What is the difference between OUTPUT and FORWARD chains in iptables?
OUTPUT is for packets that are emitted by the host. Their destination is usually another host, but can be the same host via the loopback interface, so not all packets that go through OUTPUT are in fact outgoing.
FORWARD is for packets that are neither emitted by the host nor directed to the host. They are the packets that the host is merely routing.
When you start digging into packet mangling and NAT, the full story is rather more complex.
To my understanding:
INPUT: dst IP is on the host, even if it has multiple ports on multiple subnets
OUTPUT: src IP is from the host, on either port
FORWARD: neither dst IP on the host nor src IP from the host
For example, for router A:
INPUT is:
192.168.10.1 -> 192.168.10.199
192.168.10.1 -> 192.168.2.1
OUTPUT is:
192.168.10.199 -> x.x.x.x
192.168.2.1 -> x.x.x.x
FORWARD is:
192.168.10.1 -> 192.168.2.199
192.168.10.1 -> 192.168.8.1
192.168.10.1 -> 192.168.8.199
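The two answers above can be turned into a small model of the filter-table decision. This is an added illustration, not code from either poster: the router's addresses (192.168.10.199 and 192.168.2.1) are taken from the example above, the rest of the addresses are constructed, and `Packet`, `filter_chains` and `router_a_examples` are names chosen here. It also covers the loopback case from the first answer, which the second answer's src/dst rule does not mention: a packet the host sends to its own address goes through OUTPUT and then INPUT, never FORWARD.

```python
"""Model of which iptables filter chains (INPUT, OUTPUT, FORWARD) a packet traverses.

Added example for the thread above; not from any poster. The router addresses
match the "router A" example, everything else is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Set

# Constructed: addresses that router A owns on its interfaces (plus loopback).
ROUTER_A_ADDRESSES = {"192.168.10.199", "192.168.2.1", "127.0.0.1"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    # True when a local process emitted the packet. When None, it is inferred
    # from the source address, which is the heuristic the second answer uses.
    # Netfilter itself decides by origin (local socket vs. ingress interface),
    # not by source address, so the flag is what a faithful model keys on.
    locally_generated: Optional[bool] = None


def filter_chains(pkt: Packet, local_addrs: Set[str] = ROUTER_A_ADDRESSES) -> List[str]:
    """Return, in order, the filter-table chains this packet passes through.

    Rules as stated in the thread:
      * locally generated packets start in OUTPUT;
      * after the routing decision, a packet whose destination is a local
        address goes to INPUT, anything else goes to FORWARD;
      * a locally generated packet addressed to the host itself loops back
        over lo, so it hits OUTPUT and then INPUT and never touches FORWARD.
    """
    ip_address(pkt.src)  # raises ValueError on a malformed address
    ip_address(pkt.dst)

    emitted_here = pkt.locally_generated
    if emitted_here is None:
        emitted_here = pkt.src in local_addrs

    chains: List[str] = []
    if emitted_here:
        chains.append("OUTPUT")
        if pkt.dst in local_addrs:
            chains.append("INPUT")  # delivered back to this host via loopback
        return chains

    # Packet arrived on an interface: after PREROUTING the routing decision
    # sends it either to a local socket (INPUT) or onward (FORWARD).
    chains.append("INPUT" if pkt.dst in local_addrs else "FORWARD")
    return chains


def router_a_examples() -> dict:
    """The packets listed in the answer above, classified by filter_chains()."""
    samples = [
        Packet("192.168.10.1", "192.168.10.199"),   # INPUT
        Packet("192.168.10.1", "192.168.2.1"),      # INPUT
        Packet("192.168.10.199", "203.0.113.5"),    # OUTPUT (x.x.x.x constructed)
        Packet("192.168.2.1", "203.0.113.5"),       # OUTPUT
        Packet("192.168.10.1", "192.168.2.199"),    # FORWARD
        Packet("192.168.10.1", "192.168.8.1"),      # FORWARD
        Packet("192.168.10.1", "192.168.8.199"),    # FORWARD
    ]
    return {f"{p.src} -> {p.dst}": filter_chains(p) for p in samples}


if __name__ == "__main__":
    for flow, chains in router_a_examples().items():
        print(f"{flow:35s} {' -> '.join(chains)}")
    # Loopback case from the first answer: OUTPUT then INPUT.
    print(filter_chains(Packet("192.168.2.1", "192.168.10.199", locally_generated=True)))
```

The practical consequence for a ruleset: a DROP policy on FORWARD alone does nothing for traffic the router itself originates or receives, and a rule placed only in OUTPUT still lets the host reach its own services over loopback, since that traffic is also evaluated by INPUT.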