Shulou(Shulou.com)06/01 Report--

This article mainly introduces "Linux iptables basic knowledge and rule principle explanation". In daily operation, I believe that many people have doubts about Linux iptables basic knowledge and rule principle explanation. The editor consulted all kinds of materials and sorted out simple and easy-to-use operation methods. I hope it will be helpful to answer the doubts of "Linux iptables basic knowledge and rule principle explanation". Next, please follow the editor to study!

What is iptables?

Iptables is a powerful application layer firewall tool under Linux, but after understanding its rule principle and foundation, it is also very easy to configure.

What is Netfilter?

When it comes to iptables, it must be mentioned that Netfilter,iptables is an application layer, which is essentially a configuration tool that defines rules, and the core packet interception and forwarding is Netfiler.

Netfilter is a packet processing module within the core layer of the Linux operating system.

Iptables and Netfilter diagrams:

As you can see in this figure, Netfilter acts on the network layer, and packets pass through the five mount points (Hook point) of Netfilter: PRE_ROUTING, INPUT, OUTPUT, FORWARD, POST_ROUTING.

Any data packet, as long as it passes through the local machine, will pass through one of these five mount points.

Principle of iptables rule

The rule composition of iptables, also known as four tables and five chains:

Four tables + five mount points + rules

Four tables: filter, nat, mangle, raw

Five mount points: PRE_ROUTING, INPUT, OUTPUT, FORWARD, POST_ROUTING

Specifically, every iptables rule such as allow / deny or forward must select a mount point and associate a table.

The rule represents the specific operation of the packet, the mount point represents the location of the operation, and the table represents the purpose of the function.

Four tables of iptables

The most frequently used watches are the first two:

1. Filter is used for filtering

2. Nat is used for address translation

3. Mangle modifies the packet

4. Raw is generally designed to stop iptables from doing link tracking of data packets, skip other tables and improve performance

Flow chart of packet matching in rule table and mount point

The following figure is a flowchart of packets passing through the mount point, where you can see which tables can be used to define rules:

Generally speaking, filter tables can only be done on three chains: INPUT, FORWARD, and OUTPUT.

Generally speaking, nat tables can only be done on three chains: PREROUTING, OUTPUT, and POSTROUTING.

At this point, the study of "explaining the basic knowledge and principles of iptables of Linux" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.