Netfilter packet flow and hook/table ordering
2011-Dec-18
Jan Engelhardt <jengelh@medozas.de>
http://jengelh.medozas.de/
Xtables Conntrack Iptables
Shows the packet flow throughout the Netfilter framework.
Joshua Snyder <josh@imagestream.com>
[Figure: Netfilter packet flow; hook/table ordering. The diagram itself is not reproduced; the labels recovered from it are listed below, without their positions in the flow.]
Legend: ebtables; xtables (ip, ip6); misc other
Layers: Link Layer; Network Layer; Protocol/Application Layer
Paths: INPUT PATH; FORWARD PATH; OUTPUT PATH
Table labels: raw, mangle, nat, filter, broute
Chain labels: brouting, prerouting, input, forward, output, postrouting
Other boxes: ingress, egress, bridge check, bridging decision, conntrack, routing decision, reroute check, socket lookup, local process, interface output, xfrm (e.g. ipsec) decode, xfrm encode
Note: nat table only consulted for “NEW” connections
by Jan Engelhardt, last updated 2011-Dec-18
based in part on Joshua Snyder's graph