LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-20-2011, 09:04 AM   #1
theuser
LQ Newbie
 
Registered: Jun 2011
Posts: 18

Rep: Reputation: Disabled
Question PREROUTING and POSTROUTING


Hello people.

I'm learning about IPTables, but I don't fully understand the chains of the NAT table (PREROUTING, POSTROUTING and OUTPUT).
I'm specially in doubt of PREROUTING and POSTROUTING.

As far as a I know:
- DNAT can be made with PREROUTING
- SNAT can be made with POSTROUTING

NAT makes DNAT to change the target of a packet, and makes SNAT to change the source of a packet, so I conclude:
- PREROUTING is for incoming traffic
- POSTROUTING is for outcoming traffic

Is it correct? The previous conclusions seems to be logic in normal conditions, but also they seems to be limitating.

I'm thinking of a silly example to make DNAT for an employeer; when he tries to connect to an adult website, he is redirected to Google.

In the other hand, the command "iptables" says the -o parameter (out interface) can't be used with PREROUTING and the parameter -i (in interface) can't be used with POSTROUTING; this affirms the previous conclusions.

I hope you can help me.

Kind regards and thanks for advance.
 
Click here to see the post LQ members have rated as the most helpful post in this thread.
Old 06-20-2011, 01:52 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
One will see packets before a routing decision is made, and the other after.

Maybe checking out Chapter 6 of Oskar Andreasson's tutorial will help clarify things for you.
 
2 members found this post helpful.
Old 06-20-2011, 03:10 PM   #3
theuser
LQ Newbie
 
Registered: Jun 2011
Posts: 18

Original Poster
Rep: Reputation: Disabled
Thanks for your reply win32sux.

So i think i got it:
- PREROUTING is for incoming traffic
- POSTROUTING / OUTPUT are for outgoing traffic

But I didn't understand the difference between POSTROUTING and OUTPUT.

Kind regards.
 
Old 06-20-2011, 04:32 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by theuser View Post
But I didn't understand the difference between POSTROUTING and OUTPUT.
Look at the drawing in the page I linked.

Notice how all the OUTPUT chains (regardless of table) handle packets from local processes.
 
Old 06-20-2011, 05:24 PM   #5
theuser
LQ Newbie
 
Registered: Jun 2011
Posts: 18

Original Poster
Rep: Reputation: Disabled
Yes, I noticed that.

PREROUTING - DNAT for incoming traffic
OUTPUT - DNAT for outgoing traffic
POSTROUTING - SNAT for outgoing traffic

Is this correct?

Kind regards.
 
Old 06-20-2011, 05:45 PM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
I think your summary would need to be more specific. For example "outgoing traffic" could refer to both locally and externally generated traffic, and it's important to differentiate. OUTPUT only handles the locally-generated type (before a routing decision). The iptables manual actually includes a good summary near the top:
Quote:
filter:
This is the default table (if no -t option is passed). It
contains the built-in chains INPUT (for packets destined to
local sockets), FORWARD (for packets being routed through
the box), and OUTPUT (for locally-generated packets).

nat:
This table is consulted when a packet that creates a new
connection is encountered. It consists of three built-ins:
PREROUTING (for altering packets as soon as they come in),
OUTPUT (for altering locally-generated packets before rout‐
ing), and POSTROUTING (for altering packets as they are
about to go out).


mangle:
This table is used for specialized packet alteration. Until
kernel 2.4.17 it had two built-in chains: PREROUTING (for
altering incoming packets before routing) and OUTPUT (for
altering locally-generated packets before routing). Since
kernel 2.4.18, three other built-in chains are also sup‐
ported: INPUT (for packets coming into the box itself), FOR‐
WARD (for altering packets being routed through the box),
and POSTROUTING (for altering packets as they are about to
go out).

raw:
This table is used mainly for configuring exemptions from
connection tracking in combination with the NOTRACK target.
It registers at the netfilter hooks with higher priority and
is thus called before ip_conntrack, or any other IP tables.
It provides the following built-in chains: PREROUTING (for
packets arriving via any network interface) OUTPUT (for
packets generated by local processes)
 
Old 06-20-2011, 06:10 PM   #7
theuser
LQ Newbie
 
Registered: Jun 2011
Posts: 18

Original Poster
Rep: Reputation: Disabled
Yes, you are right.

PREROUTING - DNAT for incoming packets
OUTPUT - DNAT for outgoing local packets
POSTROUTING - SNAT for outgoing local/forwarded packets

What do you think?
 
