Original link: https://www.cnblogs.com/ggjucheng/archive/2012/08/19/2646466.html
iptables Introduction
Netfilter/iptables (referred to below simply as iptables) is the packet-filtering firewall of the Linux platform. Like most Linux software it is free, and it can replace expensive commercial firewall products, providing packet filtering, packet redirection and network address translation (NAT).
iptables basics
A rule is a condition predefined by the network administrator, generally of the form "if the packet header matches this condition, handle the packet in this way". Rules are stored in the packet-filtering tables in kernel space and specify the source address, destination address, transport protocol (such as TCP, UDP or ICMP) and service type (such as HTTP, FTP or SMTP). When a packet matches a rule, iptables handles it in the way the rule defines, for example accepting it (ACCEPT), rejecting it (REJECT) or dropping it (DROP). The main work of configuring the firewall is adding, modifying and deleting these rules.
The relationship between iptables and netfilter:
This has to be said first, because the relationship between iptables and netfilter is easily confused: many people know iptables but have never heard of netfilter. In fact iptables is only the firewall management tool for Linux, located at /sbin/iptables. The actual firewall functionality is netfilter, the framework inside the Linux kernel that implements packet filtering.
How iptables passes packets
① When a packet arrives at the network card it first enters the PREROUTING chain, and the kernel decides from the packet's destination IP whether it needs to be forwarded.
② If the packet is destined for the local host, it moves down (in the flow diagram) to the INPUT chain. Once the packet has passed the INPUT chain, any local process can receive it. Packets sent by programs running on this host pass through the OUTPUT chain and then reach the POSTROUTING chain.
③ If the packet is to be forwarded and the kernel allows forwarding, the packet moves to the right, through the FORWARD chain, and then leaves through the POSTROUTING chain.
iptables rule tables and chains:
Tables provide specific functions. iptables contains four tables: the filter table, the nat table, the mangle table and the raw table, which respectively implement packet filtering, network address translation, packet modification (rewriting), and control of connection-state tracking.
Chains are the paths along which packets travel. Each chain is in fact a checklist of rules, and a chain can hold one or several rules. When a packet arrives at a chain, iptables starts with the first rule in the chain and checks whether the packet satisfies the condition that rule defines. If it does, the packet is handled in the way the rule defines; otherwise iptables goes on to check the next rule. If the packet matches none of the rules in the chain, iptables handles it according to the chain's default policy.
iptables uses a hierarchical structure of tables and chains. RHEL4 had three tables and five chains; RHEL5 has four tables and five chains, but the added table is not used much, so things are basically as before. The four tables and five chains are listed below. Note that the relationships and roles of these tables and chains must be understood.
Rule tables:
1. filter table -- three chains: INPUT, FORWARD, OUTPUT
Function: filters packets. Kernel module: iptable_filter
2. nat table -- three chains: PREROUTING, POSTROUTING, OUTPUT
Function: network address translation (IP address, port). Kernel module: iptable_nat
3. mangle table -- five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD
Function: modifies the packet's type of service and TTL, and can be used together with routing configuration to implement QoS. Kernel module: iptable_mangle (although this table is this elaborate, we do not use it when setting up our policy)
4. raw table -- two chains: OUTPUT, PREROUTING
Function: decides whether the packet is handled by the connection-tracking mechanism. Kernel module: iptable_raw
(This table does not exist in RHEL4, but don't worry, it is rarely used)
Rule chains:
1. INPUT -- the rules in this chain are applied to incoming packets
2. OUTPUT -- the rules in this chain are applied to outgoing packets
3. FORWARD -- the rules in this chain are applied when packets are forwarded
4. PREROUTING -- the rules in this chain are applied before the packet is routed
Remember: all incoming packets are processed by this chain first.
5. POSTROUTING -- the rules in this chain are applied after the packet has been routed
(All packets pass through this chain as they leave)
Order of precedence between rule tables:
raw -- mangle -- nat -- filter
Order of precedence between rule chains (three cases):
First case: inbound traffic
A packet arriving from outside the firewall is first processed by the PREROUTING chain (whether to rewrite the packet address, and so on), and then a routing decision is made (which determines where the packet should go). If the packet's destination is the firewall host itself (for example, a packet from an Internet user accessing a web server on the firewall host), the kernel hands it to the INPUT chain for processing (deciding whether to let it through, and so on), and afterwards it is handed to the application in the upper layers of the system (such as an Apache server) to respond to.
Second case: forwarded traffic
When the packet arrives at the firewall it is first processed by the PREROUTING chain and then routed. If the packet's destination is some other external address (for example, a LAN user reaching the QQ site through the gateway), the kernel hands it to the FORWARD chain for processing (forward or block), and then to the POSTROUTING chain (whether to rewrite the packet address).
Third case: outbound traffic
When the firewall itself sends a packet to an external address (for example, when a public DNS server is tested from the firewall host), the packet is first processed by the OUTPUT chain, then routed, and then handed to the POSTROUTING chain (whether to rewrite the packet address) for processing.
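The chain semantics described above (first matching rule decides, the chain's default policy applies otherwise), the raw -- mangle -- nat -- filter table order, and the three traffic paths can be replayed on paper. The following Python model is an added illustration and is not iptables or netfilter code; the firewall addresses (198.51.100.1 outside, 192.168.1.1 on the LAN), the rule set and the packets are all constructed for the example. It records which table/chain pairs a packet is checked against and what verdict it receives, so the evaluation order of the three cases can be inspected.

```python
"""Toy model of iptables chain traversal and rule matching (added illustration,
not netfilter code). It replays the article's rules: raw -> mangle -> nat -> filter
at every hook, first matching rule wins, chain policy as fallback, and the three
traffic paths (inbound to the host, forwarded, locally generated)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Precedence of the tables at any hook (from the article).
TABLE_ORDER = ("raw", "mangle", "nat", "filter")

# Which tables register a chain at each hook (from the article's table list).
TABLES_AT_HOOK = {
    "PREROUTING": ("raw", "mangle", "nat"),
    "INPUT": ("mangle", "filter"),
    "FORWARD": ("mangle", "filter"),
    "OUTPUT": ("raw", "mangle", "nat", "filter"),
    "POSTROUTING": ("mangle", "nat"),
}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp"
    dport: int = 0
    locally_generated: bool = False  # True for packets created by a process on the firewall


@dataclass
class Rule:
    target: str                      # ACCEPT, DROP or REJECT
    proto: Optional[str] = None      # None means "any"
    dport: Optional[int] = None
    src: Optional[str] = None        # CIDR such as "192.168.1.0/24"

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        return True


@dataclass
class Chain:
    policy: str = "ACCEPT"                      # default policy when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        # The first matching rule decides; otherwise fall back to the chain policy.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


Ruleset = Dict[Tuple[str, str], Chain]   # (table, chain name) -> Chain


def hooks_for(pkt: Packet, local_addrs: set, forwarding: bool) -> List[str]:
    """Return the hooks a packet visits, following the article's three cases."""
    if pkt.locally_generated:
        return ["OUTPUT", "POSTROUTING"]                  # case 3: outbound
    if pkt.dst in local_addrs:
        return ["PREROUTING", "INPUT"]                    # case 1: inbound to the host
    if forwarding:
        return ["PREROUTING", "FORWARD", "POSTROUTING"]   # case 2: forwarded
    return ["PREROUTING"]   # routing refuses to forward, so the packet goes no further


def traverse(pkt: Packet, ruleset: Ruleset, local_addrs: set, forwarding: bool = True):
    """Walk the hooks, consulting tables in TABLE_ORDER; stop at the first DROP/REJECT.
    Returns (verdict, list of "table/CHAIN" pairs consulted)."""
    visited: List[str] = []
    for hook in hooks_for(pkt, local_addrs, forwarding):
        for table in TABLE_ORDER:
            if table not in TABLES_AT_HOOK[hook]:
                continue
            visited.append(f"{table}/{hook}")
            chain = ruleset.get((table, hook))
            if chain is None:            # empty chain: nothing to match, default ACCEPT
                continue
            verdict = chain.evaluate(pkt)
            if verdict in ("DROP", "REJECT"):
                return verdict, visited
    deliverable = pkt.locally_generated or pkt.dst in local_addrs or forwarding
    return ("ACCEPT" if deliverable else "DROP"), visited


# Constructed example: the firewall is 198.51.100.1 outside and 192.168.1.1 on the LAN;
# it runs a public web server, allows SSH only from the LAN, and forwards for the LAN.
LOCAL_ADDRS = {"198.51.100.1", "192.168.1.1"}


def sample_ruleset() -> Ruleset:
    return {
        ("filter", "INPUT"): Chain(policy="DROP", rules=[
            Rule("ACCEPT", proto="tcp", dport=80),                        # public web server
            Rule("ACCEPT", proto="tcp", dport=22, src="192.168.1.0/24"),  # SSH from LAN only
        ]),
        ("filter", "FORWARD"): Chain(policy="DROP", rules=[
            Rule("ACCEPT", src="192.168.1.0/24"),                         # LAN may go out
        ]),
        ("filter", "OUTPUT"): Chain(policy="ACCEPT"),
    }


if __name__ == "__main__":
    rs = sample_ruleset()
    for pkt in (Packet("203.0.113.5", "198.51.100.1", "tcp", 80),
                Packet("203.0.113.5", "198.51.100.1", "tcp", 22),
                Packet("192.168.1.20", "203.0.113.80", "tcp", 443),
                Packet("198.51.100.1", "198.51.100.53", "udp", 53, locally_generated=True)):
        verdict, path = traverse(pkt, rs, LOCAL_ADDRS)
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}: {verdict} via {' > '.join(path)}")
```

Running the script shows the inbound web request being accepted in filter/INPUT after the three PREROUTING tables, an outside SSH attempt falling through to the INPUT chain's DROP policy, the LAN client's forwarded connection passing FORWARD and then both POSTROUTING tables, and the firewall's own DNS query taking the OUTPUT then POSTROUTING path. Passing forwarding=False to traverse() models a kernel that does not allow forwarding: such a packet is checked only in PREROUTING and is then dropped at the routing decision, never reaching FORWARD.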
Managing and setting iptables rules
The principle of iptables under Linux