Sources:
https://www.digitalocean.com/community/tutorials/a-deep-dive-into-iptables-and-netfilter-architecture
https://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO-3.html

The netfilter hooks in the kernel and where they hook in the packet flow
------------------------------------------------------------------------

(The original ASCII diagram of the five netfilter hooks was garbled during extraction. Its labels show the tables consulted at each hook, in order: PREROUTING: RAW, MANGLE, conntrack, DNAT, then the route lookup; INPUT: MANGLE, FILTER, SECURITY, SNAT, then the local process; FORWARD: MANGLE, FILTER, SECURITY; OUTPUT: RAW, conntrack, MANGLE, DNAT, routing, FILTER, SECURITY; POSTROUTING: MANGLE, SNAT.)

* Incoming packets destined for the local system: PREROUTING -> INPUT
* Incoming packets destined for another host: PREROUTING -> FORWARD -> POSTROUTING
* Locally generated packets: OUTPUT -> POSTROUTING

Tables
------

* The iptables firewall uses tables to organize its rules
* These tables classify rules according to the type of decision they are used to make

Chains
------

* Within each iptables table, rules are further organized within separate "chains"
* Chains map to netfilter hooks

Different Tables
----------------

* filter: INPUT, FORWARD, OUTPUT
* nat:
  * DNAT: PREROUTING, OUTPUT
  * SNAT: INPUT, POSTROUTING
* mangle: all five chains; used to modify or mark packets. The mark is stored on the sk_buff, not in the packet itself
* raw: PREROUTING, OUTPUT
* security

Order of Chain evaluation across tables
---------------------------------------

* raw: used to bypass connection tracking
* (connection tracking enabled)
* mangle
* nat (DNAT)
* (routing decision)
* filter
* security
* nat (SNAT)

IPTables Rules
--------------

* Rules are placed within a specific chain of a specific
  table
* Note: the table determines the order of evaluation
* A target is the action that is triggered when a packet meets the matching criteria of a rule
* Terminating targets: perform an action which terminates evaluation within the chain and returns control to the netfilter hook
* Non-terminating targets: perform an action and continue evaluation within the chain
* A special class of non-terminating target: the jump target

User-Defined Chains
-------------------

* User-defined chains can only be reached by "jumping" to them from a rule via the jump target
* They can in turn jump to other chains
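The following script is an added example for this page; it is not code from the DigitalOcean tutorial or the netfilter HOWTO. It ties together the sections on tables, the cross-table evaluation order, terminating versus non-terminating targets, and user-defined chains by emitting one ruleset in `iptables-restore` format: the raw table bypasses conntrack for one flow, mangle sets a mark that a later filter rule matches, nat does DNAT before routing and MASQUERADE after it, and a user-defined `LOG_DROP` chain pairs the non-terminating `LOG` with the terminating `DROP`. The interface names (`eth0` to the internet, `eth1` to a LAN), the LAN prefix `192.168.1.0/24`, the web server at `192.168.1.10`, and the assumption that the host itself answers DNS for the LAN are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the linked tutorials). Emits an iptables-restore
# ruleset that walks every table in the order the kernel evaluates them.
# Assumptions, constructed for the example: eth0 faces the internet, eth1 faces
# a LAN of 192.168.1.0/24, 192.168.1.10 serves HTTP to be published on :8080,
# and this host runs the LAN's DNS resolver.

build_ruleset() {
  wan_if="${1:-eth0}"
  lan_if="${2:-eth1}"
  lan_net="${3:-192.168.1.0/24}"
  cat <<EOF
# raw: evaluated before connection tracking is enabled. NOTRACK is terminating
# for this table and keeps conntrack from creating an entry for the packet.
# Caveat: untracked packets never match -m conntrack, so they need explicit
# ACCEPT rules below instead of relying on ESTABLISHED,RELATED.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i ${lan_if} -p udp --dport 53 -j NOTRACK
-A OUTPUT -o ${lan_if} -p udp --sport 53 -j NOTRACK
COMMIT

# mangle: MARK is non-terminating. The mark lives in the sk_buff, so later
# tables and chains can match on it, but it never appears on the wire.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ${lan_if} -s ${lan_net} -j MARK --set-mark 0x1
COMMIT

# nat: DNAT sits in PREROUTING (before the routing decision) so the rewritten
# destination is what gets routed; MASQUERADE (SNAT) sits in POSTROUTING.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ${wan_if} -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
-A POSTROUTING -s ${lan_net} -o ${wan_if} -j MASQUERADE
COMMIT

# filter: default-deny INPUT and FORWARD, plus a user-defined chain LOG_DROP
# that is only reachable through the jump target (note the "-" policy slot).
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${lan_if} -p udp --dport 53 -j ACCEPT
-A INPUT -i ${lan_if} -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG_DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${wan_if} -o ${lan_if} -p tcp -d 192.168.1.10 --dport 80 -j ACCEPT
-A FORWARD -m mark --mark 0x1 -o ${wan_if} -j ACCEPT
-A FORWARD -j LOG_DROP
# LOG is non-terminating: the packet is logged, then evaluation continues to
# the terminating DROP. Without that last rule, LOG_DROP would return to the
# calling chain and the packet would fall through to that chain's policy.
-A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
-A LOG_DROP -j DROP
COMMIT
EOF
}

# Parse-check the ruleset without committing it, then load it atomically
# (requires root; --test exists on current iptables-restore versions).
apply_ruleset() {
  build_ruleset "$@" | iptables-restore --test || return 1
  build_ruleset "$@" | iptables-restore
}

case "${MODE:-print}" in
  print) build_ruleset "$@" ;;
  apply) apply_ruleset "$@" ;;
esac
```

Run it as `sh rules.sh > rules.v4` to inspect the generated ruleset, or `MODE=apply sh rules.sh eth0 eth1 192.168.1.0/24` as root to load it. Because the whole ruleset goes through `iptables-restore` in one transaction, the host never sits in a half-applied state, which is the failure mode of applying rules one `iptables` command at a time with a default-deny policy.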