FW-IDS - iptables Flowchart v2017-03-30

FW-IDS – iptables Flowchart v2017-03-30 (1 MB)

Many years ago, I started work with iptables, the Linux-based firewall software.  At the time, documentation was sparse, and the details about what happens to a packet during processing were hard to figure out.

Since then, documentation has improved, but I always wished there was a visualization that I could quickly use to trace a packet (observed or theoretical) through the various tables and chains.  While creating content for SANS FOR572, Advanced Network Forensics and Analysis, I decided to create a flowchart myself.  Since I find it most useful in color, I’ve provided the document here.


  • 2017-03-30: Thanks to commenter Eike for noting that some terminology with the outbound interface selection was unclear.
  • 2017-02-01: Thanks to commenter arm for noting that newer kernels also provide a NAT|input chain.
  • 2016-11-18: Thanks to commenter Andrey for pointing out an error, which has been corrected.  I’ve also adjusted the arrangement and cleaned up the logic a bit in this version.

I hope you find the document useful.  If you have any input to make it better, please let me know.