
If a packet is ACCEPTed from, say, the INPUT chain of the mangle table, will it bypass the INPUT chain of the filter table and go straight to the local process? Or will the INPUT chain of the filter table process the packet again, and have a chance to DROP it?


I understand that you shouldn't use the mangle table to DROP packets, since the mangle table should be used for packet mangling, and not packet filtering. But I am interested in knowing this from the theoretical point of view.

dayuloli

    Usually it's a first come first serve, your packet will be matched by the first rule it encounters and "ignore" the rest. Have a look at this: https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg – Lenniey Feb 21 '19 at 17:22
  • Eh...I completely misinterpreted your question...My comment stands, but you _should not_ use the mangle table for filtering. Have a look at this: http://www.faqs.org/docs/iptables/mangletable.html – Lenniey Feb 21 '19 at 17:29

1 Answer

3

Each table processes packets independently of each other.

Of course if you DROP a packet in one table, then it will not reach the next table. However, if you ACCEPT a packet, all that means is you're terminating the processing of the packet in the table where you do the ACCEPT, and flow moves on to the next (if any).

If you google for "iptables packet flow diagram" you will find many representations of the packet flow so that it's clear what the order of the tables is.

wurtel
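The traversal order the answer describes, as an added toy model that is not part of the original answer and not iptables or kernel code: it assumes only the mangle and filter tables at the INPUT hook, with constructed rules, and shows that an ACCEPT in mangle ends only that table's traversal, so the filter table's INPUT chain still gets to DROP the packet.

```python
from dataclasses import dataclass, field

# Added toy model of netfilter traversal at the INPUT hook (not iptables code).
# Assumption: only the mangle and filter tables are modelled, in hook order.
INPUT_TABLE_ORDER = ("mangle", "filter")

@dataclass
class Rule:
    match: dict    # e.g. {"proto": "tcp", "dport": 22}; {} matches every packet
    target: str    # "ACCEPT", "DROP" or "RETURN"

    def matches(self, pkt: dict) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())

@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: list = field(default_factory=list)

def walk_chain(chain: Chain, pkt: dict) -> str:
    """First matching rule with a terminating target decides, else the policy."""
    for rule in chain.rules:
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            break  # stop walking this chain and use its policy
    return chain.policy

def input_verdict(tables: dict, pkt: dict) -> tuple:
    """Walk each table's INPUT chain in hook order.
    Returns (final verdict, [(table, verdict) for each table consulted])."""
    trace = []
    for name in INPUT_TABLE_ORDER:
        verdict = walk_chain(tables[name], pkt)
        trace.append((name, verdict))
        if verdict == "DROP":
            return "DROP", trace  # DROP ends processing: later tables never see it
        # ACCEPT only ends *this* table's traversal; the next table still runs
    return "ACCEPT", trace

# Constructed rule set: mangle ACCEPTs tcp/8080, filter DROPs the same traffic.
TABLES = {
    "mangle": Chain(rules=[Rule({"proto": "tcp", "dport": 8080}, "ACCEPT")]),
    "filter": Chain(rules=[Rule({"proto": "tcp", "dport": 8080}, "DROP")]),
}
```

Calling `input_verdict(TABLES, {"proto": "tcp", "dport": 8080})` returns the trace showing mangle ACCEPT followed by filter DROP, while a DROP placed in mangle stops the trace before filter is consulted.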