What's the difference between PREROUTING and FORWARD in iptables?
NAT Table:
This table should only be used for NAT (Network Address Translation) on different packets. In other words, it should only be used to translate the packet's source field or destination field.
Filter Table:
The filter table is mainly used for filtering packets. We can match packets and filter them in whatever way we want. This is the place that we actually take action against packets and look at what they contain and DROP or /ACCEPT them, depending on their content. Of course we may also do prior filtering; however, this particular table is the place for which filtering was designed.
In Traversing of tables and chains we can see that filter's FORWARD chain is traversed only by forwarded packets (packets that come from network AND go out to network), i.e. your computer is acting like a router, while nat's PREROUTING chain is traversed by both forwarded packets and packets whose destination is the local host.
You should use nat's PREROUTING only to change the destination address of the packets and filter's FORWARD only for filtering (dropping/accepting packets).
If we get a packet into the first routing decision that is not destined for the local machine itself, it will be routed through the FORWARD chain. If the packet is, on the other hand, destined for an IP address that the local machine is listening to, we would send the packet through the INPUT chain and to the local machine. Packets may be destined for the local machine, but the destination address may be changed within the PREROUTING chain by doing NAT. Since this takes place before the first routing decision, the packet will be looked upon after this change. Because of this, the routing may be changed before the routing decision is done. Do note, that all packets will be going through one or the other path in this image. If you DNAT a packet back to the same network that it came from, it will still travel through the rest of the chains until it is back out on the network.
PREROUTING: This chain is used to make any routing related decisions before (PRE) sending any packets. Always remember that in PREROUTING/POSTROUTING
i.e. NAT
table the ACCEPT/DROP/REJECT
etc targets of the default FILTER
table will not work. The NAT
table is only used for taking routing decisions. You should use PREROUTING
when taking any routing decisions i.e. the decisions which are needed to be taken before the packet will start traversing through the network. Here is an example, we are redirecting any traffic that just reached the server on port 80 to the port 8080:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
FORWARD: As the name suggests, The FORWARD
chain of FILTER
table is used to forward the packets from a source to a destination, here the source and destination are two different hosts. So, as you can imagine FORWARD
rules are basically used on servers where one host is sending/receiving traffic from another host via the server. When the packet is generated from the server the chain is OUTPUT
i.e. the traffic is going out from itself whereas INPUT
chain means the the packets are meant for the server itself only. Here is an example of FORWARD
chain where any TCP
traffic received on port 80 on interface eth0
meant for the host 192.168.0.4
will be accepted and forwarded to 192.168.0.4
:
iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 192.168.0.4 -j ACCEPT