Mdthbs

Four ships at the ocean with the same distance

What is the shape of the upper boundary of water hitting a screen?

Which is a better conductor, a very thick rubber wire or a very thin copper wire?

What are the effects of abstaining from eating a certain flavor?

How to have a filled pattern

What was the nature of the known bugs in the Space Shuttle software?

How can I review my manager, who is fine?

What is the highest level of accuracy in motion control a Victorian society could achieve?

Can we share mixing jug/beaker for developer, fixer and stop bath?

Intern not wearing safety equipment; how could I have handled this differently?

How do resistors generate different heat if we make the current fixed and changed the voltage and resistance? Notice the flow of charge is constant

Is this car delivery via Ebay Motors on Craigslist a scam?

Name for an item that is out of tolerance or over a threshold

Why do Martians have to wear space helmets?

How do I explain that I don't want to maintain old projects?

Need a non-volatile memory IC with near unlimited read/write operations capability

Uniform initialization by tuple

Why are co-factors 4 and 8 so popular when co-factor is more than one?

How to reclaim personal item I've lent to the office without burning bridges?

Category-theoretic treatment of diffs, patches and merging?

How was the website able to tell my credit card was wrong before it processed it?

Examples of fluid (including air) being used to transmit digital data?

How did the IEC decide to create kibibytes?

Passwordless authentication - how and when to invalidate a login code

What is the difference between NAT OUTPUT chain and NAT POSTROUTING chain?

Difference between SNAT and MasqueradeWhat is the difference between OUTPUT and FORWARD chains in iptables?Dropping packets before mangle POSTROUTINGUnable to get NAT working via iptables PREROUTING chain-o in iptables is for specifying the interface for OUTPUT, FORWARD, and POSTROUTING Correct?OUTPUT chain rules in iptablesIptables not working as I expect: response package not DNATed as expected with DNAT in PREROUTINGWhen and how to use chain priorities in nftablesWhat is a chain in iptables?Assigning a IPTABLES custom chain to the OUTPUT chain

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}

2

IF Nating is done in OUTPUT chain of the NAT table, then what is the function of SNAT in POSTROUTING

iptables netfilter

share|improve this question

edited Nov 3 '17 at 11:15

sebasth

9,15733 gold badges2525 silver badges5050 bronze badges

asked Nov 3 '17 at 9:22

ArjunChArjunCh

1611 silver badge33 bronze badges

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  According to your table (posted as an image — please fix that. Just copy and paste the descriptions; it doesn't have to be perfect) the OUTPUT table is only for traffic from the firewall itself (local sockets), e.g., not for forwarded traffic from machines "behind" it. Not sure what else you're looking for, could you clarify?
  
  – derobert
  Nov 3 '17 at 10:10
  

  
  
  
  

add a comment | 

2

IF Nating is done in OUTPUT chain of the NAT table, then what is the function of SNAT in POSTROUTING

iptables netfilter

share|improve this question

edited Nov 3 '17 at 11:15

sebasth

9,15733 gold badges2525 silver badges5050 bronze badges

asked Nov 3 '17 at 9:22

ArjunChArjunCh

1611 silver badge33 bronze badges

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  According to your table (posted as an image — please fix that. Just copy and paste the descriptions; it doesn't have to be perfect) the OUTPUT table is only for traffic from the firewall itself (local sockets), e.g., not for forwarded traffic from machines "behind" it. Not sure what else you're looking for, could you clarify?
  
  – derobert
  Nov 3 '17 at 10:10
  

  
  
