On 5/15/19 13:12, zrm wrote:
On 5/15/19 05:22, Reindl Harald wrote:
On 15.05.19 at 06:29, zrm wrote:
I added this rule:
iptables -t nat -A INPUT -p icmp -j LOG
Then when I ping localhost, nothing is logged. If I add the same rule to
nat POSTROUTING, then the packet is logged, implying that nat
POSTROUTING is being traversed for locally-destined locally-generated
packets rather than nat INPUT.
This is not what I would have expected from the documentation.
I tried the same thing with the same chains in the mangle table and in
that case POSTROUTING and INPUT are *both* traversed for local-to-local
packets.
Is this (including the inconsistency between nat and mangle) the
intended behavior for some reason or is it a bug?
So anyway, I think I figured out what's going on here.
remote to local:
PREROUTING [raw mangle nat]
INPUT [mangle filter nat security]
local to remote:
OUTPUT [raw mangle nat filter security]
POSTROUTING [mangle nat]
remote to remote:
PREROUTING [raw mangle nat]
FORWARD [filter security]
POSTROUTING [mangle nat]
local to local:
OUTPUT [raw mangle nat filter security]
POSTROUTING [mangle nat]
PREROUTING [raw mangle]
INPUT [mangle filter security]
The local to local packets traverse both POSTROUTING *and* INPUT in
general (and both OUTPUT and PREROUTING as well), but the nat chains for
SNAT and DNAT are only traversed once each. For local to local packets,
the earliest DNAT chain is OUTPUT and the earliest SNAT chain is
POSTROUTING, so that's where DNAT and SNAT get set up, and by the time
you get to PREROUTING and INPUT, DNAT and SNAT are already configured so
those nat chains aren't traversed.
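A way to reproduce the measurement above on a live box, as an added example that is not code from the thread: every table/chain that can hold a LOG rule gets its own prefix, one echo-request is sent to 127.0.0.1, and the kernel log is reduced to the list of chains that fired. The tag "nfpath", the helper names and the sample dmesg lines (constructed, not a real capture) are this example's own choices; installing the rules needs root on Linux with iptables (and a kernel that can load iptable_security).

```shell
#!/bin/sh
# Added example, not code from the thread: give every table/chain its own
# LOG prefix, ping 127.0.0.1 once and read back which chains fired.
# Needs root plus iptables; the "nfpath" tag and helper names are assumptions.

LOG_TAG="nfpath"

# table:chain pairs that can carry a LOG rule, listed in the order the
# hooks run for a locally generated, locally delivered packet.
PATHS="raw:OUTPUT mangle:OUTPUT nat:OUTPUT filter:OUTPUT security:OUTPUT
mangle:POSTROUTING nat:POSTROUTING
raw:PREROUTING mangle:PREROUTING nat:PREROUTING
mangle:INPUT filter:INPUT security:INPUT nat:INPUT"

# Insert (-I) or delete (-D) one LOG rule per table/chain. Matching only
# echo-requests keeps the echo-reply's own traversal out of the log.
manage_rules() {
    for tc in $PATHS; do
        iptables -t "${tc%%:*}" "$1" "${tc#*:}" -p icmp --icmp-type echo-request \
            -j LOG --log-prefix "$LOG_TAG ${tc%%:*}/${tc#*:} "
    done
}

# Reduce kernel log lines on stdin to the space-separated list of
# "table/chain" tokens that fired, in log order.
fired_chains() {
    sed -n "s|.*$LOG_TAG \([a-z]*/[A-Z]*\) .*|\1|p" | tr '\n' ' ' | sed 's/ $//'
}

# Same, but keep only the nat table hits: for a loopback packet these
# should be nat/OUTPUT and nat/POSTROUTING only.
nat_hits() {
    fired_chains | tr ' ' '\n' | grep '^nat/' | tr '\n' ' ' | sed 's/ $//'
}

# Live probe. Conntrack is flushed first because the nat table is only
# consulted for the first packet of a flow: a ping that matches an existing
# conntrack entry never enters any nat chain, in whatever hook.
run_probe() {
    manage_rules -I
    conntrack -F 2>/dev/null || true
    before=$(dmesg | wc -l)
    ping -c 1 127.0.0.1 >/dev/null
    dmesg | tail -n +$((before + 1)) | fired_chains
    echo
    manage_rules -D
}

# Constructed sample of the kernel lines such a run produces (not a real
# capture), in the order the thread reports for local-to-local traffic.
SAMPLE_DMESG='[10.0] nfpath raw/OUTPUT IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8
[10.0] nfpath mangle/OUTPUT IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8
[10.0] nfpath nat/OUTPUT IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8
[10.0] nfpath filter/OUTPUT IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8
[10.0] nfpath security/OUTPUT IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8
[10.0] nfpath mangle/POSTROUTING IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8
[10.0] nfpath nat/POSTROUTING IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8
[10.0] nfpath raw/PREROUTING IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8
[10.0] nfpath mangle/PREROUTING IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8
[10.0] nfpath mangle/INPUT IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8
[10.0] nfpath filter/INPUT IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8
[10.0] nfpath security/INPUT IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=ICMP TYPE=8'

# Offline check against the constructed sample (no root needed).
sample_chains() { printf '%s\n' "$SAMPLE_DMESG" | fired_chains; }
sample_nat_hits() { printf '%s\n' "$SAMPLE_DMESG" | nat_hits; }

if [ "${1:-}" = run ]; then run_probe; else sample_chains; echo; sample_nat_hits; echo; fi
```

Run it as root with `sh probe.sh run` to take a live reading; without arguments it only parses the constructed sample. Each ping process uses a fresh ICMP id, so every run is a new conntrack entry, but if you retest with a long-running ping or a TCP connection that is already established, expect no nat lines at all rather than a traversal bug.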