2025-01-19 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)06/01 Report--
iptables is located at /sbin/iptables
Four tables and five chains
Four tables: filter, nat, mangle, raw
Five chains: INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING
Table processing priority: raw > mangle > nat > filter
filter: performs all filtering actions
nat: port mapping and address translation; all network address translation is performed in the nat table
mangle: used for modifying packets
raw: speeds up packets passing through the firewall, which can improve firewall performance
The role of the five chains
INPUT: processes inbound packets whose destination, after passing through the routing table, is the local machine
OUTPUT: processes packets generated by the local machine and sent outward
FORWARD: processes packets whose destination, after passing through the routing table, is not the local machine
PREROUTING: processes packets before they enter the routing table
POSTROUTING: processes packets before routing, before they enter the routing table
Matching order between rule chains
Inbound data: PREROUTING > INPUT
Outbound data: OUTPUT > POSTROUTING
Forwarded data: PREROUTING > FORWARD > POSTROUTING
1. When the destination address of the packet is the local machine
(1) The packet enters the network interface
(2) It enters the PREROUTING chain of the nat table, where DNAT is done as needed
(3) It enters the PREROUTING chain of the mangle table, where the contents of the packet header (such as the TTL value) are changed as needed
(4) Routing decision (deliver locally or forward)
(5) It enters the INPUT chain of the mangle table, where the packet header can be modified after routing and before the packet reaches the local program
(6) It enters the INPUT chain of the filter table, which all packets whose destination address is the local machine pass through
(7) It reaches the local application for processing
2. When the source address of the packet is the local machine
(1) A local application generates the packet
(2) Routing decision
(3) It enters the OUTPUT chain of the mangle table, where the header contents can be changed as needed
(4) It enters the OUTPUT chain of the nat table, where data generated by the firewall can be DNATed as needed
(5) It enters the OUTPUT chain of the filter table, where the packet filtering conditions can be set
(6) It enters the PREROUTING chain of the mangle table, where mainly the DNAT action is done
(7) It enters the PREROUTING chain of the nat table, where mainly the DNAT action is done
(8) The packet leaves the machine
3. Packets forwarded by the local machine (neither the source nor the destination address is local)
(1) The packet enters the network interface
(2) The PREROUTING chain of the mangle table, where the packet contents (TTL value) can be changed as needed
(3) The FORWARD chain of the nat table, where packets can be DNATed as needed
(4) The FORWARD chain of the mangle table, where the packet header contents are modified
(5) The FORWARD chain of the filter table, which all packets to be forwarded pass through
(6) The PREROUTING chain of the mangle table
(7) The POSTROUTING chain of the nat table, where the packet is SNATed as needed
(8) The packet leaves the network interface
Actions of iptables tables and chains
The filter table is mainly used to filter packets, with the targets ACCEPT, DROP, REJECT, LOG and RETURN.
The filter table contains:
the INPUT chain, which filters all packets whose destination address is the local machine
the FORWARD chain, which filters packets forwarded by the local machine
the OUTPUT chain, which filters packets generated by the local machine
The nat table is mainly used for network address translation.
(1) DNAT, mainly used to change the destination address of a packet so that the packet can be rerouted to another host
(2) SNAT, changes the source address of the packet, converting it to the public network address
The nat table contains three chains:
(1) the PREROUTING chain, which changes the destination address when the packet reaches the firewall
(2) the OUTPUT chain, which can change the destination address of the packet
(3) the POSTROUTING chain, which changes the source address of a packet when it leaves the firewall
The mangle table
The mangle table is mainly used to modify packets, for example by changing the TTL.
The mangle table consists of five chains:
(1) PREROUTING, (2) POSTROUTING, (3) OUTPUT, (4) INPUT, (5) FORWARD
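The following script is an added example and is not part of the original article. It builds a complete ruleset in iptables-restore format that puts each job where the table and chain descriptions above say it belongs: TTL rewriting in the mangle table, DNAT port mapping in the PREROUTING chain of the nat table (before the routing decision, as in step 1(2)), SNAT in the POSTROUTING chain of the nat table (as in step 3(7)), and every ACCEPT/DROP/LOG decision in the filter table. The interface name, the LAN network, the internal web server and the public address are constructed placeholders; the count_rules helper only parses the generated text, so it runs without root or the iptables binary, while check_ruleset needs root because iptables-restore talks to the kernel even with --test.

```sh
#!/bin/sh
# Added example (not from the original article): generates an iptables-restore
# ruleset that places each task in the table and chain the article assigns it.
# All interfaces and addresses below are constructed placeholders.

WAN_IF="eth0"                 # assumed public-facing interface
LAN_NET="192.168.10.0/24"     # assumed internal network (constructed)
WEB_SERVER="192.168.10.20"    # assumed internal host behind the port mapping
PUBLIC_IP="203.0.113.5"       # assumed public address (documentation range)

# Emit the whole ruleset in iptables-restore format (comment lines are allowed).
build_ruleset() {
    cat <<EOF
# mangle table: header modification only (TTL here); no filtering decisions
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Normalise the TTL of packets from the LAN before routing (PREROUTING)
-A PREROUTING ! -i $WAN_IF -s $LAN_NET -j TTL --ttl-set 64
COMMIT
# nat table: DNAT in PREROUTING so the routing decision sees the new
# destination; SNAT in POSTROUTING as the packet leaves the firewall
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port mapping: public TCP/80 -> internal web server
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80
# Source NAT for LAN hosts going out through the WAN interface
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $PUBLIC_IP
COMMIT
# filter table: the only place ACCEPT/DROP/LOG decisions are made
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "
# Forwarded traffic: DNAT already rewrote the destination, so match on it here
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -p tcp -d $WEB_SERVER --dport 80 -j ACCEPT
-A FORWARD -s $LAN_NET -o $WAN_IF -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "IPT-FWD-DROP: "
COMMIT
EOF
}

# Count the rules a given table section appends to a given chain.
# Lets you check the table/chain layout without root or the iptables binary.
count_rules() {  # $1 = table name, $2 = chain name
    build_ruleset | awk -v t="*$1" -v c="-A $2 " '
        $0 == t                         { in_table = 1; next }
        /^\*/ || /^COMMIT/              { in_table = 0 }
        in_table && index($0, c) == 1   { n++ }
        END                             { print n + 0 }'
}

# Syntax-check the ruleset with iptables-restore --test (run as root).
check_ruleset() {
    if command -v iptables-restore >/dev/null 2>&1; then
        build_ruleset | iptables-restore --test
    else
        echo "iptables-restore not found; skipping syntax check" >&2
        return 0
    fi
}
```

To load the ruleset for real, pipe build_ruleset into iptables-restore as root; the LOG rules in the filter table are rate-limited so a flood of dropped packets cannot fill the kernel log.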