- 05-29-2009 #1 Just Joined!
- Join Date: Jun 2008
- Posts: 7
iptables and OpenVPN's tun interface
I have a basic understanding of the packet flow in iptables with the default chains (PREROUTING -> FORWARD or (INPUT -> OUTPUT) to POSTROUTING). However, I'm involving OpenVPN with its virtual "tun" adapter interface. When a VPN client connects to the server, the packets are decapsulated and run through the tun interface and directed outbound to the physical eth0. I have these set up in the FORWARD chain.
The question I have is: since the OUTPUT and FORWARD tables are essentially "parallel" in the routing path, how do the packets from the tun interface move about? Do they go to eth0 "starting point" again, where, as decapsulated traffic, they pass through PREROUTING all over?
The real reason for all this is to determine how feasible it is for me to perform live-inspection of the traffic with an application on the same box. I'd like to redirect some of the decapsulated traffic to the app's port on the local machine for processing.
Thanks in advance for any help.

