What is iptables?
iptables is a powerful firewall tool for Linux. It runs in user space, and once you understand its rules and fundamentals it is easy to configure.
What is Netfilter?
Whenever iptables comes up, Netfilter has to be mentioned too: iptables is the user-space side, essentially a configuration tool for defining rules, while the actual interception and forwarding of packets is done by Netfilter.
Netfilter is a packet-processing module inside the Linux kernel.
Iptables and NetFilter diagram:
As the figure shows, Netfilter works at the network layer: a packet passing through the network layer goes through Netfilter's five hook points (mount points): PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING.
Any packet that traverses this machine passes through one or more of these five hook points.
iptables rule principles
The iptables rule model is commonly summarised as "four tables, five chains":
four tables + five hook points + rules
Four tables: the filter table, the nat table, the mangle table and the raw table
Five hook points: PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING
Concretely, every iptables allow/deny or forward rule must select a hook point and be associated with a table.
The rule is the specific action taken on the packet, the hook point is where that action is applied, and the table expresses the purpose of the action.
The four tables of iptables
The two most commonly used tables today are the first two:
1. filter, for filtering packets;
2. nat, for address translation;
3. mangle, for modifying packets;
4. raw, generally used to exempt packets from iptables connection tracking so that they skip the other tables, which improves performance.
Matching flow of a packet through the tables and hook points
The following diagram shows the hook points a packet passes through, and at each hook point which tables can be used to define rules:
The filter table can generally be used on only 3 chains: INPUT, FORWARD and OUTPUT.
The nat table can be used on only 3 chains: PREROUTING, OUTPUT and POSTROUTING.
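The two rules above (every rule picks a table plus a hook point, and a table is only reachable at certain hook points) can be encoded in a small POSIX-sh helper. This is an added example, not code from the original post; it extends the page's filter/nat mapping with the mangle and raw tables (mangle hooks at all five points, raw only at PREROUTING and OUTPUT), needs neither root nor iptables itself, and only prints the iptables command it validated.

```shell
#!/bin/sh
# Added example: validate a (table, chain) pair against the Netfilter hook
# points each table attaches to, then print the iptables command that
# would be run. Nothing here executes iptables.

# chains_for_table TABLE -> space-separated list of hook points for TABLE
chains_for_table() {
    case "$1" in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING OUTPUT POSTROUTING" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)    echo "PREROUTING OUTPUT" ;;
        *)      return 1 ;;   # unknown table
    esac
}

# valid_hook TABLE CHAIN -> 0 if TABLE has a hook at CHAIN, 1 otherwise
valid_hook() {
    list=$(chains_for_table "$1") || return 1
    for c in $list; do
        [ "$c" = "$2" ] && return 0
    done
    return 1
}

# build_rule TABLE CHAIN TARGET [match options...]
# A rule = a table (purpose) + a hook point (location) + an action (target).
# Refuses combinations the kernel would reject, e.g. nat on INPUT.
build_rule() {
    table=$1; chain=$2; target=$3; shift 3
    valid_hook "$table" "$chain" || {
        echo "refusing: table '$table' has no hook at chain '$chain'" >&2
        return 1
    }
    if [ $# -gt 0 ]; then
        echo "iptables -t $table -A $chain $* -j $target"
    else
        echo "iptables -t $table -A $chain -j $target"
    fi
}

# Constructed sample ruleset: allow SSH in, masquerade outbound on eth0
# (interface name is an assumption for the example), refuse a bad pairing.
example_ruleset() {
    build_rule filter INPUT ACCEPT -p tcp --dport 22
    build_rule nat POSTROUTING MASQUERADE -o eth0
    build_rule nat INPUT ACCEPT || true   # rejected: nat is not hooked at INPUT
}
```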
Noted down for my own improvement!
Linux Iptables: Principles and Fundamentals of rules