Many years ago, I started work with iptables, the Linux-based firewall software. At the time, documentation was sparse, and the details about what happens to a packet during processing were hard to figure out.
Since then, documentation has improved, but I always wished there was a visualization that I could quickly use to trace a packet (observed or theoretical) through the various tables and chains. While creating content for SANS FOR572, Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response, I decided to create a flowchart myself. Since I find it most useful in color, I’ve provided the document here.
- 2018-11-14: Reflects that outbound interface is determined by routing decision, not iptables.
- 2018-09-01: Reflects that localhost-sourced/destined packets will not traverse the nat table’s PREROUTING/POSTROUTING chains, respectively. Thanks to commenter Binarus for the pointer.
- 2017-03-30: Thanks to commenter Eike for noting that some terminology with the outbound interface selection was unclear.
- 2017-02-01: Thanks to commenter arm for noting that newer kernels also provide a NAT|input chain.
- 2016-11-18: Thanks to commenter Andrey for pointing out an error, which has been corrected. I’ve also adjusted the arrangement and cleaned up the logic a bit in this version.
I hope you find the document useful. If you have any input to make it better, please let me know.