# iptables packet traversal and syntax

## Packets destined for the local host

| Step | Table | Chain | Comment |
|---|---|---|---|
| 1 | | | On the wire (for example, the Internet) |
| 2 | | | Arrives at an interface (for example, eth0) |
| 3 | mangle | PREROUTING | Used to mangle packets, for example to change the TOS field |
| 4 | nat | PREROUTING | Mainly used for DNAT. Do not filter in this chain: in some cases packets slip through it |
| 5 | | | Routing decision: is the packet for the local host, or must it be forwarded? |
| 6 | mangle | INPUT | Mangle packets after the routing decision, before they reach the local process |
| 7 | filter | INPUT | All packets destined for the local host pass through this chain; the filtering conditions for them live here, wherever they come from |
| 8 | | | Delivered to the local process (for example, a server or client program) |

## Packets generated locally

| Step | Table | Chain | Comment |
|---|---|---|---|
| 1 | | | Local process (for example, a server or client program) |
| 2 | | | Routing decision, which needs the source address, the outgoing interface and other information |
| 3 | mangle | OUTPUT | Packets can be mangled here. Filtering here is not recommended; it can have side effects |
| 4 | nat | OUTPUT | DNAT for packets sent by the firewall itself |
| 5 | filter | OUTPUT | Filtering of locally generated packets |
| 6 | mangle | POSTROUTING | Mangling of packets before they leave the local host, after DNAT. A locally generated packet goes through the routing code once it is created, but its final route can only be settled after the NAT code has run, which is why this stage is called the real routing. Two kinds of packets pass through here: packets generated by the firewall itself and packets being forwarded |
| 7 | nat | POSTROUTING | SNAT is performed here. Do not filter here: it has side effects, and some packets slip through even with a DROP policy |
| 8 | | | Outgoing interface |
| 9 | | | On the wire |

## Forwarded packets

| Step | Table | Chain | Comment |
|---|---|---|---|
| 1 | | | On the wire (for example, the Internet) |
| 2 | | | Arrives at an interface (for example, eth0) |
| 3 | mangle | PREROUTING | Mangle packets, for example to change the TOS field |
| 4 | nat | PREROUTING | Mainly used for DNAT. Do not filter in this chain: in some cases packets slip through it. SNAT is done later |
| 5 | | | Routing decision: local host or forward |
| 6 | mangle | FORWARD | Used only in special cases. Mangling here (remember what mangle means) happens after the original routing decision and before the last change to what becomes of the packet (the filter FORWARD chain that follows may still change the fate of some packets, for example by dropping them) |
| 7 | filter | FORWARD | Only packets that need forwarding reach this chain, and all filtering of them is done here. Every forwarded packet passes through it, whether it travels from the Internet to the intranet or from the intranet to the Internet; keep this in mind when writing your own rules |
| 8 | mangle | POSTROUTING | Also reserved for special kinds of packets (both mangle chains on this path are for special uses). Mangling here happens after every change to the packet's destination address is complete, while the packet is still on the local host |
| 9 | nat | POSTROUTING | Used for SNAT, including MASQUERADE. Do not filter here: some packets pass even when they do not match the conditions |
| 10 | | | Outgoing interface (for example, eth0) |
| 11 | | | On the wire again (for example, the LAN) |

## iptables syntax

```
iptables [-t table] command [match] [target/jump]
```

### Tables

- `nat`: network address translation.
- `mangle`: packet modification; changes the contents of packets and their headers, for example TTL, TOS or MARK.
- `filter`: packet filtering; performs DROP, LOG, ACCEPT and REJECT on packets.

### Commands

| Option | Meaning | Example |
|---|---|---|
| `-A`, `--append` | append a rule to a chain | `iptables -A INPUT ...` |
| `-D`, `--delete` | delete a rule, by specification or by number | `iptables -D INPUT -p tcp --dport 80 -j DROP` or `iptables -D INPUT 1` |
| `-R`, `--replace` | replace a rule | `iptables -R INPUT 1 -s 192.168.0.1 -j DROP` |
| `-I`, `--insert` | insert a rule at a position | `iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT` |
| `-L`, `--list` | list the rules of a chain | `iptables -L INPUT` |
| `-F`, `--flush` | flush a chain | `iptables -F INPUT` |
| `-Z`, `--zero` | zero the counters of a chain | `iptables -Z INPUT` |
| `-N`, `--new-chain` | create a user-defined chain | `iptables -N allowed` |
| `-X`, `--delete-chain` | delete a user-defined chain | `iptables -X allowed` |
| `-P`, `--policy` | set the default policy (target) of a chain | `iptables -P INPUT DROP` |
| `-E`, `--rename-chain` | rename a user-defined chain | `iptables -E allowed disallowed` |

### Matches

Generic matches:

- `-p`, `--protocol`: match a protocol from `/etc/protocols`; `all` means every protocol, and the usual values are `tcp`, `udp` and `icmp`. Example: `iptables -A INPUT -p tcp`.
- `-s`, `--src`, `--source`: match the source IP address; negate with `!` (for example `--source ! 192.168.0.0/24`). Example: `iptables -A INPUT -s 192.168.1.1`.
- `-d`, `--dst`, `--destination`: match the destination IP address, like `-s`.
- `-i`, `--in-interface`: match the incoming interface; negate with `-i ! eth0`. Example: `iptables -A INPUT -i eth0`.
- `-o`, `--out-interface`: match the outgoing interface; negate with `-o ! eth0`. Example: `iptables -A OUTPUT -o eth0`.
- `-f`, `--fragment`: match fragmented packets (the second and further fragments).

