The Linux packet filtering HOWTO displays the following diagram in order to illustrate the locations of the various filter table chains.

                         _______
Incoming                /       \        Outgoing
       -->[Routing ]--->|FORWARD|------->
          [Decision]    \_______/       ^
              |                         |
              v                        ______
            _____                     /      \
           /     \                   |OUTPUT|
          |INPUT|                    \______/
           \_____/                      ^
              |                         |
              +----> Local Process -----+

This diagram has often helped me place rules in their proper places. Unfortunately, this diagram doesn't include the location of the nat.PREROUTING, nat.POSTROUTING, nat.OUTPUT, and all the mangle tables. As a result, I've spent nearly an hour trying to figure out how to DNAT packets coming from localhost (you put the DNAT rules in nat.OUTPUT, not nat.PREROUTING).

So, I've come up with another ASCII art diagram displaying /all/ chains. I undoubtedly have some mistakes in it so, please, feel free to correct. I have pdf, dia, and txt versions of the diagram available in the tarball at ftp://go-nix.ca/up/netfilter-diag.tar.bz2 . If you find it easier to correct the dia version instead of hitting the space bar several hundred times, by all means, please do so.

The diagram is based on the above diagram, as well as packet LOGs I've added to every single chain and then triggered by firing a packet from remote to local, from local to remote, from behind local to remote (to trace the FORWARD stuff), and from remote to behind local (via DNAT).
Here's what it looks like to me:

  +--------+
  |Incoming|
  +--------+
       |
       v
 ________________
/                \
|mangle.PREROUTING|
\________________/
       |
       v
 ______________
/              \
|nat.PREROUTING|
\______________/
       |
       v                                   ______________     ______________
  [Routing ]                              /              \   /              \
  [Decision]----------------+------------>|mangle.FORWARD|-->|filter.FORWARD|
       ^                    |             \______________/   \______________/
       |                    v                                       |
 _____________         ____________                                 v
/             \       /            \                        __________________
|filter.OUTPUT|       |mangle.INPUT|                       /                  \
\_____________/       \____________/                       |mangle.POSTROUTING|
       ^                    |                              \__________________/
       |                    v                                       |
 __________            ____________                                 v
/          \          /            \                          _______________
|nat.OUTPUT|          |filter.INPUT|                         /               \
\__________/          \____________/                         |nat.POSTROUTING|
       ^                    |                                \_______________/
       |                    v                                       |
 _____________              |                                       v
/             \             v                                  +--------+
|mangle.OUTPUT|<----- Local Process                            |Outgoing|
\_____________/                                                +--------+

Please correct this as necessary. I'd like to finally get iptables straight, in my mind at least. Thanks!
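As an added example (not part of the original post), here is a small POSIX sh script that generates the per-chain LOG rules the tracing described above relies on, one per table/chain in the diagram, plus the nat.OUTPUT DNAT rule for locally generated traffic. The ICMP match and the 192.0.2.10/10.0.0.5 addresses are constructed assumptions; the script only prints the iptables commands so they can be reviewed before being applied.

```sh
#!/bin/sh
# Added example: print one LOG rule per netfilter chain so a test packet's
# path through the chains can be read back from the kernel log (dmesg),
# in the order the prefixes appear.  Nothing is applied unless the output
# is piped to a root shell, e.g.:  sh trace.sh | sudo sh

# table:chain pairs, listed in the traversal order the diagram shows
TRACE_CHAINS="mangle:PREROUTING nat:PREROUTING mangle:INPUT filter:INPUT \
mangle:OUTPUT nat:OUTPUT filter:OUTPUT mangle:FORWARD filter:FORWARD \
mangle:POSTROUTING nat:POSTROUTING"

# Emit an iptables command that LOGs packets matching $1 at the top of
# every chain.  $1 is a match expression such as "-p icmp" (assumed test
# traffic; pick something only the test packet will match).
gen_trace_rules() {
    match="$1"
    for tc in $TRACE_CHAINS; do
        table=${tc%%:*}
        chain=${tc#*:}
        # "-I <chain> 1" puts the LOG rule first so no earlier rule can
        # drop or accept the packet before it is logged; the prefix names
        # table and chain so the log lines read as a traversal trace.
        printf 'iptables -t %s -I %s 1 %s -j LOG --log-prefix "[%s.%s] "\n' \
            "$table" "$chain" "$match" "$table" "$chain"
    done
}

# The rule the post arrives at: DNAT for packets generated on this host
# lives in nat.OUTPUT (nat.PREROUTING never sees locally generated
# packets).  Addresses are constructed: connections the local box opens
# to 192.0.2.10:80 get redirected to 10.0.0.5:80.
gen_local_dnat() {
    printf 'iptables -t nat -A OUTPUT -d 192.0.2.10 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.5:80\n'
}

gen_trace_rules "-p icmp"
gen_local_dnat
```

After applying the rules and sending one test packet, `dmesg` shows the `[table.CHAIN]` prefixes in the order the packet traversed them, which is exactly the evidence the diagram above was built from.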