  
  

add a comment | 

IF Nating is done in OUTPUT chain of the NAT table, then what is the function of SNAT in POSTROUTING

iptables netfilter

share|improve this question

edited Nov 3 '17 at 11:15

sebasth

9,15733 gold badges2525 silver badges5050 bronze badges

asked Nov 3 '17 at 9:22

ArjunChArjunCh

1611 silver badge33 bronze badges

share|improve this question

edited Nov 3 '17 at 11:15

sebasth

9,15733 gold badges2525 silver badges5050 bronze badges

asked Nov 3 '17 at 9:22

ArjunChArjunCh

1611 silver badge33 bronze badges

share|improve this question

edited Nov 3 '17 at 11:15

sebasth

9,15733 gold badges2525 silver badges5050 bronze badges

asked Nov 3 '17 at 9:22

ArjunChArjunCh

1611 silver badge33 bronze badges

edited Nov 3 '17 at 11:15

sebasth

9,15733 gold badges2525 silver badges5050 bronze badges

edited Nov 3 '17 at 11:15

sebasth

9,15733 gold badges2525 silver badges5050 bronze badges

asked Nov 3 '17 at 9:22

ArjunChArjunCh

1611 silver badge33 bronze badges

asked Nov 3 '17 at 9:22

ArjunChArjunCh

1611 silver badge33 bronze badges

2 Answers
2

active

oldest

votes

6

Have a look at this diagram. The green boxes are for iptables, the blue are for ebtables (ignore those).

So you see that the OUTPUT chain is only traversed for packets produced by local applications, while the POSTROUTING chain is traversed by all packets, including those routed from somewhere else.

There are two subcases for network address translation (NAT): SNAT translates the source address of the packet, while DNAT translates the destination address of the packet.

You are restricted in which chains you can do either: nat/PREROUTING and nat/OUTPUT can do DNAT, while nat/POSTROUTING and possibly nat/INPUT (not sure if this still works) can do SNAT.

share|improve this answer

answered Nov 3 '17 at 11:32

dirktdirkt

18.3k33 gold badges1515 silver badges3939 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Can you explain how nat/OUTPUT allows to do DNAT? My understanding is that you DNAT incoming packages, and SNAT outcoming ones. And nat/OUTPUT processes the outcoming ones. Which means it allows to do SNAT. What am I missing here?
  
  – x-yuri
  Jun 27 at 18:38
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @x-yuri I can't explain the design choice of the kernel developers, and I've often been in a situation where I would have needed it the other way around (or just be able to DNAT and SNAT or any sort of rewriting everywhere). That said, packets incoming from a network interface are apparently treated the same way as packets "incoming" from an application to the kernel through the OUTPUT chain, hence both can do DNAT.
  
  – dirkt
  Jun 28 at 5:57
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Indeed, I can see here a brief mention that the OUTPUT chain can be used for DNAT. But what I don't understand is not the kernel developers' decision. According to the diagram you mentioned nat/OUTPUT comes after the reroute check. Which means you can't change the destination. Now that I think about it, that's probably a mistake. Or it may not reflect the current state of affairs.
  
  – x-yuri
  Jun 28 at 12:59
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  ...But if nat/OUTPUT is for DNAT, why would I need that? I can see a case where I'm behind a router, and the packets coming from the internet gets DNAT'ed on the router. But why would I need to DNAT packets coming from a local application?
  
  – x-yuri
  Jun 28 at 13:00
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Sorry, as I said, I can't explain the "why". If I had designed it, I'd have allowed rewriting in any way everywhere. I have no idea where those restrictions come from, or if they are even necessary.
  
  – dirkt
  Jun 28 at 15:59
  

  
  
  
  

add a comment | 

0

@ x-yuri
I was also confused about output NAT but finally I got the answer.
Prerouting & Postrouting NAT are both for external NAT when some packets are coming to your interface or going out of it and you wanna NAT the address. But OUTPUT NAT is for your local network NAT, I mean when the packets are starting from your application.
I think this is a good example to figure it out better.
When you wanna change the port and IP address of a traffic as a transparent proxy such as what we do in Nginx.
We can use something like this:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.100.10:8080

you send traffic on port 80 to the other host on your network 192.168.100.10 which is listening on it's port 8080

I think it's the point
I hope it is true and what you were asking for

share|improve this answer

answered 45 mins ago

Vhaid KhorasaniVhaid Khorasani

1

New contributor

Vhaid Khorasani is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f402233%2fwhat-is-the-difference-between-nat-output-chain-and-nat-postrouting-chain%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

6

Have a look at this diagram. The green boxes are for iptables, the blue are for ebtables (ignore those).

