A couple of iptables questions

Discussion in 'Tomato Firmware' started by Bird333, May 27, 2014.

  1. Bird333

    Bird333 Network Guru Member

    1. Does network traffic pass through the PREROUTING chain even for packets that are in the same subnet?

    2. And a related question I asked in another thread. Reading through the "specific port openvpn" thread (http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/) I noticed that multiple PREROUTING rules are being used. I thought iptables worked by the first rule that the packet matches gets selected. It seems that 'iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1' should match all traffic on the LAN and not go to the other rules. Does the PREROUTING chain not work that way? If not, how does it work?
  2. mstombs

    mstombs Network Guru Member

    You need to do your own testing for definitive answer on specific firmware/kernel/drivers but AFAIK:-

    1. No, the Broadcom switch driver will pass on LAN-LAN traffic on same subnet effectively in hardware not troubling the OS. Wifi to LAN gets as far as the Linux bridging, but still bypasses IPTables configured kernel netfilter rules. Even WAN to LAN nat traffic bypasses the Linux kernel when CTF enabled.

    2. MARK target does not appear to be a chain break, you must add same test and "-j RETURN" in subsequent rules if you don't want further processing.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice