How iptables works

Source: Internet
Author: User
Netfilter and iptables, often referred to together simply as iptables, consist of two parts: netfilter and iptables. Netfilter runs in kernel space (see the glossary). It is a set of tables that hold series of rules; the kernel uses these rules to control network packet filtering. Iptables runs in user space; it is used to set up, maintain, and display the rules stored by netfilter.

Rules, matches, targets, and chains

A rule is made up of one or more conditions (matches or classifiers) and one action (target). If a packet matches all of a rule's conditions when the rule is applied to it, the action is applied to the packet. Rules are stored in chains. Each rule in a chain is applied to the packet in sequence until one matches. If no rule matches, the chain policy (default action) is applied to the packet.

In the kernel, iptables replaces the earlier ipchains as the method for filtering network packets, and it provides multiple chains, which makes filtering more flexible. The iptables utility also provides stateful packet filtering.

To illustrate how rules work, assume that a chain holds two rules (Figure -10). The first rule tests whether the packet's destination port is 23 (FTP); if so, the packet is dropped. The second rule tests whether the packet comes from the IP address 192.168.1.1; if so, the packet's destination address is modified. When this chain processes a packet, the kernel applies the first rule and checks whether the destination port is 23. If it is, the packet is dropped and processing of that packet ends there. If it is not, the kernel applies the second rule and checks whether the packet comes from the specified IP address. If it does, the destination address in the packet header is modified and the modified packet is sent on to the network. If it does not, the packet is sent to the network unmodified.

Chains are collected and stored in three tables: Filter, NAT, and Mangle. Each table has built-in chains (described below). You can create additional, user-defined chains in the Filter table (the default table).
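As an added illustration (not code from the original text), the following Python model walks a packet through a chain the way the text describes: rules are tried in order, the first rule whose conditions all hold decides, and the chain policy applies when nothing matches. It reproduces the text's two-rule example and also goes beyond it to show a built-in chain jumping to a user-defined chain and returning from it; the DNAT address 10.0.0.5, the INPUT and TCP_RULES chains and the packet fields are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]   # constructed packet: src, dst, proto, dport

@dataclass
class Rule:
    matches: List[Callable[[Packet], bool]]   # every predicate must hold
    target: str                               # ACCEPT, DROP, DNAT, RETURN or a user chain
    to: Optional[str] = None                  # replacement destination for DNAT

@dataclass
class Chain:
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None              # built-in chains have one, user chains do not

def evaluate(chains: Dict[str, Chain], name: str, pkt: Packet) -> str:
    """First-match evaluation of one chain; DNAT rewrites pkt['dst'] in place."""
    chain = chains[name]
    for rule in chain.rules:
        if not all(match(pkt) for match in rule.matches):
            continue                          # no match: try the next rule
        if rule.target == "DNAT":
            pkt["dst"] = rule.to
            return "DNAT"
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target                # terminating verdict
        if rule.target == "RETURN":
            break                             # fall through to this chain's policy
        verdict = evaluate(chains, rule.target, pkt)   # jump into a user-defined chain
        if verdict != "RETURN":
            return verdict                    # otherwise keep scanning this chain
    return chain.policy or "RETURN"           # end of a user chain returns to the caller

# The two-rule chain from the text: drop port 23, then DNAT traffic from 192.168.1.1.
CHAINS = {
    "EXAMPLE": Chain([Rule([lambda p: p["proto"] == "tcp" and p["dport"] == 23], "DROP"),
                      Rule([lambda p: p["src"] == "192.168.1.1"], "DNAT", to="10.0.0.5")],
                     policy="ACCEPT"),
    # Constructed: a built-in chain that jumps to a user chain; unmatched TCP returns and is dropped.
    "INPUT": Chain([Rule([lambda p: p["proto"] == "tcp"], "TCP_RULES")], policy="DROP"),
    "TCP_RULES": Chain([Rule([lambda p: p["dport"] == 22], "ACCEPT"),
                        Rule([lambda p: p["dport"] == 23], "RETURN")]),
}

def run_example(pkt: Packet):
    """Apply the text's example chain and report the verdict and final destination."""
    return evaluate(CHAINS, "EXAMPLE", pkt), pkt["dst"]
```

In real iptables, DNAT is valid only in the nat table (its PREROUTING and OUTPUT chains), so filtering and translation live in separate tables; the model keeps them in one chain only to follow the text's illustration.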

Figure -10: Examples of how rules work in a chain

Filter table

The default table. This table is commonly used to DROP or ACCEPT packets based on their content; it does not modify packets. The built-in chains are INPUT, FORWARD, and OUTPUT. All user-defined chains are stored in this table.

NAT table

The NAT (Network Address Translation) table. The first packet of a new connection is routed through this table. It is used to translate the source or destination address fields of packets. The built-in chains are PREROUTING, OUTPUT, and POSTROUTING. This table can be used only with the DNAT, SNAT, and MASQUERADE targets.

DNAT (destination NAT) modifies the destination IP address of the first inbound packet of a connection so that it is rerouted to another host. Subsequent packets in the connection are automatically DNATed. DNAT is used to redirect packets that arrive from the Internet destined for the firewall or for a server.

SNAT (source NAT) modifies the source IP address of the first outbound packet of a connection so that it appears to come from a fixed IP address (such as the firewall or router address). Subsequent packets in the connection are automatically SNATed. Replies to SNATed packets are automatically de-SNATed so that they return to the original sender. SNAT is used to hide LAN addresses so that systems outside the LAN cannot see them, and to let a single IP address serve many local hosts.

MASQUERADE is similar to SNAT. The only difference is that it checks which IP address to apply to each outbound packet, which makes it suitable for dynamic IP addresses such as those assigned by DHCP. MASQUERADE is slightly slower than SNAT.

Mangle table

The Mangle table is used to modify the TOS (type of service), TTL (time to live), and MARK fields of a packet. The built-in chains are PREROUTING and OUTPUT.

When a packet from the network enters the kernel's network protocol stack, it undergoes some basic sanity checks, including a checksum check. After these checks, the packet enters the PREROUTING chain, where its destination address may be modified (Figure -11).

Next, the packet is routed based on its destination address. If it is destined for the local system, it enters the INPUT chain, where it may be filtered (accepted, dropped, or sent to another chain) or modified. If the packet is not destined for the local system (the local system is forwarding it), it enters the FORWARD and POSTROUTING chains, where it may again be filtered or modified.

Locally generated packets are passed to the OUTPUT and POSTROUTING chains, where they may be filtered or modified before being sent to the network.

Figure -11: Packet filtering in the kernel

State

The connection tracking state machine (sometimes called simply the state machine) provides state information about packets and can be used to define rules that match on a packet's connection state. For example, when a connection is opened, the first packet belongs to a NEW connection and subsequent packets belong to an ESTABLISHED connection. The conntrack module handles connection tracking.

The OUTPUT chain handles connection tracking for locally generated packets. The PREROUTING chain handles connection tracking for all other packets. For more information, see section 15.7.4.
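As an added example (not part of the original text), here is a toy connection tracker and stateful INPUT chain in Python that shows what NEW and ESTABLISHED mean in practice: replies to a connection the local system opened come back as ESTABLISHED and are accepted, while an unsolicited inbound packet stays NEW and is dropped. The flow key, the 192.0.2.10 firewall address and the rule set are constructed for this example; a flow is recorded only when a packet is accepted, which mirrors the way conntrack confirms an entry only for packets that pass the chains.

```python
from typing import Dict

Packet = Dict[str, object]   # constructed packet: proto, src, sport, dst, dport

class ConnTracker:
    """Direction-independent flow table standing in for the conntrack module."""
    def __init__(self):
        self.flows = set()

    @staticmethod
    def key(pkt: Packet):
        a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
        return (pkt["proto"],) + (a + b if a < b else b + a)  # same key in both directions

    def state(self, pkt: Packet) -> str:
        """Classify only; a flow is recorded by confirm() once a packet is accepted."""
        return "ESTABLISHED" if self.key(pkt) in self.flows else "NEW"

    def confirm(self, pkt: Packet) -> None:
        self.flows.add(self.key(pkt))

FIREWALL_HOST = "192.0.2.10"   # constructed address of the protected host

def input_chain(tracker: ConnTracker, pkt: Packet) -> str:
    """Stateful INPUT chain: accept replies, accept new SSH, drop everything else."""
    st = tracker.state(pkt)
    rules = [   # (match on packet and state, target); first match wins
        (lambda p, s: s == "ESTABLISHED", "ACCEPT"),
        (lambda p, s: s == "NEW" and p["proto"] == "tcp" and p["dport"] == 22, "ACCEPT"),
    ]
    verdict = next((t for m, t in rules if m(pkt, st)), "DROP")   # DROP is the chain policy
    if verdict == "ACCEPT":
        tracker.confirm(pkt)      # dropped packets never create a tracked connection
    return verdict

def output_chain(tracker: ConnTracker, pkt: Packet) -> str:
    """Locally generated packets are allowed out; the flow is recorded so replies match."""
    tracker.confirm(pkt)
    return "ACCEPT"
```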
