Join Log in
Score:0
average_coder25 avatar Server

Flushing IP table doesn’t flush NAT

kr flag
average_coder25

When I execute sudo iptables -F,my iptable rules for the nat table are not flushed. Why is this the case? What does the above command do?

I believe there are three tables: filter, nat, and mangle. I don’t think any of these tables are affected by sudo iptables -F. Is this correct?

74
2 + 0
nat
ip
Score:2
avatar Server
ma flag
John

As the manual states, all iptables commands work on a specific table.

When you omit the optional -t TABLE flag the iptables -F command will only work on the default table, the filter table.

Tables

There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and which modules are present).

-t, --table table
This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there.

The tables are as follows:

filter:
This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
nat:
This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).
mangle: This table is used for specialized packet alteration.
Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing).
Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
raw: This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables.
It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets generated by local processes)

0 + 1
average_coder25 avatar
kr flag
average_coder25
Thank you for this explanation!
0
Reply
Score:1
avatar Server
fr flag
Tomek

I believe you need to add -t <table_name> option to flush nat and mangle tables.

0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.