
Iptables is often illustrated using this diagram:

[diagram: iptables packet flow through the tables, chains and "Routing Decision" boxes]

I fail to understand when route lookup (routing tables) is performed:

  1. inside the "Routing Decision" grey boxes? If so, does it mean a packet is routed twice?
  2. after "nat POSTROUTING" and not shown in the picture? That is my current assumption but I could not find any confirmation on the internet. Is there any available reference?
matador
  • Your assumption is wrong. See the box "Routing Decision". – Michael Hampton Apr 07 '15 at 20:56
  • Thanks - does this mean that route lookup is executed twice on a forwarded packet (once after nat PREROUTING and once before mangle POSTROUTING)? This would seem inefficient and confusing but I am ready to accept. – matador Apr 08 '15 at 10:58

1 Answer


The confusion with that diagram is that not all "Routing Decisions" are created equal. The one after "nat PREROUTING" is a simple local/remote choice; if the packet's destination is local, it goes left, and if it's remote, it goes right. The IP routing table lookup, to determine the packet's next-hop, is the decision before "mangle POSTROUTING". I'm honestly not sure what the one after "local process" is; even loopback traffic goes through netfilter. Perhaps it's for non-IP traffic (which doesn't go through iptables at all), but that's a wild guess.

womble