Iptables practical tutorial (1): Basic Concepts and Principles
Overview
Iptables is the firewall software built into Linux. It is used to configure IPv4 packet filtering and NAT (ip6tables is the equivalent for IPv6).
In Linux, the firewall is actually part of the kernel. It is based on the Netfilter architecture: hooks are placed at several points along the path a packet takes through the kernel network layer, and these hooks are used to capture, control, or modify the packet. iptables is only the default tool for controlling and managing netfilter. Therefore, you cannot see a firewall process with ps or top, and the firewall cannot be uninstalled or shut down. The familiar "service iptables stop" or "/etc/init.d/iptables stop" command only clears all policies in all tables and changes the default policy to ACCEPT (allow).
Iptables has the following key concepts:
Table: iptables has four built-in tables, and each table represents a different function. Each table can contain many chains. The type of a table limits which chains and targets can be used in a policy; some targets cannot be used in some tables. Users cannot define their own tables.
Chain: a chain contains a series of policies, and different chains can be used to classify different policies. iptables has five built-in chains, corresponding to the five hooks of netfilter; you can also define custom chains.
Command: a command is an operation performed on a table or chain, such as adding, deleting, or modifying.
Policy: a policy consists of a matching rule and a target. iptables itself does not have this concept; I added it for convenience.
Rule-specification (matching rule): defines which data packets a policy applies to. A matching rule can include the protocol, source/destination address, port, and so on.
Target: the action applied to packets that match the rule, or a custom chain. Common actions include DROP, ACCEPT, and the NAT targets; when the target is a custom chain, the packet enters that chain and continues matching there.
Policy (default policy): the default action of a built-in chain. Each chain has exactly one default policy. If a packet traverses a chain and has matched none of its policies after the last one, the default policy's action is used. The default policy has no matching rule, and its target can only be DROP or ACCEPT. Custom chains cannot have a default policy.
Table
The four iptables tables are:
Filter (packet filtering): filters or intercepts data packets. It can contain three built-in chains: INPUT, FORWARD, and OUTPUT.
Nat (address translation): translates IP addresses or port numbers. It can contain three built-in chains: PREROUTING, OUTPUT, and POSTROUTING. The nat table records the translation when a session is established, and subsequent packets of the same session are translated automatically, because nat relies on the ip_conntrack module.
Mangle (packet modification): used to modify IP packets. It can contain all five built-in chains: PREROUTING, OUTPUT, INPUT, FORWARD, and POSTROUTING.
Raw: this table has a higher priority than the ip_conntrack module and the other tables. It is mainly used to exempt packets of stateful connections (such as TCP) from connection tracking. It can contain two built-in chains: POSTROUTING and OUTPUT.
The question is, why does each table contain only some of the chains instead of all of them? I think this architecture is designed by need rather than by function: although a table does not contain all chains, each table contains the chains needed to implement its own function. Even if it contained more chains, they would be cumbersome or useless, and what it has is actually enough.
In addition, the priority of different tables is as follows:
raw > mangle > nat > filter
Therefore, if filter blocks ping to the destination address 2.2.2.2 and nat has a policy that translates the destination address 1.1.1.1 to 2.2.2.2, then ping 1.1.1.1 fails.
However, in general, filter and nat policies do not conflict. For example, the INPUT chain can be used by filter but not by nat, and PREROUTING can be used by nat but not by filter; in addition, PREROUTING only performs destination address translation, which causes no trouble for source address filtering. Therefore, the two usually do not interfere with each other.
Chain
Iptables has five built-in chains: PREROUTING, INPUT, OUTPUT, FORWARD, and POSTROUTING. These five chains are attached to five different locations on netfilter's packet forwarding path, and each one filters a different data stream by matching, as shown in the figure:
Where:
PREROUTING chain: applies to all IP packets entering the machine, both those whose destination address is a local address and those whose destination is not.
INPUT chain: applies to all packets destined for the local machine, that is, packets whose destination IP address is a local interface address; all data delivered to local sockets passes through it.
OUTPUT chain: applies to all packets generated by the local machine; all data sent by local applications passes through it.
FORWARD chain: applies to all packets forwarded after the routing decision, that is, packets whose destination address is not the local machine.
POSTROUTING chain: applies to all IP packets leaving the machine, including both locally generated and forwarded packets.
Policies are matched in order from top to bottom. When a policy matches, its target is executed and matching stops; the policies below it are not tested. If no policy has matched after the last one, the action specified by the default policy is used, for example:
In addition to the built-in chains, you can also define custom chains. A custom chain does not use a netfilter hook to capture packets, but it can be used to classify policies. For example, if three different types of users access different services on a host and all the policies are put in the INPUT chain, there will be many policies and they will be hard to maintain. Instead, three custom chains can be defined, each configured with its own policies, and a few policies added to the INPUT chain to classify visitors and point the target at the three custom chains.
Custom chains are also suited to dynamically generated policies. For example, on a VPN server, different groups of users need to be managed differently, but user IP addresses are assigned randomly, so user groups cannot be distinguished by IP address. In this case the group chains can be defined in advance, and the VPN server software's hooks can be used to automatically add a policy that directs the user to the proper custom chain when the user logs on. Without custom chains, the number of policies would be (number of users × number of group policies): every additional user would require adding all of the group's policies, a large amount of time would be spent on policy matching, and performance would drop rapidly.
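As an added illustration (not code from the original article), the following Python model walks a packet through the order described above: nat PREROUTING is evaluated before filter FORWARD, each chain is matched top to bottom with the first match deciding, a custom chain is entered and returns to the caller when it does not decide, and the default policy applies only when nothing matched. The chain names, addresses and rules below are constructed, and a DNAT target is modelled as the string "DNAT:<ip>".

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    proto: str

@dataclass
class Rule:
    match: dict   # matching rule, e.g. {"proto": "icmp", "dst": "2.2.2.2"}
    target: str   # ACCEPT, DROP, RETURN, "DNAT:<ip>", or the name of a custom chain

@dataclass
class Chain:
    rules: list
    policy: str = ""   # built-in chains carry a default policy; custom chains leave it empty

def walk(table, name, pkt):
    """Top to bottom, first match wins; a custom-chain target is entered, and control
    comes back here on RETURN or when the custom chain runs out of rules."""
    chain = table[name]
    for rule in chain.rules:
        if not all(getattr(pkt, k) == v for k, v in rule.match.items()):
            continue
        if rule.target in table:                 # jump into a custom chain
            verdict = walk(table, rule.target, pkt)
            if verdict != "RETURN":
                return verdict
            continue                             # custom chain did not decide: keep matching here
        if rule.target == "RETURN" and chain.policy:
            break                                # RETURN in a built-in chain falls to its policy
        return rule.target                       # terminating target: stop matching this chain
    return chain.policy or "RETURN"              # nothing matched: default policy, or back to caller

def forward_path(nat, filt, pkt):
    """PREROUTING (nat) runs before FORWARD (filter), so filter sees the translated destination."""
    verdict = walk(nat, "PREROUTING", pkt)
    if verdict.startswith("DNAT:"):
        pkt = Packet(pkt.src, verdict[len("DNAT:"):], pkt.proto)
    return walk(filt, "FORWARD", pkt), pkt.dst

# Constructed rule set mirroring the article's scenarios (addresses are made up).
NAT = {"PREROUTING": Chain([Rule({"dst": "1.1.1.1"}, "DNAT:2.2.2.2")], policy="ACCEPT")}
FILTER = {
    "FORWARD": Chain([Rule({"proto": "icmp", "dst": "2.2.2.2"}, "DROP"),  # ping to 2.2.2.2 is blocked
                      Rule({"src": "10.0.0.5"}, "admins"),                 # classify into a custom chain
                      Rule({"proto": "tcp"}, "ACCEPT")], policy="DROP"),
    "admins": Chain([Rule({"proto": "tcp"}, "ACCEPT"), Rule({"proto": "udp"}, "RETURN")]),
}
```

With this rule set, an ICMP packet to 1.1.1.1 is rewritten to 2.2.2.2 by nat first and then dropped by the filter rule, which is the "ping 1.1.1.1 fails" case from the table-priority discussion; a UDP packet from 10.0.0.5 enters the admins chain, returns, and ends at the FORWARD default policy.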
Command
Commands are used to operate on tables and chains. You can perform these operations:
- Clear all chains contained in a table.
- Create, rename, or delete a custom chain; clear a built-in chain; or set the default policy of a built-in chain.
- Append, delete, or modify a policy in a chain.
- Display policies.
Since this article only describes concepts and principles, we will not mention commands for the moment. The detailed usage will be described in other articles.
Address: http://www.cnblogs.com/foxgab/p/6896957.html