Tony Clayton wrote: <lots of info on chain traversal>
> This is quite interesting, and not at all what I'd expected based on what I'd read.
Depends on what you read :-)
> I have a list of questions about this behaviour, keeping in mind that I'm fairly new to iptables/netfilter:
>
> 1. Why does only the first packet for a TCP/IP connection seem to pass through the nat table? Does connection tracking take over if the packet is (ESTABLISHED,RELATED) and work some magic under the covers?

Yes. When you change a packet in the nat table, all following packets are nat'ed automatically. This way you do not have to worry about natting replies etc.
> 2. Why do both OUTPUT and POSTROUTING chains get traversed for packets that the firewall sends out? Is this useful at all?

Yes. In POSTROUTING you may not know if the packet has been generated locally or not. However, in the mangle-output chain you do. Another usage that cannot be done in POSTROUTING is alterations to the packet before it hits the filter-output chain. This can e.g. be used in conjunction with packet marking:

iptables -t mangle -A OUTPUT -j MARK --set-mark 0x01
iptables -t filter -A OUTPUT -m mark --mark 0x01 -j ACCEPT

(Ok - this example is very simple, but still - it's impossible without the mangle-output chain)
> 3. Most of the documents I looked at were fairly old. Is there a somewhat recent document that perhaps might benefit from including these tests?

Yes. Take a look at Oskar Andreasson's excellent tutorial at: http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html Esp. look at the section named: "Traversing of tables and chains"

Hope it helps.

Anders Fugmann
--
Author of FIAIF
FIAIF is an intelligent firewall
http://fiaif.fugmann.dhs.org