Iptables command details

Source: Internet
Author: User

I. Preface

In Linux, access control at the network boundary is implemented by a firewall, which can be either a hardware or a software firewall. In any network the firewall must sit at the network edge. Our task is to define how the firewall behaves: this is the firewall policy and its rules, which decide what to do with inbound and outbound traffic based on IP addresses and packet data.

Firewalls on the market today fall mainly into two classes: layer-3/layer-4 firewalls (network-layer firewalls) and layer-7 firewalls, which are actually application-layer proxy gateways.

In the seven-layer TCP/IP model, layer 3 is the network layer, and a layer-3 firewall inspects source and destination addresses at that layer. A layer-7 firewall, by contrast, inspects everything regardless of source or destination port and source or destination address. A layer-7 firewall is therefore more secure but less efficient, which is why common firewall products combine the two. Because all traffic must pass through the ports the firewall controls, the firewall's throughput becomes the main limit on how much data users can access, and a poor configuration can even create a traffic bottleneck.

II. How iptables works

Iptables structure: iptables -> Tables -> Chains -> Rules. In short, a table consists of chains, and a chain consists of rules, as shown in the figure below.

[Figure: iptables -> Tables -> Chains -> Rules]

The five rule chains:

1. PREROUTING (before routing)

2. INPUT (packets entering the local machine)

3. FORWARD (packets forwarded through the local machine)

4. OUTPUT (packets leaving the local machine)

5. POSTROUTING (after routing)

These are the five rule chains defined by Netfilter. Every packet that passes through the local machine traverses one of these five chains.

Iptables has four built-in tables: Filter, NAT, Mangle, and Raw:

1. Filter table

Filter is the default table of iptables: if you do not specify a table, the filter table is used. It has three built-in chains:

  • INPUT chain - processes data arriving from outside.

  • OUTPUT chain - processes data sent out by the local machine.

  • FORWARD chain - forwards data to other NICs on the local machine.

2. NAT table

The nat table has three built-in chains:

  • PREROUTING chain - processes packets that have just arrived at the local machine, before routing. It rewrites the destination IP address in the packet and is usually used for DNAT (destination NAT).

  • POSTROUTING chain - processes packets that are about to leave the local machine. It rewrites the source IP address in the packet and is usually used for SNAT (source NAT).

  • OUTPUT chain - processes packets generated by the local machine.

3. Mangle table

The mangle table is used to specify how packets are altered; for example, it can change the QoS bits in the TCP header. The mangle table has five built-in chains:

  • PREROUTING

  • OUTPUT

  • FORWARD

  • INPUT

  • POSTROUTING

4. Raw table

The raw table is used to handle exceptions. It has two built-in chains:

  • PREROUTING chain

  • OUTPUT chain
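To show the four tables side by side, here is an added example; it is not code from the original article or from the iptables project. It emits a small gateway ruleset in the text format that iptables-restore reads, one block per built-in table: raw exempts traffic from connection tracking, mangle alters packet headers, nat rewrites the destination address before routing (PREROUTING, DNAT) and the source address after routing (POSTROUTING, SNAT), and filter decides what is accepted. The interface names and addresses are constructed assumptions, as is the use of iptables-restore --test for a syntax check; the NOTRACK and DSCP targets and the conntrack match are standard xtables extensions.

```shell
#!/bin/sh
# Added example, not code from the original article: a gateway ruleset that
# uses all four built-in tables, emitted in iptables-restore format.
# All names and addresses below are constructed assumptions:
#   eth0 = WAN interface, eth1 = LAN interface, 192.168.1.0/24 = LAN,
#   192.168.1.10 = internal web server, 203.0.113.5 = the gateway's public IP.

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
WEB_SRV=192.168.1.10
PUB_IP=203.0.113.5

# Print the complete ruleset, one "*table ... COMMIT" block per table.
gen_ruleset() {
cat <<EOF
# raw: exempt LAN DNS queries to this host from connection tracking
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $LAN_IF -p udp --dport 53 -j NOTRACK
COMMIT

# mangle: mark LAN SSH traffic with a low-delay DSCP class
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $LAN_IF -p tcp --dport 22 -j DSCP --set-dscp-class AF41
COMMIT

# nat: DNAT publishes the web server before routing, SNAT hides the LAN after routing
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV:80
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $PUB_IP
COMMIT

# filter: default-deny INPUT and FORWARD, explicit allows, log what falls through
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables-in-drop: "
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SRV -p tcp --dport 80 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -j LOG --log-prefix "iptables-fwd-drop: "
COMMIT
EOF
}

# Count the -A rules inside one table of the generated ruleset.
rules_in_table() {
  gen_ruleset | awk -v t="*$1" '
    $0 == t       { in_t = 1; next }
    /^COMMIT/     { in_t = 0 }
    in_t && /^-A/ { n++ }
    END           { print n + 0 }'
}

# Parse the ruleset without loading it (needs iptables-restore and CAP_NET_ADMIN);
# prints a notice and returns 0 when the tool is unavailable.
check_ruleset() {
  if command -v iptables-restore >/dev/null 2>&1; then
    gen_ruleset | iptables-restore --test
  else
    echo "iptables-restore not found; skipping syntax check" >&2
  fi
}

# Usage: sh gateway-rules.sh print | sudo iptables-restore
case "${1:-}" in print) gen_ruleset ;; esac
```

The ruleset is printed rather than loaded so it can be reviewed first. Note that the FORWARD rule for the web server matches the destination 192.168.1.10, the address after DNAT: the nat PREROUTING chain runs before the routing decision and therefore before the filter FORWARD chain sees the packet.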

Iptables also supports custom chains, but a custom chain must be attached to a specific chain: a rule in that chain directs matching packets to the custom chain for processing, and when the custom chain finishes, control returns to the calling chain, which continues its checks.

Note: the order of rules is critical. The stricter a rule is, the higher up it should be placed, because rules are checked from top to bottom.

Keep in mind the following three key points for understanding iptables rules:

  • A rule consists of a condition and a target.

  • If the condition is met, the target (a chain or one of the special values below) is executed.

  • If the condition is not met, the next rule is evaluated.

Special values that can be specified as a target:

  • ACCEPT - the firewall accepts the packet

  • DROP - the firewall discards the packet

  • QUEUE - the firewall passes the packet to user space

  • RETURN - the firewall stops executing the remaining rules in the current chain and returns to the calling chain.
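The custom-chain mechanism, the rule-order note and the RETURN target above fit together in one ruleset. The script below is an added example, not code from the original article or from the iptables project: it hands new SSH connections from INPUT to a custom chain named SSH_GUARD, places the most specific rule first inside that chain, and uses RETURN to send unmatched packets back to INPUT, where checking resumes at the rule after the jump. The chain name, the administrators' network 10.0.0.0/24 and the rate limit are constructed assumptions; the hashlimit and conntrack matches are standard xtables extensions.

```shell
#!/bin/sh
# Added example, not code from the original article: a filter ruleset that hands
# new SSH connections to a custom chain (SSH_GUARD), shows why rule order matters,
# and uses RETURN to pass control back to the calling chain.
# Constructed assumption: 10.0.0.0/24 is the administrators' network.

ADMIN_NET=10.0.0.0/24

# Emit the filter table in iptables-restore format.
gen_filter() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_GUARD - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# new SSH connections detour through SSH_GUARD; if it RETURNs, checking
# resumes at the next INPUT rule, so the jump must sit above the ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_GUARD
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables-in-drop: "
# SSH_GUARD: the most specific rule first (admins skip the limiter) ...
-A SSH_GUARD -s $ADMIN_NET -j RETURN
# ... then the broad rule: more than 3 new connections per minute from one source are dropped
-A SSH_GUARD -m hashlimit --hashlimit-name ssh_new --hashlimit-mode srcip --hashlimit-above 3/minute -j DROP
# everything else returns to INPUT and is accepted by the rule after the jump
-A SSH_GUARD -j RETURN
COMMIT
EOF
}

# Print the rules of one chain in evaluation order (top to bottom).
chain_rules() {
  gen_filter | grep -- "^-A $1 "
}

# Succeed only when the jump to SSH_GUARD is placed above the blanket port-22
# ACCEPT in INPUT; if they were swapped, the ACCEPT would match first and the
# guard chain would never be consulted.
jump_precedes_accept() {
  chain_rules INPUT | awk '
    /-j SSH_GUARD/ && !j           { j = NR }
    /--dport 22 .*-j ACCEPT/ && !a { a = NR }
    END { exit !(j && a && j < a) }'
}

# Load the ruleset when running as root with iptables-restore available;
# otherwise print it for review.
load_filter() {
  if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
    gen_filter | iptables-restore
  else
    echo "not root or iptables-restore missing; printing ruleset instead" >&2
    gen_filter
  fi
}
```

The final RETURN in SSH_GUARD is what the end of any custom chain does implicitly; it is written out here to make the hand-back to INPUT visible. Running jump_precedes_accept before loading is a cheap guard against the ordering mistake the note above warns about.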
