Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Linux NetFilter, IP Tables and Conntrack Diagrams

Linux NetFilter, IP Tables and Conntrack Diagrams

IPTABLES TABLES and CHAINS

IPTables has the following 4 built-in tables.

1) Filter Table

Filter is default table for iptables. So, if you don’t define you own table, you’ll be using filter table. Iptables’s filter table has the following built-in chains.

  • INPUT chain – Incoming to firewall. For packets coming to the local server.
  • OUTPUT chain – Outgoing from firewall. For packets generated locally and going out of the local server.
  • FORWARD chain – Packet for another NIC on the local server. For packets routed through the local server.

2) NAT table

Iptable’s NAT table has the following built-in chains.

  • PREROUTING chain – Alters packets before routing. i.e Packet translation happens immediately after the packet comes to the system (and before routing). This helps to translate the destination ip address of the packets to something that matches the routing on the local server. This is used for DNAT (destination NAT).
  • POSTROUTING chain – Alters packets after routing. i.e Packet translation happens when the packets are leaving the system. This helps to translate the source ip address of the packets to something that might match the routing on the desintation server. This is used for SNAT (source NAT).
  • OUTPUT chain – NAT for locally generated packets on the firewall.

3) Mangle table

Iptables’s Mangle table is for specialized packet alteration. This alters QOS bits in the TCP header. Mangle table has the following built-in chains.

  • PREROUTING chain
  • OUTPUT chain
  • FORWARD chain
  • INPUT chain
  • POSTROUTING chain

4) Raw table

Iptable’s Raw table is for configuration excemptions. Raw table has the following built-in chains.

@anudeep404

This comment has been minimized.

Copy link

@anudeep404 anudeep404 commented May 11, 2018

If we were to configure IPSec VPN with openswan, how does it pass through these chains?

@ArthurChiao

This comment has been minimized.

Copy link

@ArthurChiao ArthurChiao commented Jan 28, 2019

nice!

@sliddjur

This comment has been minimized.

Copy link

@sliddjur sliddjur commented Oct 24, 2019

If we were to configure IPSec VPN with openswan, how does it pass through these chains?

I think like this https://gist.github.com/nerdalert/a1687ae4da1cc44a437d#-2 ? @anudeep404

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.