How the Iptables firewall works
Introduction: iptables filters and restricts TCP/IP packets at the network layer (with matches on transport-layer ports as well). The filtering itself is done by the netfilter framework inside the Linux kernel, which is why it is stable and efficient; iptables is the user-space tool that manages those kernel rules, so it is usually described as a "user-space" firewall management system.
Rules table
filter table: used to filter packets, deciding according to its rules how each packet is handled (accept, drop, reject). Corresponding kernel module: iptable_filter. It contains three chains: INPUT, FORWARD and OUTPUT.
nat table: NAT (network address translation) rewrites packet information such as IP addresses and port numbers. Corresponding kernel module: iptable_nat. It contains three chains: PREROUTING, POSTROUTING and OUTPUT (kernels from 2.6.34 onward add a fourth, INPUT, for locally delivered packets).
mangle table: used to modify a packet's TOS (Type of Service) and TTL (Time To Live) values, or to set a mark on the packet for advanced uses such as traffic shaping and policy routing. Corresponding kernel module: iptable_mangle. It contains five chains: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.
raw table: added in iptables 1.2.9; it is consulted before connection tracking and is mainly used to decide whether a packet should be tracked at all (the NOTRACK target). Corresponding kernel module: iptable_raw. It contains two chains: PREROUTING and OUTPUT.
Rule chain
INPUT chain: applied to packets whose destination is the firewall host itself (inbound).
OUTPUT chain: applied to packets generated by the firewall host itself and sent out (outbound).
FORWARD chain: applied to packets that pass through the firewall on their way to another address (forwarded).
PREROUTING chain: applied to packets before the routing decision is made.
POSTROUTING chain: applied to packets after the routing decision is made.
Brief description: the INPUT and OUTPUT chains are mainly used in a "host firewall", i.e. to protect the server itself; the FORWARD, PREROUTING and POSTROUTING chains are mainly used in a "network firewall", for example a Linux firewall acting as the gateway that controls traffic between a company network and the Internet.
Packet filtering workflow
Order in which the tables are consulted: raw → mangle → nat → filter.
Order in which rules are applied: within a chain, rules are checked from top to bottom and the first rule that matches and has a terminating target (ACCEPT, DROP, REJECT, ...) decides the packet's fate ("match and stop"); non-terminating targets such as LOG or MARK let matching continue with the next rule. If no rule in the chain matches, the packet is handled according to the chain's default policy.
Inbound data flow: a packet arriving at the firewall is first processed by the PREROUTING chain (e.g. whether to rewrite its address), then the routing decision determines where it goes. If the destination address is the firewall host itself (for example an Internet user accessing the web service port of the gateway), the kernel hands it to the INPUT chain, which decides whether it is allowed through.
Forwarding data flow: a packet arriving from outside is first processed by the PREROUTING chain, then routed. If its destination is some other address (for example a LAN user reaching a remote server through the gateway), the kernel hands it to the FORWARD chain (allow, block or discard the forwarding) and finally to the POSTROUTING chain (e.g. whether to rewrite its source address).
Outbound data flow: a packet sent by the firewall host itself to an external address (for example testing a public DNS service from the firewall host) is first processed by the OUTPUT chain, then routed, and then handed to the POSTROUTING chain (e.g. whether to rewrite its address).
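The three flows above, written out as one complete ruleset in iptables-save/iptables-restore format. This is an added example, not code from the original article; the interface names (eth0/eth1), the LAN prefix 192.168.1.0/24 and the SSH port are assumptions for illustration. The tables are listed in the order the kernel consults them, and the comments say which flow each rule belongs to.

```shell
#!/bin/sh
# Added example, not part of the original article: a complete ruleset in
# iptables-save/iptables-restore format covering the inbound (INPUT),
# forwarded (FORWARD + nat POSTROUTING) and outbound (OUTPUT) flows.
# Interface names, the LAN prefix and the SSH port are assumptions.
# Usage (applied atomically; merely printing the ruleset changes nothing):
#   sh ruleset.sh | sudo iptables-restore

FW_WAN_IF="${FW_WAN_IF:-eth0}"                 # assumed: interface towards the Internet
FW_LAN_IF="${FW_LAN_IF:-eth1}"                 # assumed: interface towards the LAN
FW_LAN_NET="${FW_LAN_NET:-192.168.1.0/24}"     # assumed: LAN prefix behind the gateway

# gen_ruleset prints the ruleset; tables appear in the order raw -> mangle -> nat -> filter.
gen_ruleset() {
cat <<EOF
# raw: consulted first; decides whether conntrack sees the packet at all.
# Nothing is exempted here, so every rule below may match on conntrack state.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

# mangle: alter TOS/TTL or set marks before routing. Mark LAN SSH traffic so a
# policy-routing rule (ip rule ... fwmark 1) could steer it; assumed use case.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $FW_LAN_IF -p tcp --dport 22 -j MARK --set-mark 1
COMMIT

# nat: rewrite addresses. Forwarded LAN packets get the WAN address as source
# after routing (POSTROUTING); conntrack reverses the translation on replies.
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $FW_LAN_NET -o $FW_WAN_IF -j MASQUERADE
COMMIT

# filter: decide each packet's fate. Default policies: DROP for INPUT and
# FORWARD (silent towards the Internet), ACCEPT for the host's own outbound traffic.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Inbound flow: packets addressed to the gateway host itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $FW_LAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# LAN hosts get an explicit refusal (REJECT); WAN traffic falls through to the DROP policy.
-A INPUT -i $FW_LAN_IF -j REJECT --reject-with icmp-port-unreachable
# Forwarding flow: the LAN may open connections to the Internet; only replies come back.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $FW_LAN_IF -o $FW_WAN_IF -s $FW_LAN_NET -j ACCEPT
COMMIT
EOF
}

gen_ruleset
```

Two things the ruleset cannot do by itself: the FORWARD chain only sees packets if IP forwarding is enabled (`sysctl -w net.ipv4.ip_forward=1`), and iptables-restore replaces the listed tables in one atomic step, which is the safe way to reload a gateway remotely compared with issuing rules one by one.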
Commands in practice
Syntax:
iptables [-t table] management-option [chain] [match conditions] [-j target]
If no table is specified, the filter table is used.
Target (control type):
ACCEPT: allow the packet through.
DROP: discard the packet silently, without any response to the sender.
REJECT: refuse the packet and send the sender an error response (by default an ICMP port-unreachable; --reject-with tcp-reset sends a TCP RST instead).
Example, refuse ICMP packets sent to the firewall host itself: iptables -t filter -I INPUT -p icmp -j REJECT
- -A appends (--append) a new rule at the end of the specified chain.
- -D deletes (--delete) a rule from the specified chain, identified either by its number or by its full specification.
- -I inserts (--insert) a new rule into the specified chain; when no position number is given it becomes the first rule.
- -R replaces (--replace) a rule in the specified chain, identified by its number.
- -L lists (--list) the rules in the specified chain, or in all chains of the table if no chain is given.
- -F flushes (--flush) all rules from the specified chain, or from all chains of the table if no chain is given.
- -P sets the default policy (--policy) of the specified chain.
- -n shows output in numeric form (--numeric), e.g. IP addresses instead of host names.
- -v shows detailed (--verbose) information when listing rules.
- --line-numbers also shows each rule's position number within the chain when listing.
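The management options above applied in sequence to the INPUT chain of a host firewall, with comments tracking how each rule's position number changes. This is an added example, not code from the original article; the trusted administrator prefix 10.0.0.0/8 and the SSH port are assumptions. By default it is a dry run that only echoes the commands, so it can be read and tested without root.

```shell
#!/bin/sh
# Added example, not part of the original article: the management options
# applied step by step to the INPUT chain of a host firewall.
# IPT defaults to a dry run that only echoes each command; to apply for real run
#   IPT=iptables sh manage.sh
# as root. The SSH port and the trusted prefix are assumptions.
IPT="${IPT:-echo iptables}"
ADMIN_NET="${FW_ADMIN_NET:-10.0.0.0/8}"   # assumed: where administrators connect from

manage_input_chain() {
    # The filter table is implied. -F empties the chain so positions below are predictable.
    $IPT -F INPUT
    # -A appends, so these become rules 1..4 in this order.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -p icmp -j REJECT      # the article's example: refuse ICMP with a reply
    # -I without a position inserts at 1; everything above shifts down (ICMP REJECT is now rule 5).
    $IPT -I INPUT -m conntrack --ctstate INVALID -j DROP
    # -I with a position: rule 5 now sits before the REJECT, so pings from ADMIN_NET
    # match first and stop ("match and stop"); the REJECT becomes rule 6.
    $IPT -I INPUT 5 -s "$ADMIN_NET" -p icmp -j ACCEPT
    # -R replaces rule 6 in place: untrusted pings are now dropped silently instead of rejected.
    $IPT -R INPUT 6 -p icmp -j DROP
    # -D by rule specification removes the open SSH rule (currently rule 4) ...
    $IPT -D INPUT -p tcp --dport 22 -j ACCEPT
    # ... and a restricted one takes its place at position 4.
    $IPT -I INPUT 4 -s "$ADMIN_NET" -p tcp --dport 22 -j ACCEPT
    # -P sets the default policy last, after the allow rules exist, so a remote
    # session is not locked out; the ESTABLISHED rule keeps the current SSH session alive.
    $IPT -P INPUT DROP
    # -n skips reverse DNS lookups (which can stall listing), -v shows counters and
    # interfaces, --line-numbers shows the positions that -I/-R/-D by number refer to.
    $IPT -L INPUT -n -v --line-numbers
}

# Number of iptables invocations the function performs, counted from a dry run (12).
count_commands() {
    ( IPT="echo iptables"; manage_input_chain ) | grep -c '^iptables '
}

manage_input_chain
```

Rules added this way live only in the running kernel; `iptables-save > /etc/iptables.rules` captures them, and `iptables-restore` reloads them at boot. After the sequence above the chain reads, in order: INVALID drop, loopback accept, ESTABLISHED/RELATED accept, SSH from ADMIN_NET, ICMP from ADMIN_NET, ICMP drop, then the DROP policy for everything else.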