Why does SNAT happen in POSTROUTING chain and DNAT in PREROUTING chain?

iptables netfilter
11,290

Solution 1

Usually the main criterion for SNAT is "traffic that's going out a given interface" (i.e. -o eth0). What interface a packet will go out is determined by routing, so to apply that criterion you need to run it in a POSTROUTING context.

DNAT rewrites the destination address of a packet, meaning it can affect where a packet goes to — for example, a packet that looks like it's destined for the gateway could end up being rewritten to go to a machine on the network instead. Since you want the routing to be able to take that rewritten destination into account when it makes its decision, so that the packet actually goes where it needs to, DNAT should run in a PREROUTING context.

Solution 2

I'm pretty sure anything coming from the local machine never goes through the PREROUTING table, as seen in this awesome ASCII figure.

Solution 3

As the chain names suggest, PREROUTING is done at first when a packet is received and is thus routed based on where it is going (destination). After all other routing rules have been applied, the POSTROUTING chain will determine where it goes based on where it came from (source).

For example, on my server, incoming ports that are to be forwarded (NATed) are all defined in the PREROUTING chain as DNAT, and all packets that come from the NATed interfaces, go through the POSTROUTING chain as SNAT, and consequently (in this case), go through the filter FORWARD chain.

Solution 4

One else nice schematic in ASCII that might help to figure out how does it work, it is handy for beginners to have it in console when working with iptables rules:

#
# (PACKET IN)->-[PREROUTING]->- ->----------->-[FORWARD]->------------>- ->-[POSTROUTING]->-(PACKET OUT)
#               -mangle        |               -mangle                  |   -mangle
#               -nat (dst)     |               -filter                  |   -nat (src)
#                              |                                        |
#                               ->-[INPUT]->-(APPLICATION)->-[OUTPUT]->-
#                                  -mangle                   -mangle
#                                  -filter                   -filter
#                                                            -nat (dst)
#

(* Edited, considering the comments below...)

Share:
11,290

Related videos on Youtube

comeback4you
Author by

comeback4you

Updated on September 18, 2022

Comments

  • comeback4you
    comeback4you over 1 year

    Why does SNAT(modifies source IP and/or ports) happen in nat table POSTROUTING chain, i.e after routing? And why does DNAT(modifies destination IP ant/or ports) happen in PREROUTING chain? I guess latter is because there might be multiple NICs in PC with different private networks and PC does not know how to route packet if destination IP address is still publickly routable address? However, for SNAT I can not see a reason why this couldn't take place in PREROUTING.

  • comeback4you
    comeback4you almost 8 years
    Yes, but is this important? I mean you would do DNAT only in case the PC acts as a router and at least one of the LAN networks use private IP addresses.
  • comeback4you
    comeback4you almost 8 years
    Indeed, good points! So SNAT couldn't happen in PREROUTING chain because this would mean that all the packets get SNAT -ed while actually this would be desired only for example for Internet facing interface? And DNAT needs to happen in PREROUTING because destination IP is changed and thus it needs to happen before routing decision in order to be routed via correct (LAN-facing) interface?
  • Aaron D. Marasco
    Aaron D. Marasco almost 8 years
    It's important because you asked why you can't do SNAT in prerouting and I answered - packets whose source is the local machine never visit that table. That's why it can't.
  • comeback4you
    comeback4you almost 8 years
    Ok, but in which scenario would you do SNAT for a traffic coming from the local machine? For example let's say that there is PC with eth1 facing LAN(IP address 10.10.10.1/24) and eth0 facing Internet(IP address 198.51.100.1/24)- all the traffic going out from this machine to Internet will simply use 198.51.100.1 as a source IP address and no SNAT is needed. IMHO SNAT is needed only in case traffic flows through the PC and then it goes through the PREROUTING. Or am I missing something?
  • AdminBee
    AdminBee about 3 years
    Welcome to the site, and thank you for your contribution. Please note that link-only answers are discouraged, as the link may become invalid or the linked content change. Please edit your answer to include at least a summary of the linked explanation.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

forward packets from one interface to another interface using iptables
How is the IFB device positioned in the packet flow of the Linux kernel
How to match properly against an IP set of type 'hash:ip,port'?
URL Filtering with IP tables
Is iptables string matching still supported?
-o in iptables is for specifying the interface for OUTPUT, FORWARD, and POSTROUTING Correct?
How to list all network connections Centos 7 (Connection tracking)
Best way to filter/limit ARP packets on embedded Linux
How does iptable work with linux bridge?
What is the difference between NAT OUTPUT chain and NAT POSTROUTING chain?