Iptables Introduction
Netfilter/iptables (iptables for short) is the packet filtering firewall of the Linux platform. Like most Linux software it is free of charge, and it can replace expensive commercial firewall products to implement packet filtering, packet redirection and network address translation (NAT).
Iptables Basics
A rule is a condition predefined by the network administrator, generally of the form "if the packet header meets this condition, handle the packet this way". Rules are stored in the packet filtering tables in kernel space. They specify the source address, destination address, transport protocol (such as TCP, UDP or ICMP) and service type (such as HTTP, FTP or SMTP). When a packet matches a rule, iptables handles it in the way the rule defines, for example accept, reject or drop. The main task of configuring the firewall is adding, modifying and deleting these rules.
Relationship between iptables and netfilter:
This is the first thing to clear up, because the relationship between iptables and netfilter confuses many people: most users know iptables but have never heard of netfilter. In fact iptables is only the management tool for the Linux firewall, located at /sbin/iptables. Netfilter is the framework inside the Linux kernel that actually implements packet filtering.
Iptables packet transmission process
① When a packet enters the NIC it first enters the prerouting chain, and the kernel then decides from the destination IP address whether the packet is for this host or must be forwarded.
② If the packet is destined for the local machine it moves down the diagram to the input chain; once it has passed the input chain, the receiving process gets it. Programs running on the local machine can also send packets; those pass through the output chain and then the postrouting chain before leaving.
③ If the packet is to be forwarded and the kernel allows forwarding, the packet moves to the right through the forward chain and then reaches the postrouting chain before leaving.
Rules table and chain of iptables:
Tables provide specific functions. iptables has four built-in tables: the filter, nat, mangle and raw tables, used respectively for packet filtering, network address translation, packet modification (mangling) and control over connection (state) tracking.
A chain is the path a packet travels along. Each chain is really a checklist made up of rules; a chain can hold one or several rules. When a packet arrives at a chain, iptables checks the first rule of the chain to see whether the packet meets the rule's conditions. If it does, the packet is handled in the way that rule defines; otherwise iptables goes on to check the next rule. If the packet matches none of the rules in the chain, iptables handles it according to the chain's predefined default policy.
iptables uses a hierarchy of "tables" and "chains". In RHEL 4 there were three tables and five chains; RHEL 5 has four tables and five chains, but the extra table is rarely used, so in practice little has changed. The four tables and five chains are listed below. Be sure to understand how these tables and chains relate to each other and what each does.
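As an added example (not code from the original article), the following POSIX shell script simulates the first-match evaluation of one chain described above: rules are walked top to bottom, the first matching rule decides the verdict, and the chain's default policy applies only when nothing matches. The rule lists and packets are constructed for illustration.

```shell
#!/bin/sh
# Constructed rule list for one chain, one rule per line: "<proto> <dport> <target>".
# "any" is a wildcard. Illustrative only, not a ruleset taken from the article.
INPUT_RULES='tcp 22 ACCEPT
tcp 80 ACCEPT
udp 53 ACCEPT
icmp any ACCEPT
tcp 23 REJECT'
INPUT_POLICY=DROP    # default policy applied when no rule in the chain matches

# Order matters: a broad rule placed first shadows the more specific rule below it.
SHADOWED_RULES='tcp any REJECT
tcp 80 ACCEPT'

# evaluate_chain RULES POLICY PROTO DPORT
# Walk the rules top to bottom as iptables does: the first matching rule decides the
# verdict; if none matches, the chain's default policy is the verdict.
evaluate_chain() {
    rules=$1; policy=$2; proto=$3; dport=$4
    verdict=$(printf '%s\n' "$rules" | while read -r r_proto r_dport r_target; do
        if [ -z "$r_target" ]; then continue; fi        # skip blank lines
        if [ "$r_proto" = any ] || [ "$r_proto" = "$proto" ]; then
            if [ "$r_dport" = any ] || [ "$r_dport" = "$dport" ]; then
                printf '%s\n' "$r_target"               # first match wins ...
                exit 0                                  # ... so stop scanning the chain
            fi
        fi
    done)
    printf '%s\n' "${verdict:-$policy}"
}

# Stand-alone usage: verdicts for a few constructed packets against the INPUT chain.
for pkt in "tcp 22" "tcp 23" "tcp 443" "icmp 0"; do
    set -- $pkt
    echo "INPUT $1/$2 -> $(evaluate_chain "$INPUT_RULES" "$INPUT_POLICY" "$1" "$2")"
done
echo "shadowed tcp/80 -> $(evaluate_chain "$SHADOWED_RULES" ACCEPT tcp 80)"
```

tcp/443 matches no rule and therefore falls through to the default policy DROP, while tcp/80 in the shadowed list is rejected although an ACCEPT rule for it exists further down.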
Rule table:
1. filter table -- three chains: input, forward and output
Purpose: filter packets. Kernel module: iptable_filter.
2. nat table -- three chains: prerouting, postrouting and output
Purpose: network address translation (of IP addresses and ports). Kernel module: iptable_nat.
3. mangle table -- five chains: prerouting, postrouting, input, output and forward
Purpose: modify the type of service and TTL of packets and set marks used for routing and QoS. Kernel module: iptable_mangle. (Although this table looks involved, it is hardly ever used when setting policies.)
4. raw table -- two chains: output and prerouting
Purpose: decide whether a packet is handled by the connection (state) tracking mechanism. Kernel module: iptable_raw.
(This table does not exist in RHEL 4, but that is no loss; it is rarely used.)
Rule chain:
1. input -- the rules in this chain are applied to packets coming into the host
2. output -- the rules in this chain are applied to packets sent out by the host
3. forward -- the rules in this chain are applied to packets being forwarded
4. prerouting -- the rules in this chain are applied before the packet is routed
(Remember: every incoming packet is processed by this chain first)
5. postrouting -- the rules in this chain are applied after the route for the packet has been chosen
(Every packet is processed by this chain on its way out)
Priority between Rule tables:
raw -- mangle -- nat -- filter
Priority between rule chains (three cases):
First case: inbound data flow
A packet arriving at the firewall from the outside is first processed by the prerouting chain (which may or may not modify the packet address), then the routing decision is made (determining where the packet should go). If the packet's destination host is the firewall host itself (for example, an Internet user accessing the web server running on the firewall host), the kernel passes the packet to the input chain (which decides whether the packet is allowed through), and afterwards hands it to the application above (such as the Apache server) for a response.
Second case: forwarded data flow
A packet arriving from outside the firewall is first processed by the prerouting chain, then the routing decision is made. If the packet's destination is another external address (for example, a LAN user accessing the QQ site through the gateway), the kernel passes it to the forward chain (which decides whether to forward or intercept it), and then to the postrouting chain (which may modify the packet address, etc.).
Third case: outbound data flow
A packet sent by the firewall host itself to an external address (for example, when the firewall host tests a public DNS server) is first processed by the output chain, then the routing decision is made, and then it is passed to the postrouting chain (which may modify the packet address, etc.).
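As an added example (not code from the original article), the following POSIX shell script combines the table-to-chain membership and the raw/mangle/nat/filter table priority listed above to print every table:chain checkpoint a packet passes in each of the three cases, in the order the article describes. Chain names are in upper case as iptables prints them; the hook sequences follow the article's description of the three flows.

```shell
#!/bin/sh
# Chains each table hooks into, as listed in the "Rule table" section of the article.
chains_of() {
    case "$1" in
        raw)    echo "PREROUTING OUTPUT" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        nat)    echo "PREROUTING OUTPUT POSTROUTING" ;;
        filter) echo "INPUT FORWARD OUTPUT" ;;
        *)      return 1 ;;
    esac
}
# Table priority from the article: raw before mangle before nat before filter.
TABLE_PRIORITY="raw mangle nat filter"

# Hook sequence of the three flows; ROUTE marks the routing decision between hooks.
hooks_for_flow() {
    case "$1" in
        inbound)  echo "PREROUTING ROUTE INPUT" ;;
        forward)  echo "PREROUTING ROUTE FORWARD POSTROUTING" ;;
        outbound) echo "OUTPUT ROUTE POSTROUTING" ;;
        *)        return 1 ;;
    esac
}

# traversal FLOW: print, in order, every table:chain checkpoint a packet of that flow
# passes, expanding each hook into the tables registered on it by table priority.
traversal() {
    hooks=$(hooks_for_flow "$1") || return 1
    out=""
    for hook in $hooks; do
        if [ "$hook" = ROUTE ]; then
            out="$out [routing-decision]"
            continue
        fi
        for t in $TABLE_PRIORITY; do
            for c in $(chains_of "$t"); do
                if [ "$c" = "$hook" ]; then out="$out $t:$hook"; fi
            done
        done
    done
    printf '%s\n' "${out# }"
}

# Stand-alone usage: show the checkpoint sequence for each of the three cases.
for flow in inbound forward outbound; do
    echo "$flow: $(traversal "$flow")"
done
```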
Manage and set iptables rules