PREROUTING and POSTROUTING
Hello people.
I'm learning about IPTables, but I don't fully understand the chains of the NAT table (PREROUTING, POSTROUTING and OUTPUT). I'm especially in doubt about PREROUTING and POSTROUTING. As far as I know:
- DNAT can be made with PREROUTING
- SNAT can be made with POSTROUTING
NAT makes DNAT to change the target of a packet, and makes SNAT to change the source of a packet, so I conclude:
- PREROUTING is for incoming traffic
- POSTROUTING is for outgoing traffic
Is it correct? The previous conclusions seem to be logical in normal conditions, but they also seem to be limiting. I'm thinking of a silly example to make DNAT for an employee; when he tries to connect to an adult website, he is redirected to Google. On the other hand, the command "iptables" says the -o parameter (out interface) can't be used with PREROUTING and the parameter -i (in interface) can't be used with POSTROUTING; this affirms the previous conclusions. I hope you can help me. Kind regards and thanks in advance. |
One will see packets before a routing decision is made, and the other after.
Maybe checking out Chapter 6 of Oskar Andreasson's tutorial will help clarify things for you. |
Thanks for your reply win32sux.
So I think I got it:
- PREROUTING is for incoming traffic
- POSTROUTING / OUTPUT are for outgoing traffic
But I didn't understand the difference between POSTROUTING and OUTPUT. Kind regards. |
Quote:
Notice how all the OUTPUT chains (regardless of table) handle packets from local processes. |
Yes, I noticed that.
PREROUTING - DNAT for incoming traffic
OUTPUT - DNAT for outgoing traffic
POSTROUTING - SNAT for outgoing traffic
Is this correct? Kind regards. |
I think your summary would need to be more specific. For example "outgoing traffic" could refer to both locally and externally generated traffic, and it's important to differentiate. OUTPUT only handles the locally-generated type (before a routing decision). The iptables manual actually includes a good summary near the top:
|
Yes, you are right.
PREROUTING - DNAT for incoming packets
OUTPUT - DNAT for outgoing local packets
POSTROUTING - SNAT for outgoing local/forwarded packets
What do you think? |
Sounds good to me. So, getting back to your adult website redirection to Google scenario: How are you planning to do it? Honestly, I'd recommend using Squid for this rather than iptables. Or wait, were you just using it like an example?
BTW, this might be getting moved to Networking for more adequate exposure. |
Great, so I will keep that summary on my mind.
Regarding my scenario, it was just an example, I do not need to implement it in real life, but now I'm curious why you recommend Squid rather than iptables. I created the post here because I saw the word "firewall" in the description, but move it to "Networking", no problem about that :). Kind regards and thanks for the help. |
And BTW (in case nobody has said it yet): Welcome to LQ!!! :) |
Thanks! ;)
|
Guys, I have a straight forward question:
1. What is the difference between netfilter and iptables? Regards. |
So is it OK if I define netfilter as the Linux kernel module which provides packet filtering functionality and iptables as the tool which makes use of that module?
|
That is a great distinction.
So I will define netfilter as: the packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series, and iptables as: the command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset. What do you think? By the way, if netfilter is part of the kernel itself, does it mean that it is the only way to filter packets? Is it possible to uninstall netfilter and install another thing? Kind regards. |
I am a bit late coming to this thread, but I thought I would mention for anyone who comes across it that the link win32sux posted above, to Oskar Andreasson's tutorial is hands down, the most comprehensive tutorial I have ever seen on iptables. Where have you been hiding this gem, win32sux?
|
1. Is the 3.0.x series already released?
2. What happened with 2.8.x? :)
Kind regards. |
To get an idea of why the jump from 2.6.39 to 3.0 was made, check this out. |
Great, thanks for the link.
What is RSN? |
So, recapitulating:
Netfilter: The packet filtering framework inside the Linux 2.4.x, 2.6.x and 3.0.x kernel series
Iptables: The command line program used to configure the Linux 2.4.x, 2.6.x and 3.0.x IPv4 packet filtering ruleset
Good enough? |
Sounds okay to me.
|
Hello guys.
I just need to confirm some conclusions I made for my test:
1. every incoming DNATed packet goes necessarily to FORWARD
2. every outgoing SNATed packet does not necessarily come from FORWARD
3. every forwarded packet was DNATed and will be SNATed
Kind regards and thanks for the patience. |
Anyone here? :)
|
FWIW, #3 seems incorrect to me, as both DNAT and SNAT are optional.
|
I got conclusion 3 when I asked myself what happens to a packet when it is forwarded.
I thought: it is DNATed in PREROUTING and SNATed in POSTROUTING. |
Just because a packet traverses those chains doesn't mean it will get sent to those targets.
|
No, you are right, not every packet is DNATed when it goes through PREROUTING.
But like I said in the first 2 points:
1. every incoming DNATed packet goes necessarily to FORWARD
2. every outgoing SNATed packet does not necessarily come from FORWARD
In 1, DNAT happens in PREROUTING. In 2, SNAT happens in POSTROUTING (necessarily if it comes from FORWARD and optionally if it comes from OUTPUT). That's why I concluded point 3:
3. every forwarded packet was DNATed and will be SNATed |
I think my third point is more understandable if I say it this way:
3. every forwarded packet was DNATed at PREROUTING and SNATed at POSTROUTING |
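A small Python model of the nat chain traversal discussed in this thread, added here as an illustration and not code from any post above nor from the netfilter project. It encodes the summary agreed earlier (DNAT only in PREROUTING and OUTPUT, SNAT only in POSTROUTING, the routing decision sitting between PREROUTING and FORWARD/INPUT) and then runs constructed packets through it to check the three numbered conclusions: a DNATed incoming packet does reach FORWARD, a locally generated packet passes OUTPUT and then POSTROUTING, and a forwarded packet can traverse both nat chains without matching any rule. All addresses, interface names, rules and the proxy endpoint are constructed for the model.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple

# Constructed addresses for the model (assumptions, not taken from the thread).
LAN_NET = ipaddress.ip_network("10.1.1.0/24")
WAN_ADDR = "203.0.113.1"                      # the gateway's outside address
LOCAL_ADDRS = {"10.1.1.1", WAN_ADDR}          # addresses owned by the gateway itself
PROXY = "192.0.2.10:3128"                     # constructed proxy endpoint


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: Optional[str]   # None means the packet was generated by a local process


def in_lan(addr: str) -> bool:
    return ipaddress.ip_address(addr) in LAN_NET


# A rule is (match predicate, target, target argument); first match wins, like iptables.
Rule = Tuple[Callable[[Packet], bool], str, str]
NAT: Dict[str, List[Rule]] = {"PREROUTING": [], "OUTPUT": [], "POSTROUTING": []}
ALLOWED = {("PREROUTING", "DNAT"), ("OUTPUT", "DNAT"), ("POSTROUTING", "SNAT")}


def add_rule(chain: str, match: Callable[[Packet], bool], target: str, to: str) -> None:
    """Mimic iptables' restriction on which nat chain each target may be used in."""
    if (chain, target) not in ALLOWED:
        raise ValueError(f"{target} is not valid in the nat {chain} chain")
    NAT[chain].append((match, target, to))


def run_chain(chain: str, pkt: Packet) -> Tuple[Packet, Optional[str]]:
    """Apply the first matching rule of a chain; return the rewritten packet and target."""
    for match, target, to in NAT[chain]:
        if match(pkt):
            if target == "DNAT":
                host, _, port = to.partition(":")
                return replace(pkt, dst=host, dport=int(port) if port else pkt.dport), target
            return replace(pkt, src=to), target
    return pkt, None


def traverse(pkt: Packet) -> Tuple[List[str], Packet, List[str]]:
    """Return (chains visited in order, packet as it leaves, NAT targets applied)."""
    visited: List[str] = []
    applied: List[str] = []

    def step(chain: str, p: Packet) -> Packet:
        visited.append(chain)
        p, target = run_chain(chain, p)
        if target:
            applied.append(target)
        return p

    if pkt.in_iface is None:
        pkt = step("OUTPUT", pkt)              # local process: nat OUTPUT, then routing
    else:
        pkt = step("PREROUTING", pkt)          # consulted before the routing decision
        if pkt.dst in LOCAL_ADDRS:             # routing decides on the (possibly DNATed) address
            visited.append("INPUT")
            return visited, pkt, applied       # delivered locally: POSTROUTING is never seen
        visited.append("FORWARD")
    pkt = step("POSTROUTING", pkt)             # after routing, for forwarded and local packets
    return visited, pkt, applied


# Constructed rules mirroring the thread's summary.
add_rule("PREROUTING",                         # LAN web traffic is sent to the proxy
         lambda p: p.in_iface == "br-lan" and in_lan(p.src) and p.dport == 80, "DNAT", PROXY)
add_rule("OUTPUT", lambda p: p.dport == 80, "DNAT", PROXY)   # the gateway's own web traffic too
add_rule("POSTROUTING",                        # LAN sources leaving the LAN get the WAN address
         lambda p: in_lan(p.src) and not in_lan(p.dst), "SNAT", WAN_ADDR)


def lan_web_request():
    """Point 1: DNATed in PREROUTING, the packet continues to FORWARD (and is then SNATed)."""
    return traverse(Packet("10.1.1.50", "198.51.100.7", 80, "br-lan"))


def lan_ssh_request():
    """Forwarded and SNATed, but no DNAT rule matched."""
    return traverse(Packet("10.1.1.50", "198.51.100.7", 22, "br-lan"))


def wan_to_lan_packet():
    """Forwarded with neither DNAT nor SNAT: point 3 does not hold in general."""
    return traverse(Packet("198.51.100.7", "10.1.1.50", 22, "eth0"))


def packet_for_gateway():
    """Destined to the gateway itself: PREROUTING, then INPUT, never POSTROUTING."""
    return traverse(Packet("10.1.1.50", "10.1.1.1", 22, "br-lan"))


def local_process_request():
    """Point 2: locally generated, DNATed in OUTPUT, still passes POSTROUTING (SNAT optional)."""
    return traverse(Packet(WAN_ADDR, "198.51.100.7", 80, None))


if __name__ == "__main__":
    for scenario in (lan_web_request, lan_ssh_request, wan_to_lan_packet,
                     packet_for_gateway, local_process_request):
        print(scenario.__name__, *scenario())
```

The model deliberately stops at the nat table: filter chains, connection tracking (which is what makes the reply packets of a DNATed flow come back correctly) and the re-routing that follows a DNAT in OUTPUT are left out, since the thread's question is only about which chain sees a packet and when.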
using a Proxy
I am using this preroute and postroute for one configuration I want to make, so to make one PC in my LAN to use an external proxy for all its traffic.
I use this:

INTERNAL_NETWORK=10.1.1.0/24
LAN=br-lan
LANIP=10.1.1.1
SQUIDIP=200.40.180.2
SQUIDPORT=8888

iptables -t nat -A prerouting_rule -i $LAN -s ! $SQUIDIP -p tcp --dport 80 -j DNAT --to $SQUIDIP:$SQUIDPORT
iptables -t nat -A postrouting_rule -o $LAN -s $INTERNAL_NETWORK -d $SQUIDIP -j SNAT --to $LANIP
iptables -A forwarding_rule -s $INTERNAL_NETWORK -d $SQUIDIP -i $LAN -o $LAN -p tcp --dport $SQUIDPORT -j ACCEPT

This routes everything OK when it goes to port 80. But I want it to work with EVERY port. The idea is to get all internet traffic originated by the IP 10.1.1.1 to go through the proxy server 200.40.180.2. I wonder if someone can help me get this config working. Thanks a lot! |
example
A nice server and firewall scenario for understanding the topic: digitalocean.com/community/tutorials/how-to-forward-ports-through-a-linux-gateway-with-iptables
|