
“main” (Installation and Administration) 2004/6/25 13:29 page 644 #670
filter: This table holds the bulk of the filter rules, because it implements the packet filtering mechanism in the stricter sense, which determines whether packets are let through (ACCEPT) or discarded (DROP), for instance.

nat: This table defines any changes to the source and target addresses of packets. Using these functions also allows you to implement masquerading, which is a special case of NAT used to link a private network with the Internet.

mangle: The rules held in this table make it possible to manipulate values stored in IP headers (such as the type of service).
The above-mentioned tables contain several predefined chains to match packets:

PREROUTING: This chain is applied to incoming packets.

INPUT: This chain is applied to packets destined for the system's internal processes.

FORWARD: This chain is applied to packets that are only routed through the system.

OUTPUT: This chain is applied to packets originating from the system itself.

POSTROUTING: This chain is applied to all outgoing packets.
Figure 26.7 on the facing page illustrates the paths along which a network packet may travel on a given system. For the sake of simplicity, the figure lists tables as parts of chains, but in reality these chains are held within the tables themselves.

In the simplest of all possible cases, an incoming packet destined for the system itself arrives at the eth0 interface. The packet first passes through the PREROUTING chain of the mangle table and then through the PREROUTING chain of the nat table. The following step, the routing decision, determines that the actual target of the packet is a process on the system itself. After passing the INPUT chains of the mangle and filter tables, the packet finally reaches its target, provided that no rule of the filter table discards it along the way.
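The order of tables and chains described above (mangle PREROUTING, nat PREROUTING, routing decision, then mangle INPUT and filter INPUT for local delivery) is easy to lose track of when several tables are in play. The following is an added example written for this page, not code from the guide or from the iptables project: a small Python model that walks a constructed packet through the chains in that order, lets rules in the mangle, nat and filter tables act on it, and records which chain made the verdict. It goes slightly beyond the paragraph by also modelling the forwarding path (mangle FORWARD, filter FORWARD, then mangle and nat POSTROUTING), which is the other branch of the routing decision in Figure 26.7. The host addresses, rules and packets are all constructed sample data, and the chain policies are assumed to be ACCEPT.

```python
"""Toy model of netfilter table/chain traversal for an incoming packet.

Added example; the rule set and addresses below are constructed, not taken
from any real system. Chain policies are assumed to be ACCEPT.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Tuple

# Constructed: addresses that belong to the local host (the "routing decision"
# sends packets for these to local processes, everything else is forwarded).
LOCAL_ADDRS = {"192.0.2.1"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    tos: int = 0  # type-of-service byte, the field the mangle table may rewrite


@dataclass
class Rule:
    """A match predicate plus a target.

    Targets: "ACCEPT" / "DROP" (filter verdicts, end evaluation of the chain),
    ("DNAT", new_dst) rewrites the destination (nat table),
    ("TOS", value) rewrites the TOS field (mangle table).
    """
    match: Callable[[Packet], bool]
    target: object


# At each hook the tables' chains of the same name are consulted in this order.
HOOK_ORDER: Dict[str, List[str]] = {
    "PREROUTING": ["mangle", "nat"],
    "INPUT": ["mangle", "filter"],
    "FORWARD": ["mangle", "filter"],
    "POSTROUTING": ["mangle", "nat"],
}

RuleSet = Dict[str, Dict[str, List[Rule]]]  # table -> chain -> rules


def run_chain(table: str, chain: str, rules: RuleSet, pkt: Packet,
              trace: List[str]) -> Tuple[Packet, str]:
    """Apply the first matching rule of rules[table][chain]; return (pkt, verdict)."""
    trace.append(f"{table}/{chain}")
    for rule in rules.get(table, {}).get(chain, []):
        if not rule.match(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return pkt, rule.target
        kind, value = rule.target
        if kind == "DNAT":
            return replace(pkt, dst=value), ""
        if kind == "TOS":
            return replace(pkt, tos=value), ""
    return pkt, ""  # no rule matched: chain policy (assumed ACCEPT) applies


def traverse_incoming(pkt: Packet, rules: RuleSet) -> Tuple[str, List[str], Packet]:
    """Walk an incoming packet through the chains; return (verdict, chains visited, final packet)."""
    trace: List[str] = []
    for table in HOOK_ORDER["PREROUTING"]:
        pkt, _ = run_chain(table, "PREROUTING", rules, pkt, trace)
    # Routing decision: nat PREROUTING may have rewritten dst, so decide afterwards.
    if pkt.dst in LOCAL_ADDRS:
        hooks = ["INPUT"]
    else:
        hooks = ["FORWARD", "POSTROUTING"]
    for hook in hooks:
        for table in HOOK_ORDER[hook]:
            pkt, verdict = run_chain(table, hook, rules, pkt, trace)
            if verdict == "DROP":
                return "DROP", trace, pkt
    return "ACCEPT", trace, pkt


# Constructed rule set: mark SSH traffic in mangle, redirect port 8080 to an
# internal host in nat, and let filter decide what may reach the host or be forwarded.
EXAMPLE_RULES: RuleSet = {
    "mangle": {"PREROUTING": [Rule(lambda p: p.dport == 22, ("TOS", 0x10))]},
    "nat": {"PREROUTING": [Rule(lambda p: p.dport == 8080, ("DNAT", "10.0.0.5"))]},
    "filter": {
        "INPUT": [Rule(lambda p: p.dport == 22, "ACCEPT"),
                  Rule(lambda p: True, "DROP")],
        "FORWARD": [Rule(lambda p: p.dst == "10.0.0.5", "ACCEPT"),
                    Rule(lambda p: True, "DROP")],
    },
}

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "192.0.2.1", 22),
                Packet("198.51.100.7", "192.0.2.1", 80),
                Packet("198.51.100.7", "192.0.2.1", 8080)):
        verdict, trace, final = traverse_incoming(pkt, EXAMPLE_RULES)
        print(f"{pkt.dst}:{pkt.dport} -> {verdict} via {' > '.join(trace)} (dst now {final.dst}, tos {final.tos})")
```

Running the script shows the three paths side by side: the SSH packet is marked in mangle PREROUTING and accepted in filter INPUT, the port 80 packet travels the same chains but is discarded by the final DROP rule in filter INPUT, and the port 8080 packet is rewritten in nat PREROUTING so that the routing decision sends it down the FORWARD and POSTROUTING chains instead of INPUT.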
644 26.3. Masquerading and Firewalls