iptables
Flowchart
For a complete flowchart of how iptables works refer to this link. A simplified versions from Arch wiki is below. The lowercase word on top is the table and the upper case word below is the chain. All incoming packets start from "Network" entry in the flowchart. On "Routing decision" entry it will be decided the packet is for local machine or it should be forwarded to another machine. In the former the packet goes to "INPUT" chain in "filter" table and eventually delivered to corresponding local process. In the latter the packet goes to "FORWARD" chain in filter table and after second "Routing decision" it will be sent to destination machine.
For packets that are generated in local machine, the start entry in the flowchart is "[local process]". Then it goes to "OUTPUT" chain in nat table and so on and eventually it will be sent to destination machine.
The first "Routing decision" involves deciding if the final destination of the packet is this machine or another machine. In the former case the packet goes through INPUT chains. In the latter case the packet goes through FORWARD chains.
The second "Routing decision" involves deciding what interface to assign to an outgoing packet.
XXXXXXXXXXXXXXXXXX
XXX Network XXX
XXXXXXXXXXXXXXXXXX
+
|
v
+-------------+ +------------------+
|table: filter| <---+ | table: nat |
|chain: INPUT | | | chain: PREROUTING|
+-----+-------+ | +--------+---------+
| | |
v | v
[local process] | **************** +--------------+
| +---------+ Routing decision +------> |table: filter |
v **************** |chain: FORWARD|
**************** +------+-------+
Routing decision |
**************** |
| |
v **************** |
+-------------+ +------> Routing decision <---------------+
|table: nat | | ****************
|chain: OUTPUT| | +
+-----+-------+ | |
| | v
v | +-------------------+
+--------------+ | | table: nat |
|table: filter | +----+ | chain: POSTROUTING|
|chain: OUTPUT | +--------+----------+
+--------------+ |
v
XXXXXXXXXXXXXXXXXX
XXX Network XXX
XXXXXXXXXXXXXXXXXX
Tables
filteris the default table and we do all the filtering here like dropping a packetnatis used for destination NAT (DNAT), source NAT (SNAT) and IP masquerading
Chains
A chain has a set of rules that are followed from top to bottom until a rule is matched. If we cannot find a match the default policy for chain will be applied.
- The default table
filtercontains three built-in chains: "INPUT", "OUTPUT" and "FORWARD" chains - The table
natcontains "PREROUTING", "POSTROUTING" and "OUTPUT" chains - Chains have a default policy which can be either
ACCEPTorDROP. If the packet pass through all existing rules in the chain and no match is found, then the default policy will be applied
User-Defined Chains
In a rule instead of ACCEPT or DROP target, we can jump to a user-defined chain. Like the predefined, the rules are pass through from top to bottom until a match is found. otherwise we return to previous chain. The following image is from this link that shows the process of visiting a user-defined chain:
Useful Links
- Arch Wiki
- Simple stateful firewall by Arch Wiki
- Flowchart
- Flowchart explanation
- Iptables tutorial: This is a very good explanation of Internet Protocols as well as how iptables works