What's the difference between PREROUTING and FORWARD in iptables?

networking iptables nat
90,347

Solution 1

NAT Table:

This table should only be used for NAT (Network Address Translation) on different packets. In other words, it should only be used to translate the packet's source field or destination field.

Filter Table:

The filter table is mainly used for filtering packets. We can match packets and filter them in whatever way we want. This is the place that we actually take action against packets and look at what they contain and DROP or /ACCEPT them, depending on their content. Of course we may also do prior filtering; however, this particular table is the place for which filtering was designed.

In Traversing of tables and chains we can see that filter's FORWARD chain is traversed only by forwarded packets (packets that come from network AND go out to network), i.e. your computer is acting like a router, while nat's PREROUTING chain is traversed by both forwarded packets and packets whose destination is the local host.

You should use nat's PREROUTING only to change the destination address of the packets and filter's FORWARD only for filtering (dropping/accepting packets).

If we get a packet into the first routing decision that is not destined for the local machine itself, it will be routed through the FORWARD chain. If the packet is, on the other hand, destined for an IP address that the local machine is listening to, we would send the packet through the INPUT chain and to the local machine. enter image description here Packets may be destined for the local machine, but the destination address may be changed within the PREROUTING chain by doing NAT. Since this takes place before the first routing decision, the packet will be looked upon after this change. Because of this, the routing may be changed before the routing decision is done. Do note, that all packets will be going through one or the other path in this image. If you DNAT a packet back to the same network that it came from, it will still travel through the rest of the chains until it is back out on the network.

Solution 2

PREROUTING: This chain is used to make any routing related decisions before (PRE) sending any packets. Always remember that in PREROUTING/POSTROUTING i.e. NAT table the ACCEPT/DROP/REJECT etc targets of the default FILTER table will not work. The NAT table is only used for taking routing decisions. You should use PREROUTING when taking any routing decisions i.e. the decisions which are needed to be taken before the packet will start traversing through the network. Here is an example, we are redirecting any traffic that just reached the server on port 80 to the port 8080:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

FORWARD: As the name suggests, The FORWARD chain of FILTER table is used to forward the packets from a source to a destination, here the source and destination are two different hosts. So, as you can imagine FORWARD rules are basically used on servers where one host is sending/receiving traffic from another host via the server. When the packet is generated from the server the chain is OUTPUT i.e. the traffic is going out from itself whereas INPUT chain means the the packets are meant for the server itself only. Here is an example of FORWARD chain where any TCP traffic received on port 80 on interface eth0 meant for the host 192.168.0.4 will be accepted and forwarded to 192.168.0.4:

iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 192.168.0.4 -j ACCEPT
Share:
90,347

Related videos on Youtube

GheorGhe
Author by

GheorGhe

Updated on September 18, 2022

Comments

  • GheorGhe
    GheorGhe over 1 year

    I am trying to understand how this system works and I have problems to understand the difference between using NAT PREROUTING or filter FORWARD. From what I understand, the PREROUTE can send the packet to another server, avoiding the filter. If NAT can handle this via PREROUTE, what is the purpose of having a FORWARD rule in the filter?

  • guntbert
    guntbert over 9 years
    Your use of "hosts" seems weird. Which table is used when depends primarily on the local interfaces a package has come in and is intended to exit.
  • heemayl
    heemayl over 9 years
    which part seems weird? i have used the notion of hosts to indicate the sending & receiving parties..
  • guntbert
    guntbert over 9 years
    I am talking about the paragraph FORWARD : that table is used when a packet coming in through one interface is destined for another interface (as opposed to local host)
  • heemayl
    heemayl over 9 years
    oh..ok..i got it....yeah i should use interface....just use hosts to make it easy to picture..i will change that when i will be infront of my computer.
  • heemayl
    heemayl over 9 years
    @guntbert: just got my head straight. did not read your last comment carefully enough. I think you are mistaken in the context of two different interfaces for the FORWARD chain. When packets are being transferred from one host of a LAN to another host of a LAN, the packets will go through just a single interface and the chain used will be FORWARD although here the server (medium) will not act as a router in a strict sense rather can be thought of as a switch.
  • guntbert
    guntbert over 9 years
    Ack, the "other" interface still may be the same in the end (we are still acting as a router (L3) instead of as a switch (L2) though) :-) -- My main point should have been: the FORWARD chain is used whenever the packet is not destined for localhost, no matter which (external) hosts are in the game - so: routing decisions should take place there while NAT (changing a packets source/destination-address) happens in the PREROUTING/POSTROUTNG chains of the nat table.
  • SAMPro
    SAMPro almost 4 years
    In the picture you referenced, there are mentioned routing decisions in multiple location. I think these decisions are related to routes that may be someone defined via ip route. May you describe what is the diff between these three and what routes is activated on every stage?
  • Alan Evangelista
    Alan Evangelista almost 3 years
    @heemayl (1) Why is --dport 80 instead of 8080, if the packet goes through the PREROUTING chain before the FORWARD one? (2) So a network address translation always needs 2 rules in iptables (one with the prerouting chain and another one with the forward chain) ? Is there any way to specify it in a single iptables command in the CLI?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

NAT using iptables on Ubuntu 16.04 doesn't work
Using iptables SNAT based on source interface and ip address
Randomize external port when doing NAT with iptables
How can I do DNAT and SNAT on Windows 7?
Mark packets with iptables by destination mac address
iptables NAT & virtual machine networking
KVM Guest with NAT + Bridged networking
Linux - two subnets, one interface, one gateway - NAT the additional subnet
Routing application traffic through specific interface
How to set mark on packet when forwarding it in nat prerouting table?