30

I am trying to understand how this system works and I have trouble understanding the difference between using NAT PREROUTING or filter FORWARD. From what I understand, PREROUTING can send the packet to another server, avoiding the filter. If NAT can handle this via PREROUTING, what is the purpose of having a FORWARD rule in the filter?

Eliah Kagan
  • 119,640
GheorGhe
  • 413

3 Answers

35

NAT Table:

This table should only be used for NAT (Network Address Translation) on different packets. In other words, it should only be used to translate the packet's source field or destination field.

Filter Table:

The filter table is mainly used for filtering packets. We can match packets and filter them in whatever way we want. This is the place where we actually take action against packets, look at what they contain, and DROP or ACCEPT them depending on their content. Of course we may also do prior filtering; however, this particular table is the place for which filtering was designed.

In Traversing of tables and chains we can see that filter's FORWARD chain is traversed only by forwarded packets (packets that come from network AND go out to network), i.e. your computer is acting like a router, while nat's PREROUTING chain is traversed by both forwarded packets and packets whose destination is the local host.

You should use nat's PREROUTING only to change the destination address of the packets and filter's FORWARD only for filtering (dropping/accepting packets).

If we get a packet into the first routing decision that is not destined for the local machine itself, it will be routed through the FORWARD chain. If the packet is, on the other hand, destined for an IP address that the local machine is listening to, we would send the packet through the INPUT chain and to the local machine.

(diagram of packet traversal through the tables and chains; image not reproduced)

Packets may be destined for the local machine, but the destination address may be changed within the PREROUTING chain by doing NAT. Since this takes place before the first routing decision, the packet will be looked upon after this change. Because of this, the routing may be changed before the routing decision is done. Do note that all packets will be going through one or the other path in this image. If you DNAT a packet back to the same network that it came from, it will still travel through the rest of the chains until it is back out on the network.

D.B.K
  • 103
Eric Carvalho
  • 55,453
10

PREROUTING: This chain is used to make any routing-related decisions before (PRE) sending any packets. Always remember that in PREROUTING/POSTROUTING, i.e. the NAT table, the ACCEPT/DROP/REJECT etc. targets of the default FILTER table will not work. The NAT table is only used for taking routing decisions. You should use PREROUTING when taking any routing decisions, i.e. the decisions which need to be taken before the packet starts traversing the network. Here is an example where we redirect any traffic that just reached the server on port 80 to port 8080:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

FORWARD: As the name suggests, the FORWARD chain of the FILTER table is used to forward packets from a source to a destination, where the source and destination are two different hosts. So, as you can imagine, FORWARD rules are basically used on servers where one host is sending/receiving traffic from another host via the server. When the packet is generated by the server the chain is OUTPUT, i.e. the traffic is going out from the server itself, whereas the INPUT chain means the packets are meant for the server itself only. Here is an example of a FORWARD chain rule where any TCP traffic received on port 80 on interface eth0 meant for the host 192.168.0.4 will be accepted and forwarded to 192.168.0.4:

iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 192.168.0.4 -j ACCEPT

heemayl
  • 93,925
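A small model of the traversal order described in the first answer, using the 192.168.0.4 web host from the second answer's FORWARD rule. This is an added example, not code from either answer; the rule tuples, the Router class and the sample addresses (203.0.113.1, 198.51.100.7) are this example's own constructions. It shows why a DNAT in nat PREROUTING does not bypass the filter: the rewritten packet is still dropped by FORWARD until a FORWARD rule accepts it.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    dport: int

@dataclass
class Router:
    local_ips: set
    # nat PREROUTING DNAT rules: (match_dst, match_dport, new_dst, new_dport)
    dnat_rules: list = field(default_factory=list)
    # filter FORWARD rules: (match_dst, match_dport, verdict); None matches anything
    forward_rules: list = field(default_factory=list)
    forward_policy: str = "DROP"  # chain policy when no FORWARD rule matches

    def traverse(self, pkt):
        path = []
        # 1. nat PREROUTING runs before the routing decision, so DNAT can rewrite dst
        for m_dst, m_port, new_dst, new_port in self.dnat_rules:
            if m_dst in (None, pkt.dst) and m_port in (None, pkt.dport):
                pkt = Packet(pkt.src, new_dst, new_port)
                path.append("nat:PREROUTING DNAT")
                break
        # 2. routing decision on the (possibly rewritten) destination
        if pkt.dst in self.local_ips:
            path.append("filter:INPUT")
            return path, "ACCEPT"  # INPUT filtering is not modelled here
        # 3. forwarded packets are accepted or dropped only in filter FORWARD
        verdict = self.forward_policy
        for m_dst, m_port, rule_verdict in self.forward_rules:
            if m_dst in (None, pkt.dst) and m_port in (None, pkt.dport):
                verdict = rule_verdict
                break
        path.append("filter:FORWARD " + verdict)
        return path, verdict

def demo():
    # constructed sample: router owns 203.0.113.1, web host 192.168.0.4 sits behind it
    router = Router(local_ips={"203.0.113.1"},
                    dnat_rules=[("203.0.113.1", 80, "192.168.0.4", 80)])
    web = Packet("198.51.100.7", "203.0.113.1", 80)
    ssh = Packet("198.51.100.7", "203.0.113.1", 22)
    results = {"dnat_only": router.traverse(web)}
    # the DNAT alone is not enough: the rewritten packet still hits FORWARD
    router.forward_rules.append(("192.168.0.4", 80, "ACCEPT"))
    results["dnat_plus_forward"] = router.traverse(web)
    results["local"] = router.traverse(ssh)  # not DNATed, so it goes to INPUT
    return results
```

Calling demo() returns, per case, the chains the packet traversed and the final verdict.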
1

It's helpful to think of the "FORWARDING" chain as the "ROUTING" chain. If a packet comes in on an interface and it isn't destined for the host whose interface it came in on, then it must be "routed" to the host it is destined for. This is accomplished via the "FORWARDING" chain (after the rules there get processed and the packet isn't discarded in some way, of course).

Now, where the "PREROUTING" chain comes into effect is if you want to "alter" the packet in some way to influence where it gets routed to; here is where you do it pre-route (before a routing decision gets made).

So to help with the first question, if a packet in its original form has as its destination a host that isn't the host whose interface it came in on, then the packet will simply traverse the "FORWARDING" chain on its path to get there (no PREROUTING necessary).

However, if the packet has the host whose interface it came in on as its destination, then you can use the "PREROUTING" chain to alter it, and it will get routed via the "FORWARDING" chain to its new destination.