iptables FORWARD and INPUT

Question

RedHat has a great doc about iptables (a little bit long), but the subject to cover is complex and there are so many different use cases that I don't see how to avoid it.

Here is the chapter about FORWARD and NAT Rules. As it states:

For example, if you want to forward incoming HTTP requests to your dedicated Apache HTTP Server at 172.31.0.23, use the following command as the root user:

~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.31.0.23:80

Here is what happens:

• your linux gateway receives a packet from your router. The packet header has:
  • source: x.x.x.x:y (sender IP from the internet & source port used for packet transmission)
  • destination: 192.168.1.1:80 (assuming your linux gateway IP on external NIC, ie p1p1)
• your linux gateway applies the PREROUTING chain to find a match. Assuming that you have typed what's above, the packet matches the rule and then calls (jumps -j) to the DNAT function (Destination Network Address Translation) which changes the destination of the packet header from the initial 192.168.1.1:80 to 172.31.0.23:80.
• then, the packet arrives to the Routing Decision. The packet destination is now 172.31.0.23:80.
  • Your linux gateway asks itself: Is it for me (192.168.1.1:80) ? No, so I won't send it to the INPUT chain.
  • => I'll send it to the FORWARD chain.
• since you have set the rules to FORWARD all on your local network (table filter chain FORWARD), the packet should be forwarded correctly to your local Apache HTTP Server (for example).

Hope it'll help to understand a little bit more how internal routing works with iptables.

INPUT, FORWARD, and OUTPUT are separate. A packet will only hit one of the three chains.

If the destination is to this server, it hits the INPUT chain. If its source is from this server, it hits OUTPUT. If its source and destination are both other machines—it's being routed through the server—then it hits the FORWARD chain.