                                Network
                        -----------+-----------
                                   |
                           +-------+------+
                           |    mangle    |
                           |  PREROUTING  | <- MARK REWRITE
                           +-------+------+
                                   |
                           +-------+------+    Policy rule database
                           |     PRDB     | <- controlled by ip rule
                           +-------+------+
                                   |
                           +-------+------+
                           |     nat      |
                           |  PREROUTING  | <- DEST REWRITE
                           +-------+------+
                                   |
      packet is for        +-------+------+       packet is for
      this address         |    INPUT     |       another address
            +--------------+   ROUTING    +---------------+
            |              +--------------+               |
    +-------+------+                                      |
    |    filter    |                                      |
    |    INPUT     |                                      |
    +-------+------+                                      |
            |                                             |
    +-------+------+                                      |
    |    Local     |                                      |
    |   Process    |                                      |
    +-------+------+                                      |
            |                                             |
    +-------+------+                                      |
    |    OUTPUT    |                              +-------+-------+
    |    ROUTING   |                              |    filter     |
    +-------+------+                              |    FORWARD    |
            |                                     +-------+-------+
    +-------+------+                                      |
    |    mangle    |                                      |
    |    OUTPUT    | MARK REWRITE                         |
    +-------+------+                                      |
            |                                             |
    +-------+------+                                      |
    |     nat      |                                      |
    |    OUTPUT    | DEST REWRITE                         |
    +-------+------+                                      |
            |                                             |
    +-------+------+                                      |
    |    filter    |                                      |
    |    OUTPUT    |                                      |
    +-------+------+                                      |
            |                                             |
            |                                             |
            +----------------+       +--------------------+
                             |       |
                             |       |
                          +--+-------+---+
                          |              |     selection of the output interface,
                          |  FORWARDING  |     selection of the next hop,
                          +-------+------+     encapsulation, etc.
                                  |
                                  |
                          +-------+------+
                          |     nat      |
                          |  POSTROUTING | SOURCE REWRITE
                          +-------+------+
                                  |
                                  |
                          +-------+------+
                          |   TRAFFIC    |
                          |    QUEUE     | <- controlled by tc
                          +-------+------+
                                  |
                                  |
                       -----------+-----------
                               Network