On 5/15/19 01:23, Andre Paulsberg-Csibi wrote:
> New answer, after consulting what I presume is still the correct path
> for "all" INPUT:
> RAW ( PREROUTING )
> CONNTRACK
> MANGLE ( PREROUTING )
> NAT ( PREROUTING )
> ROUTE ENGINE
> MANGLE ( INPUT )
> FILTER ( INPUT )
> Bridge and security not added, note also that NAT is only consulted for
> packets which are "NEW".
> Best regards
> André Paulsberg-Csibi
> Senior Network Engineer - IBM Services AS
Right, so that's the path remote packets destined for local sockets
take. You're missing nat INPUT there with the others, but what you have
looks correct for the old kernels where nat INPUT didn't exist.
My understanding is that PREROUTING is an alternative to OUTPUT and
POSTROUTING is an alternative to INPUT, with OUTPUT and INPUT being used
in the case of locally-generated and locally-destined packets respectively.
So looking just at the nat table, a purely forwarded packet with no
local endpoint would traverse:
nat PREROUTING
nat POSTROUTING
A locally-generated packet routed out of the device would instead traverse:
nat OUTPUT
nat POSTROUTING
Conversely, an external packet destined for the local machine would
traverse:
nat PREROUTING
nat INPUT
Then, completing the set, what I would expect from a locally generated
packet with a local destination would be:
nat OUTPUT
nat INPUT
The first three are consistent with observations, but what I'm actually
seeing for the last is:
nat OUTPUT
nat POSTROUTING
So the chain used is the one as if the destination were not the local
machine, even though it is. But why?
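A way to reproduce the observation in the post above, as an added example that is not part of the thread: put a counter-only rule at the top of each nat chain, send one locally generated packet to a local address, and list the counters to see which chains saw it. The chain list, the 127.0.0.0/8 match, the `probe-*` comment labels and the `nat-probe.sh` name are this example's own choices, and the sample listing used for the offline run is constructed to show the OUTPUT/POSTROUTING result the poster describes, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread.  Reproduces the nat-table
# traversal check: one counter-only rule per nat chain, one locally
# generated probe packet to a local address, then read back which chains
# counted it.  Chain list, match, comment labels and the sample listing
# below are this example's own assumptions.
set -eu

NAT_CHAINS="PREROUTING INPUT OUTPUT POSTROUTING"
PROBE_DST=127.0.0.1

# A rule with no target only counts; the comment labels it for parsing.
# Inserted at position 1 so no earlier rule can take the packet first.
install_counters() {
    for c in $NAT_CHAINS; do
        iptables -t nat -I "$c" 1 -d 127.0.0.0/8 -m comment --comment "probe-$c"
    done
}

remove_counters() {
    for c in $NAT_CHAINS; do
        iptables -t nat -D "$c" -d 127.0.0.0/8 -m comment --comment "probe-$c" || true
    done
}

# Read `iptables -t nat -L -v -n -x` output on stdin and print, on one
# line, the chains whose probe rule saw at least one packet.
chains_hit() {
    awk 'index($0, "/* probe-") > 0 && $1 + 0 > 0 {
             match($0, /probe-[A-Z]+/)
             hit = hit (hit ? " " : "") substr($0, RSTART + 6, RLENGTH - 6)
         }
         END { print hit }'
}

# Live run (needs root, iptables and conntrack).  ping uses a fresh ICMP
# echo id per run, so the probe is a NEW conntrack entry and the nat
# table is actually consulted for it.
live_probe() {
    install_counters
    trap remove_counters EXIT
    ping -c 1 -W 1 "$PROBE_DST" >/dev/null
    iptables -t nat -L -v -n -x | chains_hit
}

# Constructed listing (not captured from a real host) in the shape of
# `iptables -t nat -L -v -n -x`, showing the result the thread reports.
sample_listing() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0            all  --  *      *       0.0.0.0/0            127.0.0.0/8          /* probe-PREROUTING */

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0            all  --  *      *       0.0.0.0/0            127.0.0.0/8          /* probe-INPUT */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1       84            all  --  *      *       0.0.0.0/0            127.0.0.0/8          /* probe-OUTPUT */

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1       84            all  --  *      *       0.0.0.0/0            127.0.0.0/8          /* probe-POSTROUTING */
EOF
}

case "${1:-}" in
    live) live_probe ;;                    # sh nat-probe.sh live   (as root)
    *)    sample_listing | chains_hit ;;   # offline: parses the constructed listing
esac
```

Run it as `sh nat-probe.sh live` as root to take the real measurement; without the argument it only parses the constructed listing. Because nat is consulted only for NEW conntrack entries (as noted earlier in the thread), a probe that matches an already existing entry will be counted in no nat chain at all, so if every chain reads zero, flush the relevant conntrack entries or pick a destination port or echo id that has no entry yet.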