Iptables Packet Handling Details

From NovaOrdis Knowledge Base

Internal

Incoming Packets

  1. The packet arrives at the network interface (eth0).
  2. The hardware sends the packet to the proper device driver in the kernel.
  3. The device driver sends the packet to the netfilter code.
  4. The packet is first sent to the "raw" table, and handled by the PREROUTING chain. This chain is used to handle packets before the connection tracking takes place. It can be used to set a specific connection not to be handled by the connection tracking code for example.
  5. Connection tracking code takes place.
  6. The packet is sent to the "mangle" table, and handled by the PREROUTING chain. This chain is normally used for mangling packets, i.e., changing TOS and so on.
  7. The packet is then sent to the "nat" table and is handled by the PREROUTING chain. This chain is used for DNAT mainly. Avoid filtering in this chain since it will be bypassed in certain cases.
  8. Routing decisions are made: is the packet destined for our local host, or does it need to be forwarded?
  9. If the packet is destined for the local host, it is sent to the "mangle" table, INPUT chain. We use this chain to mangle packets, after they have been routed, but before they are actually sent to the process on the machine.
  10. Then the packet is sent to the "filter" table, INPUT chain. This is where we do filtering for all incoming traffic destined for our local host. Note that all incoming packets destined for this host pass through this chain, no matter what interface or in which direction they came from.
  11. The packet is sent to the local process.

Outgoing Packets

  1. The local process creates the packet and passes it to the kernel.
  2. Routing decisions are made: which source address to use, which outgoing interface to use, and whatever other information needs to be gathered.
  3. The packet is passed to the "raw" table, OUTPUT chain. This is where you do work before the connection tracking has taken place for locally generated packets. You can mark connections so that they will not be tracked for example.
  4. Connection tracking work takes place (state changes, etc).
  5. The packet is sent to the "mangle" table, OUTPUT chain. This is where we mangle packets; it is suggested that you do not filter in this chain since it can have side effects.
  6. The packet is sent to the "nat" table, OUTPUT chain. This chain can be used to NAT outgoing packets from the firewall itself.
  7. At this point routing decisions are made again, since the previous mangle and NAT changes may have changed how the packet should be routed.
  8. The packet is sent to the "filter" table, OUTPUT chain.
  9. The packet is sent to the "mangle" table, POSTROUTING chain. The POSTROUTING chain in the mangle table is mainly used when we want to do mangling on packets before they leave our host, but after the actual routing decisions. This chain will be hit by both packets just traversing the firewall, as well as packets created by the firewall itself.
  10. The packet is sent to the "nat" table, POSTROUTING chain. This is where we do SNAT. It is suggested that you don't do filtering here since it can have side effects, and certain packets might slip through even though you set a default policy of DROP.
  11. The packet is sent to the interface.

Forwarded Packets

  1. The packet arrives at the network interface (eth0).
  2. The hardware sends the packet to the proper device driver in the kernel.
  3. The device driver sends the packet to the netfilter code.
  4. The packet is first sent to "raw"/PREROUTING. This chain is used to handle packets before the connection tracking takes place. It can be used to set a specific connection not to be handled by the connection tracking code for example.
  5. Connection tracking code takes place.
  6. The packet is sent to the "mangle"/PREROUTING. This chain is normally used for mangling packets, i.e., changing TOS and so on.
  7. The packet is then sent to the "nat"/PREROUTING chain. This chain is used for DNAT mainly. Avoid filtering in this chain since it will be bypassed in certain cases.
  8. Routing decisions are made: is the packet destined for our local host, or does it need to be forwarded?
  9. If the packet is to be forwarded, it is sent to "mangle"/FORWARD. This can be used for very specific needs, where we want to mangle the packets after the initial routing decision, but before the last routing decision made just before the packet is sent out.
  10. Then the packet is sent to the "filter"/FORWARD. Only forwarded packets go through here, and here we do all the filtering. Note that all traffic that's forwarded goes through here (not only in one direction), so you need to think about it when writing your rule-set.
  11. The packet is sent to "mangle"/POSTROUTING. This chain is used for specific types of packet mangling that we wish to take place after all kinds of routing decisions have been done, but still on this machine.
  12. The packet is sent to "nat"/POSTROUTING. This chain should first and foremost be used for SNAT. Avoid doing filtering here, since certain packets will bypass this chain entirely. This is also where Masquerading is done.
  13. The packet goes out on the outgoing interface.
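The three traversal paths above carry two recurring caveats: do not filter (DROP/REJECT) outside the "filter" table, because the raw, mangle and nat chains are bypassed for some packets, and remember that "filter"/FORWARD sees forwarded traffic in both directions. The following is an added example, not code from the original page, that lints a ruleset in iptables-save format for exactly those two mistakes; the ruleset is constructed here and the interface names are assumptions.

```shell
#!/bin/sh
# lint_ruleset reads iptables-save format on stdin and prints one line per
# finding. Constructed example; not part of the original page.
lint_ruleset() {
    awk '
        # "*raw", "*nat", "*filter" ... mark the start of each table
        /^\*/ { table = substr($0, 2); next }
        /^-A/ {
            chain = $2
            # Terminating filter targets belong in the "filter" table only:
            # nat chains, for instance, only see the first packet of a flow.
            if (table != "filter" && $0 ~ / -j (DROP|REJECT)/)
                printf "filtering in %s/%s: %s\n", table, chain, $0
            # FORWARD is hit by traffic in both directions; a rule without
            # -i or -o applies to packets flowing either way.
            if (table == "filter" && chain == "FORWARD" && $0 !~ /(^| )-[io] /)
                printf "direction-less FORWARD rule: %s\n", $0
        }
    '
}

# Constructed sample ruleset (interface names eth0/eth1 are assumptions).
SAMPLE_RULES='*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp --dport 514 -j NOTRACK
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.5:8080
-A PREROUTING -i eth0 -p tcp --dport 23 -j DROP
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -p tcp --dport 22 -j ACCEPT
COMMIT'

# Number of findings for the sample ruleset.
lint_count() { printf '%s\n' "$SAMPLE_RULES" | lint_ruleset | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_RULES" | lint_ruleset
```

Against a live system, replace the constructed ruleset with `iptables-save | lint_ruleset`.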