
Four tables and five chains of iptables

2025-03-15 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

The netfilter/iptables IP packet filtering system is a powerful tool for adding, editing, and removing the rules that the firewall applies when making packet-filtering decisions. These rules are stored in dedicated packet filtering tables that are built into the Linux kernel. Within a packet filtering table, rules are grouped into what is called a chain.

Although netfilter/iptables is usually referred to as a single entity, it actually consists of two components: netfilter and iptables.

The netfilter component, also known as kernel space, is part of the kernel and consists of the packet filtering tables that hold the rule sets the kernel uses to control packet filtering.

The iptables component is a user-space tool that makes it easy to insert, modify, and remove rules in those packet filtering tables.

iptables has 4 tables and 5 chains. Tables are distinguished by the kind of operation performed on the packet, chains by the netfilter hook point at which they run; tables and chains are the two dimensions of netfilter.

4 tables: filter, nat, mangle, raw. The default table is filter (used when no table is specified with -t). At a given hook the tables are processed in the priority order raw > mangle > nat > filter.

filter: general packet filtering (accept/drop decisions)

nat: network address translation (port mapping, address mapping, etc.)

mangle: modifying specific packet fields

raw: has the highest priority. It is generally used to exempt selected packets from connection tracking (conntrack) in order to improve performance.

5 chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING.

PREROUTING: before the packet enters the routing decision

INPUT: after the routing decision, when the destination is the local machine

FORWARD: after the routing decision, when the destination is not the local machine

OUTPUT: for packets generated by the local machine and sent outward

POSTROUTING: just before the packet is handed to the NIC interface.
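As an added example (not from the original article) that ties the table list and the chain list above together, the following POSIX shell script models which tables are consulted at each hook, in the priority order given above, and the chains a packet crosses depending on whether it is inbound, forwarded, or outbound. The table/chain membership encoded here (raw: PREROUTING, OUTPUT; mangle: all five; nat: PREROUTING, INPUT, OUTPUT, POSTROUTING; filter: INPUT, FORWARD, OUTPUT) is the standard iptables layout and is assumed rather than stated on the page; the raw-table rule is only printed, never executed.

```shell
#!/bin/sh
# Added example: model the netfilter hooks and table priority described above.
# Membership of tables in chains follows the standard iptables layout (assumed).

# Print the tables hooked at a chain, highest priority first (raw > mangle > nat > filter).
tables_at_hook() {
    case "$1" in
        PREROUTING)  echo "raw mangle nat" ;;
        INPUT)       echo "mangle nat filter" ;;
        FORWARD)     echo "mangle filter" ;;
        OUTPUT)      echo "raw mangle nat filter" ;;
        POSTROUTING) echo "mangle nat" ;;
        *) echo "unknown chain: $1" >&2; return 1 ;;
    esac
}

# Chains a packet crosses, by its relationship to this host.
packet_path() {
    case "$1" in
        inbound)  echo "PREROUTING INPUT" ;;                 # destined for local machine
        forward)  echo "PREROUTING FORWARD POSTROUTING" ;;   # routed through this host
        outbound) echo "OUTPUT POSTROUTING" ;;               # generated locally
        *) echo "unknown path: $1" >&2; return 1 ;;
    esac
}

# One line per hook on the path: "CHAIN: table table ...", i.e. the order in
# which the packet meets each table's rules.
traversal() {
    for chain in $(packet_path "$1"); do
        echo "$chain: $(tables_at_hook "$chain")"
    done
}

# Build (but do not run) the raw-table rule that exempts a flow from connection
# tracking, the typical use of the raw table. $1 = protocol, $2 = destination port.
notrack_rule() {
    echo "iptables -t raw -A PREROUTING -p $1 --dport $2 -j NOTRACK"
}

# Constructed sample run: a forwarded packet, then a conntrack exemption for port 80.
traversal forward
notrack_rule tcp 80
```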
