Are iptables prerouting (DNAT) packet changes visible to subsequent chains?

Question

I was reading Rusty Russell's NAT Howto when I came across this section:

6.2.  Destination NAT

  This is done in the PREROUTING chain, just as the packet comes in;
  this means that anything else on the Linux box itself (routing, packet
  filtering) will see the packet going to its `real' destination.

My understanding of what he means by real destination is the original destination of the packet, prior to being altered by a rule on the PREROUTING chain, which is slightly perturbing because my previous understanding was the opposite - i.e. that subsequent rules see the DNAT'd destination, not the original. By logging the FORWARD chain of a local VM I think that I'm right, because I can see the DNAT'd IP in the DST field.

So, my question is, what does Rusty mean here? I'm considering writing to Rusty to point out that this wording is unclear, it's open to interpretation what the real IP is.

Xavier Lucas · Accepted Answer · 2014-11-16T23:48:03.537

2

Note the quotation marks.

The 'real' destination here is the destination IP after DNAT i.e. the actual IP packets will be sent to. As both IPs somewhow exist in the process, the term real must be balanced that's why you see this notation.

edited Nov 16 '14 at 23:48

answered Nov 16 '14 at 23:37

Xavier Lucas

12,815
2
44
50

Are iptables prerouting (DNAT) packet changes visible to subsequent chains?

1 Answers1