) NAT table

Iptables's NAT table has the following built-in chains. The nat table is consulted only for the first packet of a connection; conntrack then applies the same translation to the rest of the flow, which is why NAT cannot be applied to packets that are exempted from connection tracking.

  • PREROUTING chain – Alters packets before routing, i.e. translation happens immediately after the packet enters the system and before the routing decision. This is where the destination IP address is rewritten so that routing sends the packet to the real target, e.g. a port forward to an internal server. This is used for DNAT (destination NAT).
  • POSTROUTING chain – Alters packets after routing, i.e. translation happens as the packets are leaving the system. This is where the source IP address is rewritten to something the destination can route replies to, e.g. the firewall's public address. This is used for SNAT (source NAT) and MASQUERADE.
  • OUTPUT chain – NAT for locally generated packets on the firewall, applied before they are routed.
  • INPUT chain – NAT for packets destined to local sockets (present since kernel 2.6.36).

3) Mangle table

Iptables's Mangle table is for specialized packet alteration: it can rewrite the TOS/DSCP field and the TTL in the IP header (not the TCP header) and set the kernel firewall mark (fwmark) that policy routing, tc and later rules can match on. Mangle table has the following built-in chains.

  • PREROUTING chain
  • OUTPUT chain
  • FORWARD chain
  • INPUT chain
  • POSTROUTING chain

4) Raw table

Iptables's Raw table is processed before connection tracking and is mainly used for configuration exemptions: its NOTRACK target excludes packets from conntrack, which also keeps them out of NAT. Raw table has the following built-in chains.

  • PREROUTING chain
  • OUTPUT chain
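Which chains a given packet actually hits, and in what order, is the question the four tables above leave open. The Python model below is an added example (not code from the gist, and not an iptables internal) that encodes the hook order from the Netfilter packet-flow diagram: raw, then conntrack, then mangle, then nat at PREROUTING/OUTPUT; a routing decision that picks INPUT or FORWARD using the destination after any DNAT; nat INPUT last on the input path; and a NOTRACK packet that skips both conntrack and every nat chain. The addresses (203.0.113.10, 10.0.0.x, 198.51.100.7, 192.0.2.50) and the ruleset are constructed for the demonstration, and chain policies are assumed to be ACCEPT.

```python
"""Packet walk through the iptables tables/chains, in Netfilter hook order.
Added example (not code from the gist); addresses and ruleset are constructed."""
from dataclasses import dataclass, field, replace
import ipaddress

# Tables consulted at each hook, in order; conntrack runs right after raw on
# PREROUTING/OUTPUT, and nat INPUT has existed since kernel 2.6.36.
HOOK_TABLES = {
    "PREROUTING": ["raw", "mangle", "nat"],
    "INPUT": ["mangle", "filter", "nat"],
    "FORWARD": ["mangle", "filter"],
    "OUTPUT": ["raw", "mangle", "nat", "filter"],
    "POSTROUTING": ["mangle", "nat"],
}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    notrack: bool = False      # set by the raw table's NOTRACK target

@dataclass
class Rule:
    table: str
    chain: str
    target: str                # ACCEPT DROP DNAT SNAT MASQUERADE NOTRACK
    match: dict = field(default_factory=dict)   # src/dst as CIDR, proto, dport
    arg: str = None            # new address for DNAT/SNAT/MASQUERADE

def matches(rule, pkt):
    for key, want in rule.match.items():
        have = getattr(pkt, key)
        if key in ("src", "dst"):
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif have != want:
            return False
    return True

def run_chain(table, chain, pkt, rules, trace):
    """Walk one chain; ACCEPT/DROP end the chain, other targets alter the packet."""
    trace.append(f"{table}/{chain}")
    for rule in rules:
        if (rule.table, rule.chain) != (table, chain) or not matches(rule, pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target      # ends this chain only; later tables still run
        if rule.target == "NOTRACK":
            pkt.notrack = True
        elif rule.target == "DNAT":
            pkt.dst = rule.arg      # rewritten before the routing decision
        elif rule.target in ("SNAT", "MASQUERADE"):
            pkt.src = rule.arg
    return None                     # fell off the end: policy ACCEPT assumed

def run_hook(hook, pkt, rules, trace):
    for table in HOOK_TABLES[hook]:
        if table == "nat" and pkt.notrack:
            continue                # NAT needs a conntrack entry; NOTRACK skips it
        if run_chain(table, hook, pkt, rules, trace) == "DROP":
            return "DROP"
        if table == "raw" and not pkt.notrack:
            trace.append("conntrack")
    return "ACCEPT"

def traverse(pkt, rules, local_addrs, local_origin=False):
    """Return (verdict, trace, packet as it leaves). local_origin starts at OUTPUT."""
    pkt, trace = replace(pkt), []
    if run_hook("OUTPUT" if local_origin else "PREROUTING", pkt, rules, trace) == "DROP":
        return "DROP", trace, pkt
    trace.append("routing")         # uses the possibly DNATed destination
    if not local_origin:
        if pkt.dst in local_addrs:
            if run_hook("INPUT", pkt, rules, trace) == "DROP":
                return "DROP", trace, pkt
            trace.append("local process")
            return "ACCEPT", trace, pkt
        if run_hook("FORWARD", pkt, rules, trace) == "DROP":
            return "DROP", trace, pkt
    if run_hook("POSTROUTING", pkt, rules, trace) == "DROP":
        return "DROP", trace, pkt
    trace.append("transmit")
    return "ACCEPT", trace, pkt

# Constructed firewall: 203.0.113.10 faces the Internet, 10.0.0.1 the LAN.
LOCAL = {"203.0.113.10", "10.0.0.1"}
RULES = [
    Rule("raw", "PREROUTING", "NOTRACK", {"proto": "udp", "dport": 53}),
    Rule("nat", "PREROUTING", "DNAT", {"dst": "203.0.113.10/32", "proto": "tcp", "dport": 80}, "10.0.0.5"),
    Rule("filter", "INPUT", "ACCEPT", {"proto": "tcp", "dport": 22}),
    Rule("filter", "INPUT", "ACCEPT", {"proto": "udp", "dport": 53}),
    Rule("filter", "INPUT", "DROP"),
    Rule("filter", "FORWARD", "ACCEPT", {"src": "10.0.0.0/24"}),
    Rule("filter", "FORWARD", "ACCEPT", {"dst": "10.0.0.5/32", "proto": "tcp", "dport": 80}),
    Rule("filter", "FORWARD", "DROP"),
    Rule("nat", "POSTROUTING", "MASQUERADE", {"src": "10.0.0.0/24"}, "203.0.113.10"),
]
```

Call traverse(Packet("198.51.100.7", "203.0.113.10", "tcp", 80), RULES, LOCAL) and look at the trace: the packet arrives addressed to the firewall's own 203.0.113.10, but because nat PREROUTING rewrites the destination before the routing decision it takes the FORWARD path, not INPUT, so the accept rule must live in filter FORWARD. Send a UDP/53 query to 10.0.0.1 instead and the trace has no conntrack step and no nat chains at all. On a real kernel the nat table is also consulted only for the first packet of a connection; the model does not track connections beyond the NOTRACK flag.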

@anudeep404

If we were to configure IPSec VPN with openswan, how does it pass through these chains?

@ArthurChiao

nice!

@sliddjur

sliddjur commented Oct 24, 2019

If we were to configure IPSec VPN with openswan, how does it pass through these chains?

I think like this https://gist.github.com/nerdalert/a1687ae4da1cc44a437d#-2 ? @anudeep404

@andsten

andsten commented Apr 3, 2021

If we were to configure IPSec VPN with openswan, how does it pass through these chains?

I elaborated on that in detail in a blog article I published in 2020: Nftables - Netfilter and VPN/IPsec packet flow
Actually it partly was your question here what triggered me to write that article. So, thanks a lot for the question.

@hungrybirder

nice!

@lnthien97

nice!

@eSargin

eSargin commented Feb 7, 2024

After the destination IP address reaches the real MAC address, I want to process based on the destination MAC address, but I could not find where to do it. I do not use bridge, and netdev egress nft does not work.
