LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   PREROUTING and POSTROUTING (https://www.linuxquestions.org/questions/linux-security-4/prerouting-and-postrouting-887333/)

theuser 06-20-2011 09:04 AM

PREROUTING and POSTROUTING
 
Hello people.

I'm learning about iptables, but I don't fully understand the chains of the NAT table (PREROUTING, POSTROUTING and OUTPUT).
I'm especially unsure about PREROUTING and POSTROUTING.

As far as I know:
- DNAT can be made with PREROUTING
- SNAT can be made with POSTROUTING

NAT does DNAT to change the target of a packet and SNAT to change the source of a packet, so I conclude:
- PREROUTING is for incoming traffic
- POSTROUTING is for outgoing traffic

Is this correct? The previous conclusions seem logical under normal conditions, but they also seem limiting.

I'm thinking of a silly example of DNAT for an employee: when he tries to connect to an adult website, he is redirected to Google.

On the other hand, the "iptables" command says the -o parameter (out interface) can't be used with PREROUTING and the -i parameter (in interface) can't be used with POSTROUTING; this confirms the previous conclusions.

I hope you can help me.

Kind regards and thanks in advance.

win32sux 06-20-2011 01:52 PM

One will see packets before a routing decision is made, and the other after.

Maybe checking out Chapter 6 of Oskar Andreasson's tutorial will help clarify things for you.

theuser 06-20-2011 03:10 PM

Thanks for your reply win32sux.

So I think I got it:
- PREROUTING is for incoming traffic
- POSTROUTING / OUTPUT are for outgoing traffic

But I didn't understand the difference between POSTROUTING and OUTPUT.

Kind regards.

win32sux 06-20-2011 04:32 PM

Quote:

Originally Posted by theuser (Post 4391080)
But I didn't understand the difference between POSTROUTING and OUTPUT.

Look at the drawing in the page I linked.

Notice how all the OUTPUT chains (regardless of table) handle packets from local processes.

theuser 06-20-2011 05:24 PM

Yes, I noticed that.

PREROUTING - DNAT for incoming traffic
OUTPUT - DNAT for outgoing traffic
POSTROUTING - SNAT for outgoing traffic

Is this correct?

Kind regards.

win32sux 06-20-2011 05:45 PM

I think your summary would need to be more specific. For example "outgoing traffic" could refer to both locally and externally generated traffic, and it's important to differentiate. OUTPUT only handles the locally-generated type (before a routing decision). The iptables manual actually includes a good summary near the top:
Quote:

filter:
This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

nat:
This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).

mangle:
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).

raw:
This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets generated by local processes)

theuser 06-20-2011 06:10 PM

Yes, you are right.

PREROUTING - DNAT for incoming packets
OUTPUT - DNAT for outgoing local packets
POSTROUTING - SNAT for outgoing local/forwarded packets

What do you think?

win32sux 06-20-2011 10:00 PM

Sounds good to me. So, getting back to your adult website redirection to Google scenario: How are you planning to do it? Honestly, I'd recommend using Squid for this rather than iptables. Or wait, were you just using it like an example?

BTW, this might be getting moved to Networking for more adequate exposure.

theuser 06-20-2011 10:48 PM

Great, so I will keep that summary in mind.

Regarding my scenario, it was just an example; I do not need to implement it in real life, but now I'm curious why you recommend Squid rather than iptables.

I created the post here because I saw the word "firewall" in the description, but move it to "Networking", no problem with that :).

Kind regards and thanks for the help.

win32sux 06-21-2011 12:17 AM

Quote:

Originally Posted by theuser (Post 4391329)
Regarding my scenario, it was just an example; I do not need to implement it in real life, but now I'm curious why you recommend Squid rather than iptables.

Well, I just see it as the right tool for the job. I mean, HTTP is an application layer protocol, so it makes sense to use Squid instead of iptables (which is meant for dealing with network and transport layer stuff) IMHO. Using Squid also eliminates the need for you to keep track of the adult website's IPs. I know there are other advantages too, but they don't come to mind right now as I'm completely exhausted. Actually, one does come to mind: Things like per-user restrictions aren't feasible with iptables on a dedicated gateway, yet they're a snap with Squid by means of ACLs.

Quote:

I created the post here because I saw the word "firewall" in the description, but move it to "Networking", no problem with that :).
Yeah it fits here too, no worries. Typically, though, it's going to be the context of the question/discussion that will determine whether it gets moved or not. I guess if we look at it from the point of view that you wanted to do things like keep employees away from dangerous websites, then yeah, it would probably be best to leave it here. Besides, the whole "don't fix it if it ain't broken" thing and all that. Still, let me know if you wish for it to be moved and I'll gladly take care of it for you.

Quote:

Kind regards and thanks for the help.
You're very welcome.

And BTW (in case nobody has said it yet): Welcome to LQ!!! :)

theuser 06-21-2011 10:23 AM

Thanks! ;)

theuser 06-26-2011 01:11 PM

Guys, I have a straightforward question:

1. What is the difference between netfilter and iptables?

Regards.

win32sux 06-26-2011 01:53 PM

Quote:

Originally Posted by theuser (Post 4396287)
Guys, I have a straightforward question:

1. What is the difference between netfilter and iptables?

Regards.

Netfilter is the code in the Linux kernel which allows it to provide packet-filtering functionality. iptables is the userspace tool we use to configure said functionality. The website's front page itself has a better description:
Quote:

netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.
Quote:

iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).

theuser 06-27-2011 07:07 AM

So is it OK if I define netfilter as the Linux kernel module which provides packet filtering functionality and iptables as the tool which makes use of that module?

win32sux 06-27-2011 01:03 PM

Quote:

Originally Posted by theuser (Post 4396829)
So is it OK if I define netfilter as the Linux kernel module which provides packet filtering functionality

I'm not an expert, but that definition seems like it might be technically incorrect. Like, if you do an lsmod, you won't see any module named netfilter. What you'll see are Netfilter-related modules for connection tracking, NAT, etc. (in other words, part of the framework described). Netfilter itself is, according to their web page, "a set of hooks inside the Linux kernel".

theuser 06-27-2011 11:08 PM

That is a great distinction.

So I will define netfilter as:
the packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series

and iptables as:
the command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset

What do you think?

By the way, if netfilter is part of the kernel itself, does that mean it is the only way to filter packets?

Is it possible to uninstall netfilter and install another thing?

Kind regards.

Noway2 06-28-2011 04:03 AM

I am a bit late coming to this thread, but I thought I would mention, for anyone who comes across it, that the link win32sux posted above, to Oskar Andreasson's tutorial, is hands down the most comprehensive tutorial I have ever seen on iptables. Where have you been hiding this gem, win32sux?

win32sux 06-29-2011 12:33 AM

Quote:

Originally Posted by theuser (Post 4397582)
That is a great distinction.

So I will define netfilter as:
the packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series

And now the 3.0.x series too, right?

Quote:

and iptables as:
the command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset
Sounds good to me. If you're doing this as part of a paper for school, make sure you follow the citation/reference rules your school uses. Otherwise, it'll look like you're plagiarizing.

Quote:

By the way, if netfilter is part of the kernel itself, does that mean it is the only way to filter packets?

Is it possible to uninstall netfilter and install another thing?
I'm sure it's not only possible, but also quite feasible (given the freely-available source code). That said, I don't really know if anyone's put together such a patch. I do remember having run into at least one thread here in LQSEC where the poster was looking to do precisely that (albeit such a thread would have been moved to Programming), but I don't recall how things played out.

Quote:

Originally Posted by Noway2 (Post 4397763)
Where have you been hiding this gem, win32sux?

LOL! Right next to the rock you've apparently just crawled out from under. :)

theuser 06-29-2011 11:45 PM

Quote:

Originally Posted by win32sux
And now the 3.0.x series too, right?

Wait... I thought the current kernel series was 2.6.x...

1. Is the 3.0.x series already released?

2. What happened with 2.8.x? :)

Kind regards.

win32sux 06-30-2011 01:35 AM

Quote:

Originally Posted by theuser (Post 4399857)
Wait... I thought the current kernel series was 2.6.x...

1. Is the 3.0.x series already released?

2. What happened with 2.8.x? :)

Kind regards.

Linux 3.0 is at RC5 as of yesterday, so it should be released RSN.

To get an idea of why the jump from 2.6.39 to 3.0 was made, check this out.

theuser 06-30-2011 06:37 AM

Great, thanks for the link.

What is RSN?

win32sux 06-30-2011 11:24 PM

Quote:

Originally Posted by theuser (Post 4400132)
Great, thanks for the link.

Sure, no problem.

Quote:

What is RSN?
Real soon now.

theuser 07-01-2011 07:57 AM

Quote:

Originally Posted by win32sux
Real soon now.

Great ;).

So, recapitulating:

Netfilter:
The packet filtering framework inside the Linux 2.4.x, 2.6.x and 3.0.x kernel series

Iptables:
The command line program used to configure the Linux 2.4.x, 2.6.x and 3.0.x IPv4 packet filtering ruleset

Good enough?

win32sux 07-01-2011 09:46 PM

Sounds okay to me.

theuser 07-06-2011 10:45 AM

Hello guys.

I just need to confirm some conclusions I made for my test:

1. every incoming DNATed packet goes necessarily to FORWARD
2. every outgoing SNATed packet not necessarily comes from FORWARD
3. every forwarded packet was DNATed and will be SNATed

Kind regards and thanks for the patience.

theuser 07-13-2011 04:18 PM

Anyone here? :)

win32sux 07-13-2011 11:23 PM

FWIW, #3 seems incorrect to me, as both DNAT and SNAT are optional.

theuser 07-14-2011 12:38 AM

I got to conclusion 3 when I asked myself what happens to a packet when it is forwarded.

I thought: it is DNATed in PREROUTING and SNATed in POSTROUTING.

win32sux 07-14-2011 09:24 AM

Just because a packet traverses those chains doesn't mean it will get sent to those targets.

theuser 07-14-2011 09:37 AM

No, you are right, not every packet is DNATed when it goes through PREROUTING.

But like I said in the first 2 points:
1. every incoming DNATed packet goes necessarily to FORWARD
2. every outgoing SNATed packet not necessarily comes from FORWARD

In 1, DNAT happens in PREROUTING
In 2, SNAT happens in POSTROUTING (necessarily if it comes from FORWARD and optionally if it comes from OUTPUT).

That's why I concluded point 3:
3. every forwarded packet was DNATed and will be SNATed

theuser 07-15-2011 10:34 PM

I think my third point is more understandable if I say it this way:

3. every forwarded packet was DNATed at PREROUTING and SNATed at POSTROUTING
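The chain order win32sux quoted from the iptables manual, and the three conclusions debated in the last few posts, can be checked against a small model. The script below is an added example written for this page; it is not code from the thread, from iptables or from the netfilter project. It replays only the traversal order the manual describes (PREROUTING, then the routing decision, then INPUT or FORWARD, then POSTROUTING; locally generated packets enter at OUTPUT) against a constructed nat table, with constructed addresses from the documentation ranges, and records which chains and nat targets each packet meets. It deliberately ignores the filter table's verdicts, port translation and the reply direction.

```python
"""Toy model of an IPv4 packet's path through the netfilter hooks.

Added example for this thread, not iptables itself: it only reproduces the
order the manual describes.  Packets arriving on an interface go
PREROUTING -> routing decision -> INPUT or FORWARD -> POSTROUTING; packets from
local processes go OUTPUT -> POSTROUTING.  Addresses and rules are constructed.
"""
from dataclasses import dataclass, replace

# Constructed: the gateway's own addresses (LAN side and WAN side).
LOCAL_ADDRS = {"192.0.2.1", "203.0.113.1"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    local_origin: bool = False  # True when a process on this host generated it


# Constructed nat table: (chain, match predicate, target, replacement address).
NAT_RULES = [
    # Port-forward WAN:80 to an internal web server (classic DNAT).
    ("PREROUTING", lambda p: p.dst == "203.0.113.1" and p.dport == 80, "DNAT", "192.0.2.10"),
    # LAN web traffic is pulled into a proxy on the gateway itself (REDIRECT-style DNAT).
    ("PREROUTING", lambda p: p.src.startswith("192.0.2.") and p.dport == 80, "DNAT", "192.0.2.1"),
    # A local process talking to 198.51.100.5 is sent to .6 instead (DNAT before routing).
    ("OUTPUT", lambda p: p.dst == "198.51.100.5", "DNAT", "198.51.100.6"),
    # Anything leaving with a LAN source gets the WAN address (SNAT).
    ("POSTROUTING", lambda p: p.src.startswith("192.0.2."), "SNAT", "203.0.113.1"),
]


def nat_chain(chain, pkt, trace, new_connection):
    """Walk one nat chain.  The nat table is consulted only for new connections."""
    if not new_connection:
        trace.append(f"{chain} (nat not consulted: existing connection)")
        return pkt
    trace.append(chain)
    for rule_chain, match, target, addr in NAT_RULES:
        if rule_chain == chain and match(pkt):
            trace.append(f"{target} -> {addr}")
            # DNAT rewrites the destination, SNAT the source; the first match wins.
            return replace(pkt, dst=addr) if target == "DNAT" else replace(pkt, src=addr)
    return pkt


def traverse(pkt, conntrack=None):
    """Return (trace, translated packet).  `conntrack` maps a flow to its NAT mapping."""
    conntrack = {} if conntrack is None else conntrack
    key = (pkt.src, pkt.dst, pkt.dport, pkt.local_origin)
    new_connection = key not in conntrack
    if not new_connection:
        # Later packets of a flow reuse the translation the first packet received.
        pkt = replace(pkt, src=conntrack[key][0], dst=conntrack[key][1])
    trace = []
    if pkt.local_origin:
        pkt = nat_chain("OUTPUT", pkt, trace, new_connection)  # only local packets see OUTPUT
    else:
        pkt = nat_chain("PREROUTING", pkt, trace, new_connection)
        # The routing decision comes AFTER PREROUTING, so a DNAT there decides
        # whether the packet is for this host (INPUT) or passes through (FORWARD).
        if pkt.dst in LOCAL_ADDRS:
            trace.append("INPUT")
            conntrack[key] = (pkt.src, pkt.dst)
            return trace, pkt  # delivered to a local socket; POSTROUTING is never reached
        trace.append("FORWARD")
    pkt = nat_chain("POSTROUTING", pkt, trace, new_connection)
    conntrack[key] = (pkt.src, pkt.dst)
    return trace, pkt


if __name__ == "__main__":
    ct = {}
    samples = [
        Packet("198.51.100.9", "203.0.113.1", 80),   # internet -> forwarded to web server
        Packet("198.51.100.9", "203.0.113.1", 22),   # internet -> the gateway itself
        Packet("192.0.2.20", "198.51.100.7", 80),    # LAN web request, proxied locally
        Packet("192.0.2.20", "198.51.100.5", 443),   # LAN -> internet, SNAT only
        Packet("203.0.113.1", "198.51.100.5", 443, local_origin=True),  # gateway's own process
        Packet("198.51.100.9", "203.0.113.1", 80),   # second packet of the first flow
    ]
    for p in samples:
        trace, out = traverse(p, ct)
        print(f"{p.src} -> {p.dst}:{p.dport}: {' | '.join(trace)}  => {out.src} -> {out.dst}")
```

Running it shows the points the thread circles around: the port-forwarded packet is DNATed in PREROUTING and then forwarded without ever being SNATed, while the LAN client's HTTPS request is SNATed in POSTROUTING without any DNAT, so a forwarded packet needs neither translation, as win32sux says. It also goes one step past the thread: a PREROUTING DNAT whose new destination is one of the gateway's own addresses (the transparent-proxy case) sends the packet to INPUT rather than FORWARD, and because the nat table is consulted only for the first packet of a connection, the second packet of a flow skips the nat chains and still carries the same translation.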

sberreta 12-20-2013 11:44 AM

using a Proxy
I am using PREROUTING and POSTROUTING for a configuration I want to make, so that one PC in my LAN uses an external proxy for all its traffic.

I use this:
# Addresses and chain names as posted. prerouting_rule, postrouting_rule and
# forwarding_rule are user-defined chains (OpenWrt-style), so they must already
# exist and be jumped to from the built-in nat/filter chains.
INTERNAL_NETWORK=10.1.1.0/24
LAN=br-lan
LANIP=10.1.1.1
SQUIDIP=200.40.180.2
SQUIDPORT=8888
# Negation goes before the option in current iptables ("! -s", not "-s !").
iptables -t nat -A prerouting_rule -i $LAN ! -s $SQUIDIP -p tcp --dport 80 -j DNAT --to $SQUIDIP:$SQUIDPORT
iptables -t nat -A postrouting_rule -o $LAN -s $INTERNAL_NETWORK -d $SQUIDIP -j SNAT --to $LANIP
iptables -A forwarding_rule -s $INTERNAL_NETWORK -d $SQUIDIP -i $LAN -o $LAN -p tcp --dport $SQUIDPORT -j ACCEPT


This routes everything OK when it goes to port 80, but I want it to work with EVERY port.
The idea is to get all internet traffic originating from the IP 10.1.1.1 to go through the proxy server 200.40.180.2.

I wonder if someone can help me get this config working.

thanks a lot!

fahri314 11-28-2018 09:48 AM

example
 
A nice server and firewall scenario for understanding the topic: digitalocean.com/community/tutorials/how-to-forward-ports-through-a-linux-gateway-with-iptables

