User's manual
TC-6110 Linux User's Manual Managing Communications
When the NAT table alters the destination address (on inbound packets, in the PREROUTING chain), it is called
Destination Network Address Translation (DNAT), or Port Forwarding. When the NAT table alters the
source address (on outbound packets, in the POSTROUTING chain), it is called Source Network Address
Translation (SNAT), or IP Masquerading. Netfilter conventions distinguish Masquerading from SNAT in the
following way:
• Masquerading is a form of SNAT where you let your firewall automatically detect the external
interface address.
• SNAT refers to a situation where you explicitly specify what source address will be used when re-writing
the outbound source address field.
The NAT table does not filter packets. Packet filtering is reserved for the Filter Table.
The NAT table utilizes the built-in PREROUTING, OUTPUT, and POSTROUTING rule chains.
The Filter Table
The Filter table is the only table responsible for filtering packets; it should never alter them in the ways
that the Mangle and NAT tables do, i.e., it should not alter the information in individual packets. The only work
done by the Filter table consists of executing the targets ACCEPT, DROP, QUEUE, or RETURN.
ACCEPT means the packet continues traversing the chain.
DROP quietly drops the packet, without notifying the sender.
QUEUE passes the packet to userspace, where it may be picked up by the Mangle table, or may be passed
along to other userspace utilities or modules.
RETURN sends the packet back to the rule following the last rule it passed in the previous rule chain; that is,
when a packet is forwarded from one rule chain to another, the RETURN target will send the packet back to the next
rule in the rule chain from which it was forwarded.
In addition, one target extension may also be used with the Filter table:
REJECT will drop the packet, but send an ICMP notification to the sending machine that the packet has been
dropped.
The Filter table uses the built-in INPUT, OUTPUT, and FORWARD rule chains.
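As an added illustration of the NAT and Filter table descriptions above (not part of the original manual), the following shell function prints a ruleset in iptables-restore format for a gateway that forwards one TCP port. The function name gen_ruleset is hypothetical, and the interface names, addresses and port used with it are constructed sample values.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a NAT gateway.
# gen_ruleset WAN_IF LAN_IF LAN_HOST PORT [WAN_ADDR]   (hypothetical helper)
#   WAN_ADDR given  -> SNAT with that explicit source address
#   WAN_ADDR absent -> MASQUERADE (address detected from WAN_IF)
gen_ruleset() {
    wan_if=$1 lan_if=$2 lan_host=$3 port=$4 wan_addr=${5:-}
    if [ -n "$wan_addr" ]; then
        snat_rule="-A POSTROUTING -o $wan_if -j SNAT --to-source $wan_addr"
    else
        snat_rule="-A POSTROUTING -o $wan_if -j MASQUERADE"
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT (port forwarding): rewrite the destination before routing
-A PREROUTING -i $wan_if -p tcp --dport $port -j DNAT --to-destination $lan_host:$port
# SNAT or masquerading: rewrite the source as packets leave
$snat_rule
COMMIT
*filter
# Default-deny; no inbound management access to the firewall is opened here
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The nat table does not filter: the forwarded port must be allowed here,
# matching the destination as already rewritten by DNAT
-A FORWARD -i $wan_if -o $lan_if -p tcp -d $lan_host --dport $port -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -j ACCEPT
# REJECT notifies the sender; the DROP policy stays silent
-A FORWARD -i $lan_if -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Constructed sample call: gen_ruleset eth0 eth1 192.168.3.10 8080 203.0.113.5
if [ "$#" -ge 4 ]; then gen_ruleset "$@"; fi
```

Piping the output to `iptables-restore --test` parses the ruleset without committing it.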
The Mangle Table
The Mangle table is primarily used to prioritize certain connections for quality of service optimizations; it is
used for general packet header modification, such as setting the Time-to-Live (TTL) or Type-of-Service (TOS)
fields, or to set an internal mark (called nfmark, and set with the MARK target) to identify the packet for later
processing.
The Five Built-In Rule Chains
The tables handle five built-in chains:
1. All inbound packets hit the PREROUTING chain, with no exceptions. Any changes performed on the packets
here are done before the routing decision and filtering are done. When connections are bound for machines
located on the local subnet, this chain will alter the destination IP address for destination address
translation (DNAT). By the time a packet reaches the PREROUTING chain, all checks on the IP headers have
been completed, but the packet has not yet been routed.
2. The INPUT chain receives all inbound packets which are addressed to the local intranet served by this firewall.
All packets which are addressed to the local intranet will be filtered here, before they continue onwards.
3. The FORWARD chain receives and filters all packets which are addressed to computers which are not located
on the local intranet located behind the firewall, i.e., it redirects packets which are intended to be forwarded
to other parts of the network which are not located on the subnet administered by the firewall, or which have
arrived from sections of the network (not located behind the administered subnet) and are destined for the
open Internet.