On 15.05.19 at 06:29, zrm wrote:
> I added this rule:
>
> iptables -t nat -A INPUT -p icmp -j LOG
>
> Then when I ping localhost, nothing is logged. If I add the same rule to
> nat POSTROUTING, then the packet is logged, implying that nat
> POSTROUTING is being traversed for locally-destined locally-generated
> packets rather than nat INPUT.
>
> This is not what I would have expected from the documentation.
>
> I tried the same thing with the same chains in the mangle table and in
> that case POSTROUTING and INPUT are *both* traversed for local-to-local
> packets.
>
> Is this (including the inconsistency between nat and mangle) the
> intended behavior for some reason or is it a bug?

Why should "ping localhost" ever touch the INPUT chain of NAT?

DNAT -> PREROUTING
SNAT -> POSTROUTING

https://stuffphilwrites.com/wp-content/uploads/2014/09/FW-IDS-iptables-Flowchart-v2019-04-30-1.png
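A way to answer the traversal question above without depending on the LOG target, added here as an example and not code from anyone in this thread: snapshot the per-chain policy packet counters of a table before and after the probe and look at which chains moved. It assumes the table has no terminating rules (so every packet falls through to the chain policy and is counted there); the `probe_table` function needs root and a live iptables, while the parsing runs on the constructed listing embedded below.

```shell
#!/bin/sh
# Added example, not code from the thread. Instead of relying on -j LOG to
# see which chains "ping localhost" traverses, compare each chain's policy
# packet counter from "iptables -t <table> -L -v -n -x" (-x = exact, no
# K/M suffixes) before and after the probe. Assumes no terminating rule in
# the table, so every packet reaches the chain policy and is counted there.

# Print the policy packet counter of one chain from a listing on stdin.
# Header line shape: Chain INPUT (policy ACCEPT 4 packets, 336 bytes)
policy_pkts() {
    awk -v chain="$1" '
        $1 == "Chain" && $2 == chain && $3 == "(policy" { print $5; found = 1 }
        END { if (!found) print 0 }   # unknown chain counts as 0
    '
}

# Packet delta for chain $3 between listing $1 (before) and $2 (after).
chain_delta() {
    b=$(printf '%s\n' "$1" | policy_pkts "$3")
    a=$(printf '%s\n' "$2" | policy_pkts "$3")
    echo $((a - b))
}

# Live use (root): probe_table nat 'ping -c 1 127.0.0.1'
# Prints "<chain> <delta>"; a non-zero delta means the chain was traversed.
probe_table() {
    before=$(iptables -t "$1" -L -v -n -x)
    $2 >/dev/null 2>&1
    after=$(iptables -t "$1" -L -v -n -x)
    printf '%s\n' "$after" | awk '$1 == "Chain" { print $2 }' | while read -r c; do
        echo "$c $(chain_delta "$before" "$after" "$c")"
    done
}

# Constructed snapshots (made-up numbers) so the parsing runs without root:
# after the probe, OUTPUT and POSTROUTING moved by one packet, INPUT did not.
BEFORE_NAT='Chain PREROUTING (policy ACCEPT 10 packets, 600 bytes)
    pkts      bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 4 packets, 336 bytes)
Chain OUTPUT (policy ACCEPT 7 packets, 588 bytes)
Chain POSTROUTING (policy ACCEPT 7 packets, 588 bytes)'
AFTER_NAT=$(printf '%s\n' "$BEFORE_NAT" | sed 's/ACCEPT 7 packets, 588 bytes/ACCEPT 8 packets, 672 bytes/')

# Check on the constructed data: prints "POSTROUTING 1" and "INPUT 0".
for c in POSTROUTING INPUT; do echo "$c $(chain_delta "$BEFORE_NAT" "$AFTER_NAT" "$c")"; done
```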