More on conntrack + NAT + mangle/nat tables

Lluís Batlle viriketo at
Wed Jul 6 12:20:49 CEST 2005

Oh, my fault. :) I mislooked at the diagram :) Everything is fine, so,
about nat + mangle tables.
So, I think conntrack NAT happens after the mangle POSTROUTING chain.
So, after routing.

Thanks :)

On 7/6/05, Jörg Harmuth <harmuth at> wrote:
> packet flow is:
> ... --> [mangle:POSTROUTING] --> [nat:POSTROUTING]
> So, all packets arrive in mangle:POSTROUTING with their source address
> unchanged. DNAT - if configured - is already applied to the packet.
> If I'm telling old stories now, forget it, but you can modify this
> script to fit your needs:
> Following the log (and /proc/net/ip_conntrack) you see the packet flow
> in detail. And you see when [S|D]NAT ist applied.

More information about the netfilter mailing list