* mangle table traversal
From: Shinju @ 2002-06-20 20:16 UTC (permalink / raw)
To: netfilter
Hey folks.
Do packets always traverse the chain in the 'mangle' table before they
traverse the corresponding chain in other tables? In other words, is this
flow correct?...
...manglePREROUTING --> natPREROUTING...
...mangleINPUT --> filterINPUT...
...mangleOUTPUT --> natOUTPUT --> filterOUTPUT...
...mangleFORWARD --> filterFORWARD...
...manglePOSTROUTING --> natPOSTROUTING...
thanks
* Re: mangle table traversal
From: Antony Stone @ 2002-06-20 21:00 UTC (permalink / raw)
To: netfilter
On Thursday 20 June 2002 9:16 pm, Shinju wrote:
> Hey folks.
>
> Do packets always traverse the chain in the 'mangle' table before they
> traverse the corresponding chain in other tables? In other words, is this
> flow correct?...
>
> ...manglePREROUTING --> natPREROUTING...
> ...mangleINPUT --> filterINPUT...
> ...mangleOUTPUT --> natOUTPUT --> filterOUTPUT...
> ...mangleFORWARD --> filterFORWARD...
> ...manglePOSTROUTING --> natPOSTROUTING...
You can easily check this for yourself by putting a LOG target as the first
rule into every chain. eg:
iptables -t mangle -I PREROUTING -j LOG --log-prefix=PreMangle
iptables -t mangle -I INPUT -j LOG --log-prefix=InMangle
iptables -t mangle -I FORWARD -j LOG --log-prefix=ForMangle
iptables -t mangle -I POSTROUTING -j LOG --log-prefix=PostMangle
iptables -t mangle -I OUTPUT -j LOG --log-prefix-OutMangle
iptables -t filter -I PREROUTING -j LOG --log-prefix=PreFilt
iptables -t filter -I INPUT -j LOG --log-prefix=InFilt
iptables -t filter -I FORWARD -j LOG --log-prefix=ForFilt
iptables -t filter -I POSTROUTING -j LOG --log-prefix=PostFilt
iptables -t filter -I OUTPUT -j LOG --log-prefix-OutFilt
iptables -t nat -I PREROUTING -j LOG --log-prefix=PreNat
iptables -t nat -I POSTROUTING -j LOG --log-prefix=PostNat
iptables -t nat -I OUTPUT -j LOG --log-prefix-OutNat
Then just send some packets through the machine and look at the log file to
see what order they went through the chains/tables.
Antony.
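
An added example, not part of the original post: one way to do the "look at the log file" step, grouping LOG lines by packet and printing the order in which the prefixes appeared. The host name `fw`, the addresses and the log lines are constructed, and the syslog layout (`kernel: <prefix>IN=...`) is assumed.

```shell
#!/bin/sh
# Added example: rebuild per-packet traversal order from LOG-target lines.
# Assumes each rule used --log-prefix=<Name> with no trailing space, so the
# kernel writes "<Name>IN=..."; packets are keyed on the IP header ID= field,
# which stays the same even when NAT rewrites SRC/DST.
# Note: the filter table only has INPUT, FORWARD and OUTPUT chains, so
# PreFilt/PostFilt lines cannot show up in a real log.

traversal_order() {
    # stdin: syslog lines; stdout: "<ip-id>: Prefix -> Prefix -> ..."
    awk '
    {
        # LOG prints the prefix, then IN=<iface>.
        s = index($0, "kernel: "); e = index($0, "IN=")
        if (s == 0 || e <= s + 8) next        # not a prefixed LOG line
        prefix = substr($0, s + 8, e - s - 8)
        # First " ID=" is the IP ID (an ICMP echo carries a second, later ID=).
        if (!match($0, / ID=[0-9]+/)) next
        id = substr($0, RSTART + 4, RLENGTH - 4)
        if (!(id in path)) { order[++n] = id; path[id] = prefix }
        else path[id] = path[id] " -> " prefix
    }
    END { for (i = 1; i <= n; i++) print order[i] ": " path[order[i]] }'
}

sample_log() {   # constructed lines: one forwarded TCP packet, one local ping
    cat <<'EOF'
Jun 20 21:30:00 fw sshd[311]: session opened for user root
Jun 20 21:30:01 fw kernel: PreMangleIN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 TTL=64 ID=4242 PROTO=TCP SPT=40000 DPT=80
Jun 20 21:30:01 fw kernel: PreMangleIN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.1 TTL=64 ID=4243 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Jun 20 21:30:01 fw kernel: PreNatIN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 TTL=64 ID=4242 PROTO=TCP SPT=40000 DPT=80
Jun 20 21:30:01 fw kernel: PreNatIN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.1 TTL=64 ID=4243 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Jun 20 21:30:01 fw kernel: ForMangleIN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 TTL=63 ID=4242 PROTO=TCP SPT=40000 DPT=80
Jun 20 21:30:01 fw kernel: InMangleIN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.1 TTL=64 ID=4243 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Jun 20 21:30:01 fw kernel: ForFiltIN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 TTL=63 ID=4242 PROTO=TCP SPT=40000 DPT=80
Jun 20 21:30:01 fw kernel: InFiltIN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.1 TTL=64 ID=4243 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Jun 20 21:30:01 fw kernel: PostMangleIN= OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 TTL=63 ID=4242 PROTO=TCP SPT=40000 DPT=80
Jun 20 21:30:01 fw kernel: PostNatIN= OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 TTL=63 ID=4242 PROTO=TCP SPT=40000 DPT=80
EOF
}

sample_log | traversal_order
```

On a real host, feed the function the kernel log instead of `sample_log`, and remove the LOG rules afterwards since they log every packet.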
* Re: mangle table traversal
From: Ben @ 2002-06-20 21:14 UTC (permalink / raw)
To: Antony Stone; +Cc: netfilter
Interestingly, iptables 1.2.6a won't let me attach a LOG target to any of
the output chains. I get this:
bash-2.05a# iptables -t mangle -I OUTPUT -j LOG --log-prefix-OutMangle
iptables v1.2.6a: Unknown arg `--log-prefix-OutMangle'
Is that expected behavior, and if so, why?
On Thu, 20 Jun 2002, Antony Stone wrote:
> On Thursday 20 June 2002 9:16 pm, Shinju wrote:
>
> > Hey folks.
> >
> > Do packets always traverse the chain in the 'mangle' table before they
> > traverse the corresponding chain in other tables? In other words, is this
> > flow correct?...
> >
> > ...manglePREROUTING --> natPREROUTING...
> > ...mangleINPUT --> filterINPUT...
> > ...mangleOUTPUT --> natOUTPUT --> filterOUTPUT...
> > ...mangleFORWARD --> filterFORWARD...
> > ...manglePOSTROUTING --> natPOSTROUTING...
>
> You can easily check this for yourself by putting a LOG target as the first
> rule into every chain. eg:
>
> iptables -t mangle -I PREROUTING -j LOG --log-prefix=PreMangle
> iptables -t mangle -I INPUT -j LOG --log-prefix=InMangle
> iptables -t mangle -I FORWARD -j LOG --log-prefix=ForMangle
> iptables -t mangle -I POSTROUTING -j LOG --log-prefix=PostMangle
> iptables -t mangle -I OUTPUT -j LOG --log-prefix-OutMangle
> iptables -t filter -I PREROUTING -j LOG --log-prefix=PreFilt
> iptables -t filter -I INPUT -j LOG --log-prefix=InFilt
> iptables -t filter -I FORWARD -j LOG --log-prefix=ForFilt
> iptables -t filter -I POSTROUTING -j LOG --log-prefix=PostFilt
> iptables -t filter -I OUTPUT -j LOG --log-prefix-OutFilt
> iptables -t nat -I PREROUTING -j LOG --log-prefix=PreNat
> iptables -t nat -I POSTROUTING -j LOG --log-prefix=PostNat
> iptables -t nat -I OUTPUT -j LOG --log-prefix-OutNat
>
> Then just send some packets through the machine and look at the log file to
> see what order they went through the chains/tables.
>
>
>
> Antony.
>
* Re: mangle table traversal
From: Antony Stone @ 2002-06-20 21:17 UTC (permalink / raw)
To: netfilter
On Thursday 20 June 2002 10:14 pm, Ben wrote:
> Interestingly, iptables 1.2.6a won't let me attach a LOG target to any of
> the output chains. I get this:
>
> bash-2.05a# iptables -t mangle -I OUTPUT -j LOG --log-prefix-OutMangle
> iptables v1.2.6a: Unknown arg `--log-prefix-OutMangle'
Sorry - my typo....
try using
iptables -t mangle -I OUTPUT -j LOG --log-prefix=OutMangle
instead :-)
Antony.
* Re: mangle table traversal
From: Ron Gedye @ 2002-06-20 21:23 UTC (permalink / raw)
To: netfilter
Syntax:
> bash-2.05a# iptables -t mangle -I OUTPUT -j LOG --log-prefix-OutMangle
should be --log-prefix=OutMangle
----- Original Message -----
From: "Ben" <bench@silentmedia.com>
To: "Antony Stone" <Antony@Soft-Solutions.co.uk>
Cc: <netfilter@lists.samba.org>
Sent: Thursday, June 20, 2002 4:14 PM
Subject: Re: mangle table traversal
> Interestingly, iptables 1.2.6a won't let me attach a LOG target to any of
> the output chains. I get this:
>
> bash-2.05a# iptables -t mangle -I OUTPUT -j LOG --log-prefix-OutMangle
> iptables v1.2.6a: Unknown arg `--log-prefix-OutMangle'
>
> Is that expected behavior, and if so, why?
>
> On Thu, 20 Jun 2002, Antony Stone wrote:
>
> > On Thursday 20 June 2002 9:16 pm, Shinju wrote:
> >
> > > Hey folks.
> > >
> > > Do packets always traverse the chain in the 'mangle' table before they
> > > traverse the corresponding chain in other tables? In other words, is this
> > > flow correct?...
> > >
> > > ...manglePREROUTING --> natPREROUTING...
> > > ...mangleINPUT --> filterINPUT...
> > > ...mangleOUTPUT --> natOUTPUT --> filterOUTPUT...
> > > ...mangleFORWARD --> filterFORWARD...
> > > ...manglePOSTROUTING --> natPOSTROUTING...
> >
> > You can easily check this for yourself by putting a LOG target as the first
> > rule into every chain. eg:
> >
> > iptables -t mangle -I PREROUTING -j LOG --log-prefix=PreMangle
> > iptables -t mangle -I INPUT -j LOG --log-prefix=InMangle
> > iptables -t mangle -I FORWARD -j LOG --log-prefix=ForMangle
> > iptables -t mangle -I POSTROUTING -j LOG --log-prefix=PostMangle
> > iptables -t mangle -I OUTPUT -j LOG --log-prefix-OutMangle
> > iptables -t filter -I PREROUTING -j LOG --log-prefix=PreFilt
> > iptables -t filter -I INPUT -j LOG --log-prefix=InFilt
> > iptables -t filter -I FORWARD -j LOG --log-prefix=ForFilt
> > iptables -t filter -I POSTROUTING -j LOG --log-prefix=PostFilt
> > iptables -t filter -I OUTPUT -j LOG --log-prefix-OutFilt
> > iptables -t nat -I PREROUTING -j LOG --log-prefix=PreNat
> > iptables -t nat -I POSTROUTING -j LOG --log-prefix=PostNat
> > iptables -t nat -I OUTPUT -j LOG --log-prefix-OutNat
> >
> > Then just send some packets through the machine and look at the log file to
> > see what order they went through the chains/tables.
> >
> >
> >
> > Antony.
> >
>
>
>