For a complete flowchart of how iptables works refer to this link. A simplified version from the Arch wiki is below. In each box the lowercase word on top is the table and the upper case word below is the chain. All incoming packets start from the "Network" entry at the top of the flowchart. At the first "Routing decision" entry it is decided whether the packet is for the local machine or should be forwarded to another machine. In the former case the packet goes to the "INPUT" chain of the "filter" table and is eventually delivered to the corresponding local process. In the latter case the packet goes to the "FORWARD" chain of the filter table and, after the second "Routing decision", it is sent on to the destination machine.
For packets that are generated on the local machine, the start entry in the flowchart is "[local process]". Then the packet goes to the "OUTPUT" chain of the nat table and so on, and eventually it is sent to the destination machine.
The first "Routing decision" decides whether the final destination of the packet is this machine or another machine. In the former case the packet goes through the INPUT chains; in the latter case it goes through the FORWARD chains.
The second "Routing decision" decides which interface the outgoing packet is assigned to.
                               XXXXXXXXXXXXXXXXXX
                             XXX    Network    XXX
                               XXXXXXXXXXXXXXXXXX
                                       +
                                       |
                                       v
 +-------------+              +------------------+
 |table: filter| <---+        | table: nat       |
 |chain: INPUT |     |        | chain: PREROUTING|
 +-----+-------+     |        +--------+---------+
       |             |                 |
       v             |                 v
 [local process]     |           ****************          +--------------+
       |             +---------+ Routing decision +------> |table: filter |
       v                         ****************          |chain: FORWARD|
 ****************                                          +------+-------+
 Routing decision                                                 |
 ****************                                                 |
       |                                                          |
       v                        ****************                  |
 +-------------+       +------> Routing decision <----------------+
 |table: nat   |       |        ****************
 |chain: OUTPUT|       |               +
 +-----+-------+       |               |
       |               |               v
       v               |      +-------------------+
 +--------------+      |      | table: nat        |
 |table: filter | +----+      | chain: POSTROUTING|
 |chain: OUTPUT |             +--------+----------+
 +--------------+                      |
                                       v
                               XXXXXXXXXXXXXXXXXX
                             XXX    Network    XXX
                               XXXXXXXXXXXXXXXXXX
filter
    is the default table and we do all the filtering here, like dropping a packet
nat
    is used for destination NAT (DNAT), source NAT (SNAT) and IP masquerading

A chain has a set of rules that are followed from top to bottom until a rule is matched. If no match is found, the default policy of the chain is applied.

filter
    contains three built-in chains: "INPUT", "OUTPUT" and "FORWARD"
nat
    contains the "PREROUTING", "POSTROUTING" and "OUTPUT" chains

The default policy of a chain is either ACCEPT or DROP. If the packet passes through all existing rules in the chain and no match is found, then the default policy is applied.

In a rule, instead of the ACCEPT or DROP target, we can jump to a user-defined chain. As in the predefined chains, the rules are passed through from top to bottom until a match is found; otherwise we return to the previous chain. The following image is from this link and shows the process of visiting a user-defined chain: