Linux Firewall--iptables Learning

Source: Internet
Author: User

Iptables is a powerful firewall tool provided by the Linux system; it can implement packet filtering, packet redirection, NAT translation and so on. Iptables is free. Iptables itself is only a user-space tool: the actual functionality is implemented by the Netfilter module, which has been integrated into the Linux kernel by default since kernel version 2.4.

First, the composition of iptables

1. Rules
A rule is the basic unit by which iptables operates on a packet, that is: "when a packet matches the conditions defined by the rule, it is processed according to the action defined in the rule." The conditions defined in a rule typically include the source address/port, destination address/port, transport protocol (TCP/UDP/ICMP) and so on. The actions defined by a rule are generally accept (ACCEPT), reject (REJECT) and drop (DROP). Configuring iptables really means adding, removing and changing these rules.

2. Chains
A chain is a path along which packets travel, and each chain holds several rules. When a packet arrives at a chain, iptables checks it against the rules of that chain in order, starting from the first rule; if a rule's conditions match, the action defined by that rule is executed, otherwise the next rule is checked. If the packet matches none of the rules in the chain, iptables processes it according to the default policy defined for the chain.

3. Tables
iptables has 4 tables: the filter table, the nat table, the mangle table and the raw table, used respectively for packet filtering, network address translation, packet modification and connection-tracking handling. Each table contains several chains, and rules are added to different chains of different tables depending on the purpose. The chains belonging to each table are:

    • raw table has 2 chains: PREROUTING, OUTPUT
    • mangle table has 5 chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD
    • nat table has 3 chains: PREROUTING, POSTROUTING, OUTPUT
    • filter table has 3 chains: INPUT, FORWARD, OUTPUT

The 4 tables have priority: raw > mangle > nat > filter.

Second, the transmission process of iptables

When a packet arrives at the NIC, it first enters the PREROUTING chain (note that a packet marked in the raw table does not go on to the nat table; see the raw table section below). After the rules in the PREROUTING chain have been matched and executed (DNAT, for example), iptables decides, based on the destination IP of the packet, whether it is addressed to the local machine or should be forwarded.

1. If the destination IP of the packet is a local address, it enters the INPUT chain. You can add packet-filtering rules to the INPUT chain of the filter table to restrict which packets may access the machine. Packets that pass the INPUT chain can be received by any process on the local machine and handled as needed. When a process finishes and needs to send packets, they pass through the OUTPUT chain and then reach the POSTROUTING chain, where they are processed again (SNAT, for example).

2. If the destination IP of the packet is not a local address (for example a packet that was DNATed, or a packet simply passing through because this machine is its default gateway) and the kernel has forwarding enabled (the ip_forward parameter is 1), the packet enters the FORWARD chain. The corresponding rules can be set in the FORWARD chain of the filter table; packets leaving the FORWARD chain then go to the POSTROUTING chain for processing (executing SNAT, for example) and are finally sent out.

In summary, there are two kinds of path a packet can take through iptables:
First: PREROUTING, FORWARD, POSTROUTING
Second: OUTPUT, POSTROUTING, PREROUTING, INPUT
Therefore, to control packets, rules are mainly added at the links above. (You will notice that LVS NAT mode passes through the PREROUTING chain (nat table), the FORWARD chain and the POSTROUTING chain (nat table): the request is DNATed in the PREROUTING chain and the response is SNATed in the POSTROUTING chain. Neither the request nor the response goes through the INPUT chain or the OUTPUT chain.)

Third, the use of iptables

iptables options: -I (insert), -A (append), -R (replace), -D (delete), -L (list). Note that -I inserts the rule as the first row of the chain, while -A appends the rule as the last row of the chain.
iptables -F: clear all rules
iptables -F -t nat: clear the rules of the nat table
iptables -P INPUT DROP: set the default policy of the INPUT chain to DROP

Example:
iptables -t filter -A INPUT -s 192.168.1.10 -j ACCEPT
This simple rule appends a rule to the INPUT chain of the filter table. The matching condition is that the source IP of the packet is 192.168.1.10 and the action is ACCEPT, so packets whose source IP is 192.168.1.10 are allowed to access the local machine. In iptables the default table is filter, so the rule above can also be written as:
iptables -A INPUT -s 192.168.1.10 -j ACCEPT

The parameters commonly used in the matching conditions of iptables rules are:
-s: match source address
-d: match destination address
--sport: match source port
--dport: match destination port
-p: match protocol
-i: match input NIC
-o: match output NIC
!: negate the matching condition that follows it
-j: the action to execute for the rule
Example: configuring NAT forwarding so that intranet nodes can access the public network

Environment assumptions:
Routing node: LAN port 192.168.1.10/24 (eth0), WAN port 50.75.153.98/24 (eth1)
Intranet node: 192.168.1.92

1. On the intranet node, configure the default gateway to be the LAN port of the routing node, so that packets from the intranet node reach the routing node.
route add default gw 192.168.1.10
2. Turn on Linux route forwarding on the routing node.
sysctl -w net.ipv4.ip_forward=1
3. Set the default policy of the FORWARD chain to DROP.
iptables -P FORWARD DROP
This keeps the intranet under control: only the IPs explicitly added to the rules are allowed to reach the public network.
4. Allow established and related packets to pass between any addresses.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
This rule is critical; without it, the rules added later that allow an IP to go out are useless, because the reply packets would be dropped.
5. Allow the designated IP address to access the public network.
iptables -A FORWARD -s 192.168.1.92/24 -j ACCEPT
(Note that the /24 mask makes this rule match the whole 192.168.1.0/24 network, not only the single node; write 192.168.1.92 without a mask to allow only that node.)
6. Configure an SNAT rule that rewrites the source IP of the intranet node to the public IP before the packet is sent.
iptables -t nat -A POSTROUTING -s 192.168.1.92 -j SNAT --to 50.75.153.98

Example: configuring NAT forwarding so that public network users can access an intranet node

Environment assumptions:
Routing node: LAN port 192.168.1.10/24 (eth0), WAN port 50.75.153.98/24 (eth1)
Intranet node: 192.168.1.92

1. Turn on Linux route forwarding on the routing node.
sysctl -w net.ipv4.ip_forward=1
2. Set the default policy of the FORWARD chain to DROP.
iptables -P FORWARD DROP
This keeps the intranet under control: only the IPs explicitly added to the rules can be reached.
3. Allow established and related packets to pass between any addresses.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
This rule is critical; without it, the rules added later that allow access to an IP are useless, because the reply packets would be dropped.
4. Allow access to the specified IP address.
iptables -A FORWARD -d 192.168.1.92 -j ACCEPT
5. Configure a DNAT rule that rewrites the public address of the routing node to the private address of the intranet node. DNAT has to be done in the PREROUTING chain of the nat table, before the routing decision (iptables rejects a DNAT target in POSTROUTING):
iptables -t nat -A PREROUTING -d 50.75.153.98 -j DNAT --to 192.168.1.92

PS: solving the "ip_conntrack: table full, dropping packet" problem with the iptables raw table

The raw table contains the PREROUTING chain and the OUTPUT chain and has the highest priority, which lets it process a packet before the packet enters the PREROUTING chain of the nat table. When the raw table is in use and a packet has been marked by its PREROUTING chain, the nat table and the ip_conntrack handling are skipped, so neither address translation nor connection tracking is performed on that packet. The raw table can therefore be used, where NAT and connection tracking are not needed, to improve system performance. When connection tracking is enabled, the system maintains a connection-tracking table and looks every incoming packet up in it, which can consume a great deal of CPU when traffic is heavy. You can set the NOTRACK target in the PREROUTING chain of the raw table so that the packet no longer enters the nat table and is not tracked, for example:
iptables -t raw -A PREROUTING -p tcp -d 192.168.1.10 --dport 80 -j NOTRACK
iptables -A FORWARD -m state --state UNTRACKED -j ACCEPT
This means that packets accessing the 192.168.1.10:80 service are given the NOTRACK mark in the PREROUTING chain of the raw table, and subsequent packets to that service are no longer connection-tracked. (Since 192.168.1.10 is the routing node's own LAN address in the environment above, such packets actually traverse INPUT rather than FORWARD, so the UNTRACKED accept rule would need to be placed in the INPUT chain for that case.)

In addition, Brother Bird's iptables flowchart shows that within each chain the tables are also processed in priority order.
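As an added example (not from the original article), the following POSIX shell script generates the rule set for both NAT scenarios above in iptables-restore format, putting each NAT target in the chain where it is valid, and includes a small lint that rejects any rule set with a DNAT or SNAT target in the wrong chain; the interface names, addresses and the published port 80 are assumptions taken from the environment above.

```shell
#!/bin/sh
# Added example, not from the original article. Generates an iptables-restore
# rule set for the routing node in the article's environment (assumed:
# eth0 = LAN, eth1 = WAN, one intranet host published on TCP port 80).
# Usage: gen_nat_rules LAN_IF WAN_IF WAN_IP HOST_IP [PORT]
gen_nat_rules() {
    lan_if=$1; wan_if=$2; wan_ip=$3; host_ip=$4; port=${5:-80}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT is only valid before the routing decision: PREROUTING (or OUTPUT)
-A PREROUTING -i $wan_if -d $wan_ip -p tcp --dport $port -j DNAT --to-destination $host_ip:$port
# SNAT is only valid after the routing decision: POSTROUTING
-A POSTROUTING -s $host_ip -o $wan_if -j SNAT --to-source $wan_ip
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies first, then one rule per direction; everything else hits the DROP policy
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $host_ip -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -d $host_ip -p tcp --dport $port -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Lint a rule set read from stdin: exit 0 only if every DNAT sits in
# PREROUTING/OUTPUT and every SNAT in POSTROUTING (the DNAT-in-POSTROUTING
# mistake is what iptables-restore would reject at load time).
lint_nat_chains() {
    awk '
        /^-A / { chain = $2 }
        /-j DNAT/ && chain != "PREROUTING" && chain != "OUTPUT" { bad++ }
        /-j SNAT/ && chain != "POSTROUTING" { bad++ }
        END { exit (bad ? 1 : 0) }'
}

# Stand-alone use: generate the rule set and lint it before loading
# gen_nat_rules eth0 eth1 50.75.153.98 192.168.1.92 | lint_nat_chains && echo "nat chains OK"
```

The generated text can be piped to iptables-restore on the routing node once the lint passes.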
