iptables rationale questions

Discuss the technical details of Gargoyle and ongoing development


nworbnhoj
Posts: 916
Joined: Mon Jul 21, 2014 10:08 am
Location: Australia


Post by nworbnhoj »

I have learnt heaps about networking and Linux while interacting with Gargoyle :-) and a long time ago I raised an unimportant and unanswered question that I am using as an exercise to learn some more stuff: http://www.gargoyle-router.com/phpbb/vi ... 464#p26165

Now I have not messed about with iptables in earnest before, but I am having trouble getting my head around the rationale behind the use of various tables for various roles (i.e. bandwidth, quotas, QoS, Tor etc.).

Omitting chains that are not relevant to this question, I understand that a packet will pass through:
nat PREROUTING
mangle INPUT
mangle OUTPUT
mangle POSTROUTING
nat POSTROUTING

OR

nat PREROUTING
mangle FORWARD
mangle POSTROUTING
nat POSTROUTING

My very high-level summary of the (important) Gargoyle tables and chains:


nat PREROUTING
	delegate_prerouting
		prerouting_rule
		zone_lan_prerouting
			tor_client

mangle INPUT
	ingress_quotas   all  --  anywhere  anywhere  connmark match 0x0/0x8000
	combined_quotas  all  --  anywhere  anywhere  connmark match 0x0/0x8000
	qos_ingress      all  --  anywhere  anywhere
	tor_down_bw      tcp  --  anywhere  anywhere

mangle OUTPUT
	egress_quotas    all  --  anywhere  anywhere  connmark match 0x0/0x8000
	combined_quotas  all  --  anywhere  anywhere  connmark match 0x0/0x8000
	tor_up_bw        tcp  --  anywhere  anywhere

Chain FORWARD
	forward_quotas   all  --  anywhere  anywhere
		egress_quotas    all  --  anywhere  anywhere  connmark match 0x0/0x8000
		ingress_quotas   all  --  anywhere  anywhere  connmark match 0x0/0x8000
		CONNMARK         all  --  anywhere  anywhere  connmark match 0x0/0x8000 CONNMARK or 0xf000000
		CONNMARK         all  --  anywhere  anywhere  connmark match 0x0/0x8000 CONNMARK or 0xf000000
		combined_quotas  all  --  anywhere  anywhere  connmark match 0xf000000/0xf000000
		CONNMARK         all  --  anywhere  anywhere  CONNMARK and 0xf0ffffff
	qos_ingress      all  --  anywhere  anywhere
	mssfix           all  --  anywhere  anywhere

mangle POSTROUTING
	bw_egress        all  --  anywhere  anywhere
	qos_egress       all  --  anywhere  anywhere

nat POSTROUTING
	delegate_postrouting
		postrouting_rule
			MASQUERADE

The following things do not make sense to me and I would appreciate any clarification (the explanation might simply be BECAUSE or HISTORY ;-))
  • Why does combined_quotas get called from both mangle INPUT and mangle OUTPUT?
  • Why call qos_ingress from both mangle INPUT and mangle FORWARD, while qos_egress is called from mangle POSTROUTING?
  • More generally, why not consolidate all of the calls to Gargoyle chains (ingress_quotas, combined_quotas, qos_ingress etc.) into, say, mangle POSTROUTING? I do not appreciate why these chains are called from where they are.
  • I have teased out what some of the connmark bits are used for, but is there doco or a comment somewhere that summarizes which bits represent what?
Thanks :-)
Can you help someone else get Gargoyle up and running?
TL-WDR3600 : Gargoyle 1.9.0 : NBN FixedWireless
TL-WR1043ND-V2 : Gargoyle 1.8.0 : 3G Huawei E160E
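The last two questions in the post (where each Gargoyle chain is reachable from, and which connmark bits mean what) are exactly the kind of thing that is quicker to read off a dump than to trace by hand. The script below is an added example, not Gargoyle code and not from the original post: it parses `iptables-save -t mangle` output, reports which built-in chains each user chain can be reached from (following jumps transitively), and maps every connmark bit to the chains that test, set or clear it. The `SAMPLE` dump is constructed from the chain summary above so the example runs offline; it mirrors only the jump structure and connmark rules of the post's tree, not the bodies of the quota chains, and the cleared/set bits are derived from the `--and-mark` / `--or-mark` arguments rather than from any documentation of Gargoyle's scheme.

```python
"""Map connmark bits and chain reachability from an iptables-save mangle dump.

SAMPLE is a constructed dump mirroring the post's chain summary; it is not a
capture from a real Gargoyle router and omits the quota chains' own rules.
"""
import sys
from collections import defaultdict

SAMPLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:forward_quotas - [0:0]
:ingress_quotas - [0:0]
:egress_quotas - [0:0]
:combined_quotas - [0:0]
:qos_ingress - [0:0]
:qos_egress - [0:0]
:bw_egress - [0:0]
:mssfix - [0:0]
:tor_down_bw - [0:0]
:tor_up_bw - [0:0]
-A INPUT -m connmark --mark 0x0/0x8000 -j ingress_quotas
-A INPUT -m connmark --mark 0x0/0x8000 -j combined_quotas
-A INPUT -j qos_ingress
-A INPUT -p tcp -j tor_down_bw
-A OUTPUT -m connmark --mark 0x0/0x8000 -j egress_quotas
-A OUTPUT -m connmark --mark 0x0/0x8000 -j combined_quotas
-A OUTPUT -p tcp -j tor_up_bw
-A FORWARD -j forward_quotas
-A FORWARD -j qos_ingress
-A FORWARD -j mssfix
-A forward_quotas -m connmark --mark 0x0/0x8000 -j egress_quotas
-A forward_quotas -m connmark --mark 0x0/0x8000 -j ingress_quotas
-A forward_quotas -m connmark --mark 0x0/0x8000 -j CONNMARK --or-mark 0xf000000
-A forward_quotas -m connmark --mark 0xf000000/0xf000000 -j combined_quotas
-A forward_quotas -j CONNMARK --and-mark 0xf0ffffff
-A POSTROUTING -j bw_egress
-A POSTROUTING -j qos_egress
COMMIT
"""

MASK32 = 0xFFFFFFFF


def _vm(s):
    """Parse 'value[/mask]' as iptables-save prints it (hex or decimal)."""
    v, _, m = s.partition("/")
    return int(v, 0), (int(m, 0) if m else MASK32)


def bits(mask):
    return [b for b in range(32) if mask >> b & 1]


def parse(text):
    """Return (builtin chains, user chains, rules).  A rule records its chain,
    jump target, '-m connmark --mark' test and any CONNMARK mark operation."""
    builtins, users, rules = set(), set(), []
    for line in text.splitlines():
        if line.startswith(":"):                  # chain declaration
            name, policy = line[1:].split()[:2]
            (users if policy == "-" else builtins).add(name)
            continue
        if not line.startswith("-A "):
            continue
        tok = line.split()
        r = {"chain": tok[1], "target": None, "test": None, "op": None}
        i = 2
        while i < len(tok):
            t = tok[i]
            if t == "-j":
                r["target"] = tok[i + 1]; i += 2
            elif t == "--mark":                    # connmark match value/mask
                r["test"] = _vm(tok[i + 1]); i += 2
            elif t in ("--or-mark", "--and-mark", "--xor-mark"):
                r["op"] = (t[2:-5], int(tok[i + 1], 0), MASK32); i += 2
            elif t in ("--set-mark", "--set-xmark"):
                v, m = _vm(tok[i + 1]); r["op"] = ("set", v, m); i += 2
            else:
                i += 1                             # -p, -m, -i ... not needed here
        rules.append(r)
    return builtins, users, rules


def entry_points(builtins, users, rules):
    """Map each called user chain to the built-in chains it is reachable from."""
    callers = defaultdict(set)
    for r in rules:
        if r["target"] in users:
            callers[r["target"]].add(r["chain"])

    def roots(chain, seen=frozenset()):
        if chain in builtins:
            return {chain}
        return set().union(*(roots(c, seen | {chain})
                             for c in callers.get(chain, ()) if c not in seen))
    return {c: roots(c) for c in callers}


def bit_usage(rules):
    """For each connmark bit, the chains that test, set, clear or flip it."""
    use = defaultdict(lambda: {"tested": set(), "set": set(), "cleared": set(), "flipped": set()})
    for r in rules:
        if r["test"]:
            for b in bits(r["test"][1]):
                use[b]["tested"].add(r["chain"])
        if r["op"]:
            kind, val, mask = r["op"]
            if kind == "or":
                sb, cb, fb = val, 0, 0
            elif kind == "and":                    # bits not kept by the AND are cleared
                sb, cb, fb = 0, ~val & MASK32, 0
            elif kind == "set":                    # set-mark: 1s set, 0s under mask cleared
                sb, cb, fb = val & mask, ~val & mask, 0
            else:
                sb, cb, fb = 0, 0, val
            for b in bits(sb): use[b]["set"].add(r["chain"])
            for b in bits(cb): use[b]["cleared"].add(r["chain"])
            for b in bits(fb): use[b]["flipped"].add(r["chain"])
    return dict(use)


def report(text):
    """Human-readable summary; adjacent bits with identical usage are merged."""
    builtins, users, rules = parse(text)
    out = ["user chain <- built-in chains it is reached from:"]
    for c, roots in sorted(entry_points(builtins, users, rules).items()):
        out.append(f"  {c:<16} <- {', '.join(sorted(roots))}")
    out.append("connmark bit usage:")
    use, groups = bit_usage(rules), []
    for b in sorted(use):
        if groups and groups[-1][1] == b - 1 and use[groups[-1][0]] == use[b]:
            groups[-1][1] = b
        else:
            groups.append([b, b])
    for lo, hi in groups:
        mask = sum(1 << b for b in range(lo, hi + 1))
        span = f"bit {lo}" if lo == hi else f"bits {lo}-{hi}"
        what = "; ".join(f"{k} by {', '.join(sorted(v))}" for k, v in use[lo].items() if v)
        out.append(f"  {span:<10} (0x{mask:08x}): {what}")
    return "\n".join(out)


if __name__ == "__main__":
    # Pipe a real dump in ('iptables-save -t mangle | python3 this.py'), else use SAMPLE.
    print(report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE))
```

On the constructed sample the report shows combined_quotas reachable from INPUT, OUTPUT and FORWARD (the last via forward_quotas), bit 15 (0x8000) tested in three places but never set or cleared in this table, and bits 24-27 (0x0f000000) set by the `--or-mark`, tested by the combined_quotas jump and then cleared again by the `--and-mark`, all inside forward_quotas. A bit that is only ever tested in the dump is being written by something the dump does not show (another table, or a tool such as conntrack), which is the first thing to check when reverse-engineering a mark scheme.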