So you see that the OUTPUT chain is only traversed for packets produced by local applications, while the POSTROUTING chain is traversed by all packets, including those routed from somewhere else.

There are two subcases for network address translation (NAT): SNAT translates the source address of the packet, while DNAT translates the destination address of the packet.

You are restricted in which chains you can do either: nat/PREROUTING and nat/OUTPUT can do DNAT, while nat/POSTROUTING and possibly nat/INPUT (not sure if this still works) can do SNAT.

share|improve this answer

answered Nov 3 '17 at 11:32

dirktdirkt

18.3k33 gold badges1515 silver badges3939 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Can you explain how nat/OUTPUT allows to do DNAT? My understanding is that you DNAT incoming packages, and SNAT outcoming ones. And nat/OUTPUT processes the outcoming ones. Which means it allows to do SNAT. What am I missing here?
  
  – x-yuri
  Jun 27 at 18:38
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @x-yuri I can't explain the design choice of the kernel developers, and I've often been in a situation where I would have needed it the other way around (or just be able to DNAT and SNAT or any sort of rewriting everywhere). That said, packets incoming from a network interface are apparently treated the same way as packets "incoming" from an application to the kernel through the OUTPUT chain, hence both can do DNAT.
  
  – dirkt
  Jun 28 at 5:57
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Indeed, I can see here a brief mention that the OUTPUT chain can be used for DNAT. But what I don't understand is not the kernel developers' decision. According to the diagram you mentioned nat/OUTPUT comes after the reroute check. Which means you can't change the destination. Now that I think about it, that's probably a mistake. Or it may not reflect the current state of affairs.
  
  – x-yuri
  Jun 28 at 12:59
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  ...But if nat/OUTPUT is for DNAT, why would I need that? I can see a case where I'm behind a router, and the packets coming from the internet gets DNAT'ed on the router. But why would I need to DNAT packets coming from a local application?
  
  – x-yuri
  Jun 28 at 13:00
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Sorry, as I said, I can't explain the "why". If I had designed it, I'd have allowed rewriting in any way everywhere. I have no idea where those restrictions come from, or if they are even necessary.
  
  – dirkt
  Jun 28 at 15:59
  

  
  
  
  

add a comment | 

6

Have a look at this diagram. The green boxes are for iptables, the blue are for ebtables (ignore those).

So you see that the OUTPUT chain is only traversed for packets produced by local applications, while the POSTROUTING chain is traversed by all packets, including those routed from somewhere else.

There are two subcases for network address translation (NAT): SNAT translates the source address of the packet, while DNAT translates the destination address of the packet.

You are restricted in which chains you can do either: nat/PREROUTING and nat/OUTPUT can do DNAT, while nat/POSTROUTING and possibly nat/INPUT (not sure if this still works) can do SNAT.

share|improve this answer

answered Nov 3 '17 at 11:32

dirktdirkt

18.3k33 gold badges1515 silver badges3939 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Can you explain how nat/OUTPUT allows to do DNAT? My understanding is that you DNAT incoming packages, and SNAT outcoming ones. And nat/OUTPUT processes the outcoming ones. Which means it allows to do SNAT. What am I missing here?
  
  – x-yuri
  Jun 27 at 18:38
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @x-yuri I can't explain the design choice of the kernel developers, and I've often been in a situation where I would have needed it the other way around (or just be able to DNAT and SNAT or any sort of rewriting everywhere). That said, packets incoming from a network interface are apparently treated the same way as packets "incoming" from an application to the kernel through the OUTPUT chain, hence both can do DNAT.
  
  – dirkt
  Jun 28 at 5:57
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Indeed, I can see here a brief mention that the OUTPUT chain can be used for DNAT. But what I don't understand is not the kernel developers' decision. According to the diagram you mentioned nat/OUTPUT comes after the reroute check. Which means you can't change the destination. Now that I think about it, that's probably a mistake. Or it may not reflect the current state of affairs.
  
  – x-yuri
  Jun 28 at 12:59
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  ...But if nat/OUTPUT is for DNAT, why would I need that? I can see a case where I'm behind a router, and the packets coming from the internet gets DNAT'ed on the router. But why would I need to DNAT packets coming from a local application?
  
