@unixzen
Forked from mcastelino/iptables-cheatsheet.md
Created June 26, 2023 09:06
iptables-cheatsheet

References:

  • https://www.digitalocean.com/community/tutorials/a-deep-dive-into-iptables-and-netfilter-architecture
  • https://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO-3.html

The netfilter hooks in the kernel and where they hook in the packet flow

                                   netfilter hooks

                                  +-----------> local +-----------+
                                  |             process           |
                                  |                               |
                                  |                               |
                                  |                               |
                                  |                               v
  MANGLE            +-------------+--------+
  FILTER            |                      |               +----------------------+    RAW
  SECURITY          |        input         |               |                      |    conntrack
  SNAT              |                      |               |     output           |    MANGLE
                    +------+---------------+               |                      |    DNAT
                           ^                               +-------+--------------+    routing
                           |                                       |                   FILTER
                           |                                       |                   SECURITY
                           |            +---------------------+    |         +-------------+
     +-----------+                      |                     |    +-------> |             |
+--> |pre routing+----  route    -----> |      forward        |              |post routing +---->
     |           |      lookup          |                     +------------> |             |
     +-----------+                      +---------------------+              +-------------+
     
     RAW                                       MANGLE                         MANGLE
     conntrack                                 FILTER                         SNAT
     MANGLE                                    SECURITY
     DNAT
     routing
  • Incoming packets destined for the local system: PREROUTING -> INPUT
  • Incoming packets destined to another host: PREROUTING -> FORWARD -> POSTROUTING
  • Locally generated packets: OUTPUT -> POSTROUTING

Tables

  • The iptables firewall uses tables to organize its rules
  • These tables classify rules according to the type of decisions they are used to make

Chains

  • Within each iptables table, rules are further organized within separate "chains"
  • Chains map to netfilter hooks

Different Tables

  • filter: INPUT FORWARD OUTPUT
  • nat:
    • DNAT: PREROUTING OUTPUT
    • SNAT: INPUT POSTROUTING
  • mangle: ALL chains; used to modify or mark packets. The mark is stored on the kernel sk_buff, not in the packet itself, so it never leaves the host
  • raw: PREROUTING OUTPUT
  • security

Order of Chain evaluation across tables

  • raw: used to bypass connection tracking (evaluated before conntrack sees the packet)
  • (connection tracking enabled)
  • mangle
  • nat (DNAT)
  • (routing decision)
  • filter
  • security
  • nat (SNAT)

IPTables Rules

  • Rules are placed within a specific chain of a specific table
  • Note: the table determines the order of evaluation (see the ordering above)
  • A target is the action that is triggered when a packet meets the matching criteria of a rule
    • Terminating targets (e.g. ACCEPT, DROP, REJECT): perform an action which ends evaluation within the chain and returns control to the netfilter hook
    • Non-terminating targets (e.g. LOG, MARK): perform an action and continue evaluation within the chain
    • Special class of non-terminating target: the jump target, which transfers evaluation to another chain

User-Defined Chains

  • User-defined chains can only be reached by "jumping" to them from a rule via the jump target; no netfilter hook calls them directly
  • They can in turn jump to other chains, and RETURN (or falling off the end of the chain) hands control back to the rule after the jump in the calling chain
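The ruleset below is an added example, not part of the original gist, and ties the concepts above together in iptables-restore format: a raw-table conntrack bypass, a mangle MARK, and a user-defined filter chain reached through a jump that shows a non-terminating LOG, a terminating DROP and a RETURN. The interface (eth0), UDP port 5201 and the 10.0.0.0/24 subnet are assumed sample values.

```shell
#!/bin/sh
# Added example (not from the gist): emit an iptables-restore ruleset covering the
# concepts above. eth0, UDP port 5201 and 10.0.0.0/24 are assumed sample values.
gen_ruleset() {
cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
# raw runs before connection tracking: exempt a high-volume UDP flow from conntrack
-A PREROUTING -p udp --dport 5201 -j CT --notrack
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
# MARK is non-terminating and sets a mark on the sk_buff, not in the packet
-A PREROUTING -i eth0 -p tcp --dport 22 -j MARK --set-mark 0x1
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# user-defined chain: unreachable unless a rule jumps to it
:SSH_GUARD - [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# jump target: hand SSH packets to the user-defined chain
-A INPUT -p tcp --dport 22 -j SSH_GUARD
# RETURN: trusted sources go back to INPUT at the rule after the jump
-A SSH_GUARD -s 10.0.0.0/24 -j RETURN
# LOG is non-terminating: the packet continues to the next rule
-A SSH_GUARD -m limit --limit 5/min -j LOG --log-prefix "ssh-guard: "
# DROP is terminating: evaluation ends here for everything that did not RETURN
-A SSH_GUARD -j DROP
# only packets that RETURNed from SSH_GUARD reach this rule
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in the generated ruleset (quick sanity check).
rule_count() {
  gen_ruleset | grep -c '^-A'
}
```

To parse the ruleset without committing it, pipe it into `iptables-restore --test` (requires root); drop `--test` to load it.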