What is the difference between OUTPUT and FORWARD chains in iptables?

OUTPUT is for packets that are emitted by the host. Their destination is usually another host, but can be the same host via the loopback interface, so not all packets that go through OUTPUT are in fact outgoing.

FORWARD is for packets that are neither emitted by the host nor directed to the host. They are the packets that the host is merely routing.

When you start digging into packet mangling and NAT, the full story is rather more complex.


To my understanding:

INPUT: the dst IP is on the host, even if the host has multiple ports on multiple subnets

OUTPUT: the src IP is from the host, on either port

FORWARD: neither the dst IP is on the host nor the src IP is from the host


For example, for router A:

INPUT is:

192.168.10.1 -> 192.168.10.199

192.168.10.1 -> 192.168.2.1

OUTPUT is:

192.168.10.199 -> x.x.x.x

192.168.2.1 -> x.x.x.x

FORWARD is:

192.168.10.1 -> 192.168.2.199

192.168.10.1 -> 192.168.8.1

192.168.10.1 -> 192.168.8.199
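As an added example that is not from either answer, the rule of thumb above (dst local means INPUT, src local means OUTPUT, neither means FORWARD) plus the loopback caveat from the first answer, turned into a small classifier. Router A's addresses are assumed to be 192.168.10.199 and 192.168.2.1 (the figure is not on the page), and the `ip_forward` flag models the kernel's `net.ipv4.ip_forward` sysctl, which the answers do not mention.

```python
import ipaddress

# Constructed: router A from the second answer, one address per subnet.
ROUTER_A_ADDRS = {"192.168.10.199", "192.168.2.1"}


def chains_traversed(src, dst, host_addrs=ROUTER_A_ADDRS, ip_forward=True):
    """Return the filter-table chains a packet src->dst passes on a host
    that owns host_addrs.

    - dst local            -> INPUT
    - src local            -> OUTPUT
    - both local           -> OUTPUT then INPUT (delivered over loopback,
                              so not every OUTPUT packet leaves the box)
    - neither local        -> FORWARD, but only if the host actually
                              forwards; otherwise routing discards it
                              before any FORWARD rule is consulted
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_local = str(src_ip) in host_addrs or src_ip.is_loopback
    dst_local = str(dst_ip) in host_addrs or dst_ip.is_loopback
    if src_local and dst_local:
        return ["OUTPUT", "INPUT"]
    if dst_local:
        return ["INPUT"]
    if src_local:
        return ["OUTPUT"]
    if not ip_forward:
        return []
    return ["FORWARD"]


def classify_samples(ip_forward=True):
    """Classify the sample flows listed in the answer for router A."""
    flows = [
        ("192.168.10.1", "192.168.10.199"),
        ("192.168.10.1", "192.168.2.1"),
        ("192.168.10.199", "203.0.113.5"),   # x.x.x.x stand-in (constructed)
        ("192.168.2.1", "203.0.113.5"),
        ("192.168.10.1", "192.168.2.199"),
        ("192.168.10.1", "192.168.8.1"),
        ("192.168.10.1", "192.168.8.199"),
    ]
    return {f"{s} -> {d}": chains_traversed(s, d, ip_forward=ip_forward)
            for s, d in flows}


if __name__ == "__main__":
    for flow, chains in classify_samples().items():
        print(f"{flow:35} {' -> '.join(chains) or '(not routed)'}")
```

A host that is not forwarding (the default on most Linux installs) silently drops transit traffic before the FORWARD chain sees it, which is why a FORWARD rule alone never makes a box into a router.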

Tags: Linux, Iptables