  – x-yuri
  Jun 28 at 13:00
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Sorry, as I said, I can't explain the "why". If I had designed it, I'd have allowed rewriting in any way everywhere. I have no idea where those restrictions come from, or if they are even necessary.
  
  – dirkt
  Jun 28 at 15:59
  

  
  
  
  

add a comment | 

Have a look at this diagram. The green boxes are for iptables, the blue are for ebtables (ignore those).

So you see that the OUTPUT chain is only traversed for packets produced by local applications, while the POSTROUTING chain is traversed by all packets, including those routed from somewhere else.

There are two subcases for network address translation (NAT): SNAT translates the source address of the packet, while DNAT translates the destination address of the packet.

You are restricted in which chains you can do either: nat/PREROUTING and nat/OUTPUT can do DNAT, while nat/POSTROUTING and possibly nat/INPUT (not sure if this still works) can do SNAT.

share|improve this answer

answered Nov 3 '17 at 11:32

dirktdirkt

18.3k33 gold badges1515 silver badges3939 bronze badges

share|improve this answer

answered Nov 3 '17 at 11:32

dirktdirkt

18.3k33 gold badges1515 silver badges3939 bronze badges

answered Nov 3 '17 at 11:32

dirktdirkt

18.3k33 gold badges1515 silver badges3939 bronze badges

answered Nov 3 '17 at 11:32

dirktdirkt

18.3k33 gold badges1515 silver badges3939 bronze badges

0

@ x-yuri
I was also confused about output NAT but finally I got the answer.
Prerouting & Postrouting NAT are both for external NAT when some packets are coming to your interface or going out of it and you wanna NAT the address. But OUTPUT NAT is for your local network NAT, I mean when the packets are starting from your application.
I think this is a good example to figure it out better.
When you wanna change the port and IP address of a traffic as a transparent proxy such as what we do in Nginx.
We can use something like this:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.100.10:8080

you send traffic on port 80 to the other host on your network 192.168.100.10 which is listening on it's port 8080

I think it's the point
I hope it is true and what you were asking for

share|improve this answer

answered 45 mins ago

Vhaid KhorasaniVhaid Khorasani

1

New contributor

Vhaid Khorasani is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

0

@ x-yuri
I was also confused about output NAT but finally I got the answer.
Prerouting & Postrouting NAT are both for external NAT when some packets are coming to your interface or going out of it and you wanna NAT the address. But OUTPUT NAT is for your local network NAT, I mean when the packets are starting from your application.
I think this is a good example to figure it out better.
When you wanna change the port and IP address of a traffic as a transparent proxy such as what we do in Nginx.
We can use something like this:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.100.10:8080

you send traffic on port 80 to the other host on your network 192.168.100.10 which is listening on it's port 8080

I think it's the point
I hope it is true and what you were asking for

share|improve this answer

answered 45 mins ago

Vhaid KhorasaniVhaid Khorasani

1

New contributor

Vhaid Khorasani is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

@ x-yuri
I was also confused about output NAT but finally I got the answer.
Prerouting & Postrouting NAT are both for external NAT when some packets are coming to your interface or going out of it and you wanna NAT the address. But OUTPUT NAT is for your local network NAT, I mean when the packets are starting from your application.
I think this is a good example to figure it out better.
When you wanna change the port and IP address of a traffic as a transparent proxy such as what we do in Nginx.
We can use something like this:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.100.10:8080

you send traffic on port 80 to the other host on your network 192.168.100.10 which is listening on it's port 8080

I think it's the point
I hope it is true and what you were asking for

share|improve this answer

answered 45 mins ago

Vhaid KhorasaniVhaid Khorasani

1

New contributor

Vhaid Khorasani is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this answer

answered 45 mins ago

Vhaid KhorasaniVhaid Khorasani

1

New contributor

Vhaid Khorasani is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered 45 mins ago

Vhaid KhorasaniVhaid Khorasani

1

New contributor

Vhaid Khorasani is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered 45 mins ago

Vhaid KhorasaniVhaid Khorasani

1