Linux iptables (i)

Source: Internet
Author: User


Linux packet-filtering firewall overview

Both netfilter and iptables can be called "the Linux firewall", but they are different things. netfilter is the packet-filtering subsystem that lives inside the Linux kernel, and can be called the "kernel state" (kernel-space part) of the Linux firewall. iptables is the tool located at /sbin/iptables that manages the firewall rules, and can be called the "user state" (user-space part) of the Linux firewall.


The role of iptables is to supply the rules (policies) that implement the packet-filtering mechanism: different rules tell netfilter what to do with a packet. To make management easier, iptables organises rules in a hierarchy of "tables" and "chains", called rule tables and rule chains. A rule table is a container that holds a number of rule chains. Chains are divided into five kinds according to the point at which they process a packet, and are placed in the different rule tables. iptables manages four tables, divided according to function, namely the filter table, the nat table, the mangle table and the raw table. The chains contained in each table and their respective uses are as follows:


filter table: decides whether a packet is let through (filtering). Three chains: INPUT, OUTPUT, FORWARD

nat table: modifies the source or destination IP address, or the port, of a packet. Three chains: PREROUTING, POSTROUTING, OUTPUT

mangle table: sets marks on packets and modifies their TOS (type of service) and TTL (time to live) fields. Five chains: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING

raw table: decides whether connection (state) tracking is performed on a packet. Two chains: OUTPUT, PREROUTING


The five rule chains are applied at different points in time, as follows:

INPUT chain: applied when a packet is inbound
OUTPUT chain: applied when a packet is outbound
FORWARD chain: applied when a packet is received that has to be forwarded through the firewall to another address
PREROUTING chain: applied before the routing decision is made for the packet
POSTROUTING chain: applied after the routing decision has been made for the packet


In what order are the rule tables and rule chains matched when a packet reaches the firewall? The answer is as follows.

Order between rule tables: when a packet arrives at the firewall, the rules in the corresponding chain of the raw, mangle, nat and filter tables are applied in that order (if the table has such a chain and it contains rules).

Order between rule chains:

1. Inbound data flow: the packet is first processed by the PREROUTING chain, then routed. If the packet's destination is the firewall host itself, it is handed to the INPUT chain, which decides whether to allow it through, and then to the upper-layer application on the system to respond.

2. Forwarded data flow: the packet is first processed by the PREROUTING chain, then routed, then processed by the FORWARD chain (allow forwarding, or intercept and discard), and finally processed by the POSTROUTING chain (which decides, for example, whether to modify the packet's addresses).

3. Outbound data flow: the packet is first processed by the OUTPUT chain, then by the POSTROUTING chain.


Order of matching between firewall rules within a rule chain:

When a packet passes through a rule chain, it is checked against the first rule, then the second, and so on. Once a matching rule is found, the remaining rules further down the chain are not checked; this is the "match-and-stop" principle. If no matching rule is found, the packet is handled by the chain's default policy.
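The match-and-stop behaviour and the default policy described above, modelled as a small added example (not code from the original post; the Rule, Chain and ssh_order_demo names, the ACCEPT/DROP-only targets and the sample packet are constructed for illustration). It shows why appending a rule with -A and inserting it at the top with -I give different results for the same two rules.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    """One rule: every non-None field must equal the packet's field (like -p/--dport/-s)."""
    target: str                     # ACCEPT or DROP (constructed model; no REJECT, LOG, ...)
    proto: Optional[str] = None     # -p tcp|udp, None matches any protocol
    dport: Optional[int] = None     # --dport N
    src: Optional[str] = None       # -s address (exact match only in this model)

    def matches(self, pkt: dict) -> bool:
        wanted = {"proto": self.proto, "dport": self.dport, "src": self.src}
        return all(v is None or pkt.get(k) == v for k, v in wanted.items())


@dataclass
class Chain:
    """A rule chain with a default policy (what iptables -P sets)."""
    policy: str
    rules: list = field(default_factory=list)

    def append(self, rule: Rule) -> None:   # like iptables -A: rule goes to the end
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:   # like iptables -I: rule goes to the top
        self.rules.insert(0, rule)

    def verdict(self, pkt: dict) -> str:
        """Walk the rules top to bottom; the first match decides (match-and-stop)."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy                  # no rule matched: default policy applies


def ssh_order_demo() -> tuple:
    """Same two rules in different order: returns the SSH verdict for each chain."""
    ssh = {"proto": "tcp", "dport": 22, "src": "203.0.113.5"}   # constructed packet
    allow_ssh = Rule("ACCEPT", proto="tcp", dport=22)
    drop_tcp = Rule("DROP", proto="tcp")

    good = Chain(policy="ACCEPT")
    good.append(allow_ssh)
    good.append(drop_tcp)        # ACCEPT 22 is checked before DROP tcp

    shadowed = Chain(policy="ACCEPT")
    shadowed.append(allow_ssh)
    shadowed.insert(drop_tcp)    # -I puts DROP tcp first, so the ACCEPT is never reached
    return good.verdict(ssh), shadowed.verdict(ssh)
```

Calling `ssh_order_demo()` returns `('ACCEPT', 'DROP')`; a chain with policy DROP and no matching rule returns `'DROP'` for any packet.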


-------------------------------------------------------------------------------------

To be continued...

This article is from the "Southern Border" blog; please be sure to keep this source: http://452133dream.blog.51cto.com/8930483/1588121
