Here is the diagram I keep stuck to my wall for reference when dealing with iptables.
I cannot remember what site I used as a reference when creating the diagram. The original was an ascii chart though. This is created in dia and exported to pdf too. Both attached for convenience. CC licensed as long as the original chart I copied allows it.
Packet flow examples:
All packets to or from localhost travel down the left side of the chart.
From external destination localhost: PREROUTING -> INPUT -> [Local Process] -> OUTPUT -> POSTROUTING.
From localhost destination external: OUTPUT -> POSTROUTING -> [External Host] -> PREROUTING -> INPUT.
All forwarded packets travel the right side of the chart and travel all three tables coming in and then again going out.
From external dest internal: PREROUTING -> FORWARD -> POSTROUTING.
Internal response to external: PREROUTING -> FORWARD -> POSTROUTING.
and so forth.
This is what caught me for a while. Forwarded packet travel the right side route and get out of (or in to) the network. The response then gets generated and does not start from FORWARD or POSTROUTING, but from PREROUTING again. So all NEW forwarded packets need to be marked in PREROUTING and the mark saved. Not new packets need that mark restored in PREROUTING, and all packets need that mark restored in POSTROUTING. (As demonstrated by my previous post).
Locally generated traffic only sees OUTPUT and POSTROUTING before hitting the network and needs to be marked before hitting POSTROUTING, hence the OUTPUT chain rules in my previous post.
I will accept changes to the chart too if anybody wants modifications made.
One Comment
ty very much, the best packet flow chart I’ve seen online.