So I have a Linux server running Arch Linux. I ssh to it while my IP is 192.168.3.123.
If I do this, I can see there are packets running through it.
# iptables -A OUTPUT -d 192.168.3.123 -j ACCEPT
# iptables -vnL
Chain INPUT (policy ACCEPT 18 packets, 1120 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 80 bytes)
pkts bytes target prot opt in out source destination
13 1892 ACCEPT all -- * * 0.0.0.0/0 192.168.3.123
But if I do this, there are no packets running through it.
# iptables -t nat -A OUTPUT -d 192.168.3.123 -j RETURN
# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 192.168.3.123
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
But why? I know this chart. Both the nat and filter OUTPUT chains have to be processed after a process.
So what gives?
Last edited by 1ndeed (2021-09-14 08:41:30)
The main difference is what you can do in each table. Filter is for... filtering and other basic operations, nat for rewriting source / destination (SNAT/DNAT), connection tracking, etc. You won't be able to put a SNAT in the filter table, nor to use DROP in the nat table.
iptables will actually explain that if you try something like
$ iptables -t nat -A OUTPUT -j DROP
iptables v1.8.7 (legacy):
The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
Last edited by Kinrar (2021-09-14 13:13:57)
The main difference is what you can do in each table. Filter is for... filtering and other basic operations, nat for rewriting source / destination (SNAT/DNAT), connection tracking, etc. You won't be able to put a SNAT in the filter table, nor to use DROP in the nat table.
iptables will actually explain that if you try something like
$ iptables -t nat -A OUTPUT -j DROP
iptables v1.8.7 (legacy):
The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
I know. But the server is running sshd. If I connect to it in the terminal, there must be packets being sent through OUTPUT in nat. So these packets will match that rule. But they didn't: there is no packet matched in the nat OUTPUT.
What is the output of
sudo iptables -S
being different
What is the output of
sudo iptables -S
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -d 192.168.3.123/32 -j ACCEPT
# iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A OUTPUT -d 192.168.3.123/32 -j RETURN
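The rule listings above are consistent with the real cause, which the thread does not spell out: the nat table is consulted only for the first packet of a connection (conntrack state NEW). Every later packet of an established flow is handled from the conntrack entry and never traverses the nat chains, so a nat OUTPUT rule added while the ssh session is already up will stay at 0 forever, while the filter OUTPUT rule counts every packet. The script below is an added example (not code from the thread); it reproduces the two rules from the posts, opens a brand-new TCP connection to the same host, and reads the per-rule counters before and after. It assumes root, an iptables whose `-vnxL` output has the column layout shown in the thread, and a reachable host/port (defaults 192.168.3.123 and 22 are the thread's values). Expected result: the filter OUTPUT delta is several packets (handshake plus teardown), the nat OUTPUT delta is exactly 1 (the SYN).

```shell
#!/usr/bin/env bash
# Added example, not from the original thread.
# Demonstrates that nat chains see only the first packet of each connection.
set -eu

# rule_pkts DEST
# Reads `iptables -t <table> -vnxL <chain>` output on stdin and prints the
# packet counter of the first rule whose destination column equals DEST.
# Pure text processing, so it can be exercised on sample output without root.
rule_pkts() {
    local dest="$1"
    awk -v dest="$dest" '
        # "Chain ..." and the header row do not start with a number; data rows do.
        $1 ~ /^[0-9]+$/ && $NF == dest { print $1; exit }
    '
}

# counter TABLE CHAIN DEST -> packet counter of the -d DEST rule in that chain.
# -x prints exact counters instead of the K/M-suffixed form.
counter() {
    iptables -t "$1" -vnxL "$2" | rule_pkts "$3"
}

# demo [TARGET] [PORT]   (needs root and a listening TCP port on TARGET)
demo() {
    local target="${1:-192.168.3.123}" port="${2:-22}"

    # The two rules from the thread; -C makes this idempotent across runs.
    iptables -C OUTPUT -d "$target" -j ACCEPT 2>/dev/null \
        || iptables -A OUTPUT -d "$target" -j ACCEPT
    iptables -t nat -C OUTPUT -d "$target" -j RETURN 2>/dev/null \
        || iptables -t nat -A OUTPUT -d "$target" -j RETURN

    local f0 n0 f1 n1
    f0=$(counter filter OUTPUT "$target")
    n0=$(counter nat OUTPUT "$target")

    # Open a NEW connection: its SYN is the only packet that traverses nat OUTPUT.
    # The full handshake and the close all pass through filter OUTPUT.
    exec 3<>"/dev/tcp/$target/$port"
    exec 3>&-

    f1=$(counter filter OUTPUT "$target")
    n1=$(counter nat OUTPUT "$target")
    echo "filter OUTPUT delta: $((f1 - f0))   nat OUTPUT delta: $((n1 - n0))"
}

# Only touch the firewall when invoked explicitly, e.g.: sudo ./nat-demo.sh 192.168.3.123 22
if [ "$#" -gt 0 ]; then
    demo "$@"
fi
```

If you need the nat counter to move for an existing session, you have to break its conntrack entry (for example `conntrack -D -d 192.168.3.123`) and let the next packet be treated as NEW; this is also why NAT rules added after the fact do not apply to flows that are already established.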