Firewall iptables Analysis
I. Basic concepts of iptables
Match: a condition a packet must satisfy, such as a specified IP address or port.
Drop: the packet is simply discarded, with no further processing.
Accept: the opposite of drop; the packet is accepted and allowed to pass.
Reject: like drop, but an error message is also sent back to the host that sent the packet. The error message can be specified explicitly or generated automatically.
Target: the action that says how a packet is to be handled, such as drop, accept or reject.
Jump: similar to a target, but instead of naming an action it names another chain, meaning that processing continues in that chain.
Rule: one or more matches together with their target.
Chain: each chain holds a sequence of rules that are applied, in order, to every packet traversing the chain. Each chain has its own purpose, discussed in detail below.
Table: each table contains several chains. For example, the filter table contains three chains by default: INPUT, FORWARD and OUTPUT. iptables has four tables: raw, nat, mangle and filter, each with its own function; the most common, the filter table, is used for packet filtering, and the nat table is used for NAT.
Policy: the default action a chain takes when none of its rules match a packet.
Connection tracking: also called stateful (dynamic) filtering; connections can be filtered according to their state. It is a powerful feature, but it also consumes memory.
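The concepts above, written out as an iptables ruleset. This is an added example and not part of the original article: IPT defaults to a dry run that only prints the commands, the chain name ssh_guard and the addresses 192.0.2.0/24 and 198.51.100.7 are constructed samples, and the script is applied for real only when run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example, not from the original article: the concepts of Section I
# expressed as iptables commands. IPT defaults to a dry run that only prints
# the commands; run as root with IPT=iptables to apply them. The chain name,
# addresses and ports are constructed samples.
IPT="${IPT:-echo iptables}"

build_concepts_ruleset() {
    # Policy: what the built-in INPUT chain does when no rule matches.
    $IPT -P INPUT DROP

    # Chain: a user-defined chain that INPUT will jump to for SSH traffic.
    $IPT -N ssh_guard

    # Rule = match + target. Connection tracking: packets belonging to a
    # connection already tracked as ESTABLISHED (or RELATED) are accepted.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Match on the input interface, target ACCEPT: loopback traffic passes.
    $IPT -A INPUT -i lo -j ACCEPT

    # Jump: the target is another chain, not an action. New SSH connections
    # are evaluated by ssh_guard; if nothing there matches, an implicit
    # RETURN resumes INPUT at the rule after this one.
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ssh_guard

    # Rules inside the user chain: accept SSH only from management sources.
    $IPT -A ssh_guard -s 192.0.2.0/24 -j ACCEPT
    $IPT -A ssh_guard -s 198.51.100.7 -j ACCEPT

    # Reject: like drop, but the sender gets an explicit error (a TCP reset).
    $IPT -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset

    # Everything else falls off the end of INPUT and is handled by the DROP
    # policy: discarded silently, with no reply to the sender.
}

build_concepts_ruleset
```

In the dry run the function prints eight commands; the order in which INPUT's rules are listed is the order in which a packet is tested against them, which is why the ESTABLISHED rule comes first and the REJECT rule only after the jump to ssh_guard.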
II. How packets pass through iptables
Figure 1: a packet passing through iptables
Figure 1 shows the basic path of a packet through iptables. Packet processing can be divided into three cases.
1) Packets destined for the local machine
When a packet's destination address is a local address, it passes through iptables as follows:
1. The packet arrives from the network at the network interface.
2. After the network interface receives the packet, it enters the PREROUTING chain of the raw table. This chain processes packets before connection tracking and can mark a connection as one that is not to be tracked. (Note: do not add other rules to the raw table.)
3. If connection tracking is enabled, the packet is processed by it.
4. After the raw table, the packet enters the PREROUTING chain of the mangle table. This chain is mainly used to modify the TOS and TTL of a packet and to set a special MARK on it. (Note: the mangle table is generally used to set MARKs; do not filter, NAT or masquerade packets in this table.)
5. The packet enters the PREROUTING chain of the nat table, which is mainly used for DNAT. Avoid filtering in this chain, otherwise some packets may be missed. (Note: it is only used to translate source/destination addresses.)
6. The routing decision determines what happens to the packet: for example, whether it is delivered locally or forwarded elsewhere. (Note: here we assume the packet is delivered to the local machine.)
7. The packet enters the INPUT chain of the mangle table, where it can be modified after routing but before it is actually delivered to the local machine.
8. The packet enters the INPUT chain of the filter table, where all packets destined for the local machine are filtered. Note that every received packet whose destination address is the local machine passes through this chain, whichever interface it came in on and wherever it is going.
9. After filtering, the packet is handled by a local process or application, such as a server or client program.
2) Packets sent by the local host
When a packet is generated by the local machine, it passes through iptables as follows:
1. A local process or application (such as a server or client program) sends the packet.
2. Routing decision: which source address and which outgoing interface to use, along with other necessary information.
3. The packet enters the OUTPUT chain of the raw table. This is the point at which packets can be pre-processed before connection tracking takes effect; here a connection can be marked as one that is not to be tracked.
4. Connection tracking processes the locally generated packet.
5. The packet enters the OUTPUT chain of the mangle table. Packets can be modified here, but do not filter (to avoid side effects).
6. The packet enters the OUTPUT chain of the nat table, where NAT (DNAT) is performed on packets sent by the firewall itself.
7. The packet enters the OUTPUT chain of the filter table, where locally generated packets are filtered.
8. A second routing decision is made, because the preceding mangle and nat tables may have changed the packet's routing information.
9. The packet enters the POSTROUTING chain of the mangle table. Two kinds of packets traverse this chain: forwarded packets and packets generated by the local machine.
10. The packet enters the POSTROUTING chain of the nat table. We recommend not filtering here because of the side effects: even with a default policy set, some packets may slip through.
11. The packet leaves through the outbound network interface.
3) Forwarded packets
A forwarded packet passes through iptables as follows:
1. The packet arrives from the network at the network interface.
2. After the network interface receives the packet, it enters the PREROUTING chain of the raw table. This chain processes packets before connection tracking and can mark a connection as one that is not to be tracked. (Note: do not add other rules to the raw table.)
3. If connection tracking is enabled, the packet is processed by it.
4. After the raw table, the packet enters the PREROUTING chain of the mangle table. This chain is mainly used to modify the TOS and TTL of a packet and to set a special MARK on it. (Note: the mangle table is generally used to set MARKs; do not filter, NAT or masquerade packets in this table.)
5. The packet enters the PREROUTING chain of the nat table, which is mainly used for DNAT. Avoid filtering in this chain, otherwise some packets may be missed. (Note: it is only used to translate source/destination addresses.)
6. The routing decision determines what happens to the packet: for example, whether it is delivered locally or forwarded elsewhere. (Note: here the packet is forwarded.)
7. The packet enters the FORWARD chain of the mangle table. This chain is also special: after the first routing decision, the packet can still be modified before the final routing decision is made.
8. The packet enters the FORWARD chain of the filter table, where all forwarded packets are filtered. Note that forwarded packets pass through this chain in both directions.
9. The packet enters the POSTROUTING chain of the mangle table. All routing decisions are complete, but the packet is still on the local host, so it can still be modified.
10. The packet enters the POSTROUTING chain of the nat table, which is generally used for SNAT. Do not filter here.
11. The packet leaves through the outbound network interface.
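The three paths above decide where a rule must go: one rule per step, placed in the table and chain the path prescribes. This is an added example and not part of the original article; IPT defaults to a dry run that only prints the commands, and the interfaces and addresses are constructed assumptions: eth0 faces the Internet with address 203.0.113.1, eth1 faces the LAN 10.0.0.0/24, and 10.0.0.5 is an internal web server published through the firewall.

```shell
#!/bin/sh
# Added example, not from the original article: one rule per step of the
# three paths of Section II, each placed in the table and chain the path
# prescribes. IPT defaults to a dry run that prints the commands; run as root
# with IPT=iptables to apply them. Interfaces and addresses are constructed:
# eth0 faces the Internet, eth1 the LAN 10.0.0.0/24, and 10.0.0.5 is an
# internal web server published through the firewall.
IPT="${IPT:-echo iptables}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
WAN_IP="${WAN_IP:-203.0.113.1}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"
WEB="${WEB:-10.0.0.5}"

build_path_ruleset() {
    # Policy for the forwarding path: nothing is forwarded unless a rule accepts it.
    $IPT -P FORWARD DROP

    # Paths 1 and 3, step 2: raw PREROUTING runs before connection tracking.
    # Exempt a high-volume syslog flow from tracking; it later shows state UNTRACKED.
    $IPT -t raw -A PREROUTING -p udp --dport 514 -j CT --notrack

    # Step 4: mangle PREROUTING only marks. The mark travels with the packet
    # and can be matched in every later chain of its path.
    $IPT -t mangle -A PREROUTING -i "$WAN" -j MARK --set-mark 0x1

    # Step 5: nat PREROUTING rewrites the destination before the routing
    # decision (step 6), which therefore already sees $WEB and picks FORWARD.
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB:80"

    # Path 3, step 8: filter FORWARD sees both directions, so replies are
    # admitted by connection state instead of by a mirrored rule ...
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # ... and it sees the packet after DNAT, so the rule must match the
    # translated address $WEB, not the public address the client used.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$WEB" -p tcp --dport 80 -m mark --mark 0x1 -m conntrack --ctstate NEW -j ACCEPT
    # New connections from the LAN towards the Internet.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT

    # Path 3, step 10: nat POSTROUTING runs after the final routing decision,
    # so the source can be rewritten here (SNAT) without disturbing routing.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"

    # Path 1, step 8: filter INPUT is where packets for the host itself are
    # filtered; the untracked syslog flow has to be matched as UNTRACKED.
    $IPT -A INPUT -p udp --dport 514 -m conntrack --ctstate UNTRACKED -j ACCEPT

    # Path 2, step 7: filter OUTPUT is where packets the host generates are
    # filtered; here outbound SMTP from the firewall itself is refused.
    $IPT -A OUTPUT -o "$WAN" -p tcp --dport 25 -j REJECT --reject-with tcp-reset
}

build_path_ruleset
```

The two things this ruleset makes visible are consequences of the traversal order: the filter FORWARD rule for the published server matches 10.0.0.5 because nat PREROUTING has already rewritten the destination by the time FORWARD runs, and the SNAT rule sits in nat POSTROUTING because that chain comes after the last routing decision.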