PREROUTING

PREROUTING is a built-in chain in the Netfilter framework that processes incoming packets before a routing decision is made. It exists in multiple tables (raw, nat, and mangle); the standard filter table, with its INPUT and FORWARD chains, has no PREROUTING chain. Packets traverse PREROUTING immediately upon arrival; the kernel then determines whether they are destined for the local host or should be forwarded.

The main purpose of PREROUTING is to inspect or modify packets before routing. In the nat table, PREROUTING is commonly used for destination NAT (DNAT), enabling inbound traffic to be redirected to a different IP address or port. In the mangle table, rules in PREROUTING can alter packet headers for quality of service or other routing decisions. The raw table also provides a PREROUTING chain, which can be used for early processing, such as exempting packets from connection tracking with NOTRACK targets.

Common uses include implementing port forwarding and address translation for inbound traffic, performing early packet marking, and configuring policy routing or other pre-routing decisions. Because PREROUTING runs before the routing decision, its rules must be crafted carefully to avoid unintended redirection or loops. Rules in this chain are evaluated in order and can affect how packets are handled by subsequent chains, such as INPUT, FORWARD, or OUTPUT.

In practice, PREROUTING is a foundational tool for network address translation and early packet processing. While its concrete rules are table-specific (nat, mangle, raw), the overarching concept remains consistent across Linux networking. In nftables, similar functionality is achieved through equivalent pre-routing hooks and expressions with a different syntax.
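
An added example (not from the original page): a Python audit of `iptables-save` output that lists nat-table PREROUTING DNAT/REDIRECT rules with no `-i` or `-d` match, which rewrite matching traffic arriving on any interface, and raw-table rules that exempt packets from connection tracking. The sample ruleset, addresses, interface name and finding labels are constructed for illustration.

```python
import shlex

# Constructed sample in iptables-save format (not taken from a real host).
SAMPLE = """\
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j NOTRACK
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.5:80
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.6:8443
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 2525
COMMIT
"""

def prerouting_rules(dump):
    """Yield (table, tokens) for every rule appended to a PREROUTING chain."""
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # "*nat", "*raw", "*mangle" open a table
            table = line[1:]
        elif line.startswith("-A PREROUTING "):
            yield table, shlex.split(line)

def audit(dump):
    """Return (table, finding, rule) tuples worth a reviewer's attention."""
    findings = []
    for table, tok in prerouting_rules(dump):
        target = tok[tok.index("-j") + 1] if "-j" in tok else None
        rule = " ".join(tok)
        if table == "nat" and target in ("DNAT", "REDIRECT"):
            # No inbound-interface or destination match: the rewrite applies
            # to matching packets from every interface, forwarded ones included.
            if not any(opt in tok for opt in ("-i", "-d")):
                findings.append((table, "unscoped-redirect", rule))
        elif table == "raw" and (target == "NOTRACK" or "--notrack" in tok):
            # These packets bypass connection tracking, so later rules that
            # match on connection state will not see them as tracked.
            findings.append((table, "conntrack-exempt", rule))
    return findings

if __name__ == "__main__":
    for table, finding, rule in audit(SAMPLE):
        print(f"[{table}] {finding}: {rule}")
```

A finding is a prompt for review rather than proof of a misconfiguration; an unscoped rule may be intentional on a single-homed host.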