FW-IDS – iptables Flowchart v2018-11-14 (1MB)

Many years ago, I started work with iptables, the Linux-based firewall software.  At the time, documentation was sparse, and the details about what happens to a packet during processing were hard to figure out.

Since then, documentation has improved, but I always wished there was a visualization that I could quickly use to trace a packet (observed or theoretical) through the various tables and chains.  While creating content for SANS FOR572, Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response, I decided to create a flowchart myself.  Since I find it most useful in color, I’ve provided the document here.

Updates:

  • 2018-11-14: Reflects that outbound interface is determined by routing decision, not iptables.
  • 2018-09-01: Reflects that localhost-sourced/destined packets will not traverse the nat table’s PREROUTING/POSTROUTING chains, respectively.  Thanks to commenter Binarus for the pointer.
  • 2017-03-30: Thanks to commenter Eike for noting that some terminology with the outbound interface selection was unclear.
  • 2017-02-01: Thanks to commenter arm for noting that newer kernels also provide a nat INPUT chain.
  • 2016-11-18: Thanks to commenter Andrey for pointing out an error, which has been corrected.  I’ve also adjusted the arrangement and cleaned up the logic a bit in this version.

I hope you find the document useful.  If you have any input to make it better, please let me know.