Old 06-20-2011, 10:00 PM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Sounds good to me. So, getting back to your adult website redirection to Google scenario: How are you planning to do it? Honestly, I'd recommend using Squid for this rather than iptables. Or wait, were you just using it like an example?

BTW, this might be getting moved to Networking for more adequate exposure.

Last edited by win32sux; 06-20-2011 at 10:10 PM.
 
Old 06-20-2011, 10:48 PM   #9
theuser
LQ Newbie
 
Registered: Jun 2011
Posts: 18

Original Poster
Rep: Reputation: Disabled
Great, so I will keep that summary on my mind.

Regarding my scenario, it was just an example, I do not need to implement it on real life, but now I'm curious why you recommend squid rather than iptables.

I created the post here because I saw the word "firewall" in the description, but move it to "networking", no problem about that .

Kind regards and thanks for the help.
 
Old 06-21-2011, 12:17 AM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by theuser View Post
Regarding my scenario, it was just an example, I do not need to implement it on real life, but now I'm curious why you recommend squid rather than iptables.
Well, I just see it as the right tool for the job. I mean, HTTP is an application layer protocol, so it makes sense to use Squid instead of iptables (which is meant for dealing with network and transport layer stuff) IMHO. Using Squid also eliminates the need for you to keep track of the adult website's IPs. I know there's other advantages too, but they don't come to mind right now as I'm completely exhausted. Actually, one does come to mind: Things like per-user restrictions aren't feasible with iptables on a dedicated gateway, yet they're a snap with Squid by means of ACLs.

Quote:
I created the post here because I saw the word "firewall" in the description, but move it to "networking", no problem about that .
Yeah it fits here too, no worries. Typically, though, it's going to be the context of the question/discussion that will determine whether it gets moved or not. I guess if we look at it from the point of view that you wanted to do things like keep employees away from dangerous websites, then yeah, it would probably be best to leave it here. Besides, the whole "don't fix it if it ain't broken" thing and all that. Still, let me know if you wish for it to be moved and I'll gladly take care of it for you.

Quote:
Kind regards and thanks for the help.
You're very welcome.

And BTW (in case nobody has said it yet): Welcome to LQ!!!

Last edited by win32sux; 06-21-2011 at 12:24 AM.
 
Old 06-21-2011, 10:23 AM   #11
theuser
LQ Newbie
 
Registered: Jun 2011
Posts: 18

Original Poster
Rep: Reputation: Disabled
Thanks!
 
Old 06-26-2011, 01:11 PM   #12
theuser
LQ Newbie
 
Registered: Jun 2011
Posts: 18

Original Poster
Rep: Reputation: Disabled
Guys, I have a straight forward question:

1. What is the difference between netfilter and iptables?

Regards.
 
Old 06-26-2011, 01:53 PM   #13
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by theuser View Post
Guys, I have a straight forward question:

1. What is the difference between netfilter and iptables?

Regards.
Netfilter is the code in the Linux kernel which allows it to provide packet-filtering functionality. iptables is the userspace tool we use to configure said functionality. The website's front page itself has a better description:
Quote:
netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.
Quote:
iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).
 
Old 06-27-2011, 07:07 AM   #14
theuser
LQ Newbie
 
Registered: Jun 2011
Posts: 18

Original Poster
Rep: Reputation: Disabled
So is it ok if I define netfilter as the linux kernel module which provides packet filtering functionality and iptables as the tool which make use of that module?
 
Old 06-27-2011, 01:03 PM   #15
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by theuser View Post
So is it ok if I define netfilter as the linux kernel module which provides packet filtering functionality
I'm not an expert, but that definition seems like it might be technically incorrect. Like, if you do an lsmod, you won't see any module named netfilter. What you'll see are Netfilter-related modules for connection tracking, NAT, etc. (in other words, part of the framework described). Netfilter itself is, according to their web page, "a set of hooks inside the Linux kernel".
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
postrouting all except one yawe_frek Linux - Networking 2 12-22-2007 10:13 PM
advantages and disadvantages of nat prerouting / postrouting? Teomari Linux - Networking 2 04-13-2007 08:28 PM
POSTROUTING or PREROUTING czezz Linux - Networking 2 01-23-2006 12:42 PM
mark set on PREROUTING stays until POSTROUTING? eantoranz Linux - Networking 3 07-26-2005 05:50 PM
POSTROUTING just stopped? ryedunn Linux - Networking 9 01-10-2005 09:49 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:53 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration