Detailed explanation of the execution sequence of Iptables rules in Linux

Source: Internet
Author: User

Prerequisites: iptables has three queues (tables) of rules: the mangle queue, the filter queue, and the nat queue.

1. The first is the mangle table, which is responsible for altering the quality-of-service bits in the TCP header.

2. The second table is the filter queue, which is responsible for packet filtering. It has three built-in chains:

* Forward chain: Filters packets to servers protected by the firewall.

* Input chain: Filters packets destined for the firewall.

* Output chain: Filters packets originating from the firewall.

3. The third table is the nat queue, which is responsible for network address translation. It has two built-in chains:

* Pre-routing chain: NATs packets when the destination address of the packet needs to be changed.

* Post-routing chain: NATs packets when the source address of the packet needs to be changed.

Personal summary:

iptables evaluates rules from the top of a rule table to the bottom. As long as no rule matches, it moves on to the next rule one by one; when a rule matches, that rule's action is executed. What happens after that depends on the action (accept, reject, log, etc.) of the matched rule. There are generally three cases for the subsequent execution.

1. Continue with the next rule in the current rule queue. For example, after a LOG in the filter queue is executed, the next rule in the filter queue is still evaluated.

2. Stop evaluating the current rule queue and move on to the next rule queue. For example, after an ACCEPT is executed, the remaining rules in the filter queue are skipped and execution jumps to the nat queue.

3. Abort the evaluation of all rule queues.

iptables filters with a stack of rule chains. When a packet enters the NIC, PREROUTING is checked first; the destination IP is then inspected to decide whether the packet has to be forwarded out, and the packet moves on to INPUT or FORWARD for filtering. A packet that is being forwarded is then checked against POSTROUTING. A packet generated locally is checked against OUTPUT and then POSTROUTING. When a rule matches along the way, its action is carried out. Besides ACCEPT, REJECT, DROP, REDIRECT, and MASQUERADE, the available actions include LOG, ULOG, DNAT, SNAT, MIRROR, QUEUE, RETURN, TOS, TTL, MARK, and others. Some of these actions do not interrupt the filter program at all; others end the comparison within the current chain and continue with the next chain according to the flow above (note: this differs from ipchains), until the rule check through the whole stack is complete. The advantage of this mechanism is that complex, multi-stage packet filtering becomes possible. In short, iptables filters packets by tables rather than by chains.

After ACCEPT completes, no other rules in the current chain are compared; processing jumps directly to the next chain (nat: POSTROUTING).

REJECT blocks the packet and sends a packet back to notify the other party. The reply packet can be chosen: ICMP port-unreachable, ICMP echo-reply, or tcp-reset (which asks the other end to close the connection). After this action completes, no other rules are compared; the filter program is interrupted directly. Example:

iptables -A FORWARD -p tcp --dport 22 -j REJECT --reject-with tcp-reset

DROP discards the packet without further processing. After this action, the filter program is interrupted directly rather than comparing other rules.

REDIRECT redirects the packet to another port (PNAT). After this action completes, the packet continues to be compared against other rules. This can be used to implement a transparent proxy or to protect web servers. Example:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

MASQUERADE rewrites the source IP address of the packet to the IP address of the firewall's NIC. A port range can be specified. After this action completes, processing jumps directly to the next chain (mangle: POSTROUTING). This differs slightly from SNAT: when masquerading, you do not need to specify which IP address to masquerade as, because the address is read directly from the NIC. With a dial-up connection, the IP address is usually assigned by the ISP's DHCP server, and MASQUERADE is particularly useful in that case. Example:

iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 1024-31000

LOG records information about the packet under /var/log; see the /etc/syslog.conf configuration file for the exact location. After this action completes, comparison continues with other rules. Example:

iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets"

SNAT rewrites the source IP address of the packet to a specific IP address or IP address range. A port range can be specified. After this action completes, processing jumps directly to the next chain (mangle: POSTROUTING). Example:

iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000

DNAT rewrites the destination IP address of the packet to a specific IP address or IP address range. A port range can be specified. After this action completes, processing jumps directly to the next chain (filter: INPUT or filter: FORWARD). Example:

iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10:80-100

MIRROR reflects the packet: the source and destination IP addresses are swapped and the packet is sent back. After this action, the filter program is interrupted.

QUEUE interrupts the filter program and places the packet in a queue that is handed to another program for processing. Other applications, such as calculating online charges, can be implemented through self-developed handler programs.

RETURN ends the filter program in the current chain and returns to the calling chain to continue filtering. If you think of a user-defined chain as a subroutine, this action is equivalent to finishing the subroutine early and returning to the main program.
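To make the three cases of the personal summary and the RETURN behaviour concrete, here is an added model in Python (not code from the article) of how one table's chains are walked: rules are compared top to bottom, LOG and MARK fall through to the next rule, ACCEPT/DROP/REJECT end the traversal, and RETURN leaves a user-defined chain and resumes in the caller. The chain name ssh_check, the match fields and the addresses are constructed for the example.

```python
# Added example: a minimal model of iptables first-match traversal as the
# article describes it. Not the kernel's code; chain "ssh_check", match
# fields and addresses are constructed for illustration.
from dataclasses import dataclass, field

NON_TERMINATING = {"LOG", "MARK"}           # keep comparing following rules
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # stop comparing in this table


@dataclass
class Rule:
    match: dict   # e.g. {"proto": "tcp", "dport": 22}; {} matches everything
    target: str   # built-in target, RETURN, or name of a user-defined chain


@dataclass
class Chain:
    rules: list = field(default_factory=list)
    policy: str = None  # built-in chains have a policy; user chains have None


def matches(rule, pkt):
    return all(pkt.get(k) == v for k, v in rule.match.items())


def walk(chains, name, pkt, log):
    """Walk chain `name`; return a verdict, or None if a user chain fell through."""
    chain = chains[name]
    for rule in chain.rules:
        if not matches(rule, pkt):
            continue                       # no match: try the next rule
        if rule.target in NON_TERMINATING:
            log.append(f"{rule.target} in {name}")
            continue                       # LOG/MARK: keep going (case 1)
        if rule.target in TERMINATING:
            return rule.target             # ACCEPT/DROP/REJECT: stop (case 2/3)
        if rule.target == "RETURN":
            return chain.policy            # user chain -> None, caller continues
        verdict = walk(chains, rule.target, pkt, log)   # jump to user chain
        if verdict is not None:
            return verdict
    return chain.policy                    # end of chain: policy (or fall through)


def filter_input(chains, pkt):
    log = []
    return walk(chains, "INPUT", pkt, log), log


def demo_chains():
    ssh = Chain([Rule({"src": "10.0.0.5"}, "RETURN"), Rule({}, "DROP")])
    inp = Chain([Rule({"proto": "tcp"}, "LOG"),
                 Rule({"proto": "tcp", "dport": 22}, "ssh_check"),
                 Rule({}, "ACCEPT")], policy="DROP")
    return {"INPUT": inp, "ssh_check": ssh}
```

Note how the LOG rule leaves a trace for every TCP packet whether it is later accepted or dropped, while the RETURN in ssh_check hands control back to INPUT so the trusted host reaches the final ACCEPT.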

MARK sets a mark value on the packet to serve as a basis for later filter conditions. After this action, comparison continues with other rules. Example:

iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