Implicit matches (loaded automatically by `-p`):

- TCP: `--sport`, `--source-port` (single port or range): `iptables -A INPUT -p tcp --sport 22` or `--sport 22:80`; `--dport`, `--destination-port`: `iptables -A INPUT -p tcp --dport 22`; `--tcp-flags`: match the listed TCP flags, for example `--tcp-flags SYN,FIN,ACK SYN`; `--tcp-option`: match on a TCP option in the packet.
- UDP: `--sport`, `--source-port` and `--dport`, `--destination-port`, as for TCP.
- ICMP: `--icmp-type`.

Explicit matches (loaded with `-m`):

- `limit`: `--limit`, for example `iptables -A INPUT -m limit --limit 3/hour`; `--limit-burst`, for example `iptables -A INPUT -m limit --limit-burst 5`.
- `mac`: `--mac-source`, only available in PREROUTING. Example: `iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01`.
- `multiport`: match several ports at once. `--source-port`: `iptables -A INPUT -p tcp -m multiport --source-port 80,110`; `--destination-port`: `iptables -A INPUT -p tcp -m multiport --destination-port 80,110`; `--port`: `iptables -A INPUT -p tcp -m multiport --port 80,110`.
- `owner`: match the local process that produced the packet. `--uid-owner` specifies the user, for example `iptables -A OUTPUT -m owner --uid-owner 500`; `--gid-owner` the group; `--pid-owner` the process; `--sid-owner` the session id.
- `state`: match the connection state with `--state`. Example: `iptables -A INPUT -m state --state RELATED,ESTABLISHED`.
- `tos`: match the TOS field with `--tos`. Example: `iptables -A INPUT -p tcp -m tos --tos 0x16`.
- `ttl`: match the TTL value with `--ttl`. Example: `iptables -A OUTPUT -m ttl --ttl 60`.

### Targets and jumps

- `-j chain`: jump to a user-defined chain, for example `iptables -A INPUT -p tcp -j tcp_packets` (the chain must exist first: `iptables -N tcp_packets`).
- `ACCEPT`: `-j ACCEPT` accepts the packet, and no further rules in this chain are checked.
- `DNAT`: `--to-destination` gives the address written into the IP header, which is also where the packet will be forwarded. Example: `iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10`.
- `DROP`: drop the packet.
- `REJECT`: essentially the same as DROP, but in addition to blocking the packet an error message is sent back to the sender; `--reject-with` chooses which error. Example: `iptables -A FORWARD -p tcp --dport 22 -j REJECT --reject-with tcp-reset`.
- `LOG`: record the packet in the log. `--log-level` tells iptables and syslog which log level to use; `--log-prefix` adds the given prefix to the logged message; `--log-tcp-sequence` logs the TCP sequence number with the rest of the information; `--log-tcp-options` logs the options in the TCP header (variable-size fields); `--log-ip-options` logs the options in the IP header.
- `MARK`: set the mark value, an unsigned integer; only usable in the mangle table.
- `MASQUERADE`: rewrite the source address in the IP header, like SNAT, using the address of the outgoing interface.
- `QUEUE`: hand the packet to a user-space program or application through a packet queue.
- `REDIRECT`: redirect packets or a flow to another port on the firewall host itself; only usable in the PREROUTING and OUTPUT chains of the nat table and in user-defined chains called from them. Example: `iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080`.
- `RETURN`: return to the previous level. If the packet hits RETURN in a user-defined chain, traversal continues at the next rule of the parent chain; if RETURN is reached in a built-in chain, the chain's default policy (usually ACCEPT or DROP) applies.
- `SNAT`: source network address translation, that is, rewriting the source IP address of the packet; only usable in the POSTROUTING chain of the nat table. Example: `iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000`.
- `TOS`: set the Type of Service field in the IP header, the only way to carry routing hints in the packet header.
- `TTL`: modify the Time To Live field in the IP header; only usable in the mangle table. Example: `iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 64`.
- `ULOG`: record information about matched packets in user space; the information and the whole packet are multicast over a netlink socket. `--ulog-nlgroup` selects the netlink group the packet is sent to: `iptables -A INPUT -p tcp --dport 22 -j ULOG --ulog-nlgroup 2`; `--ulog-prefix` works like `--log-prefix`; `--ulog-cprange` sets how many bytes of each packet are copied to the ulog daemon in user space, default 0 (the whole packet): `iptables -A INPUT -p tcp --dport 22 -j ULOG --ulog-cprange 100`; `--ulog-qthreshold` tells ULOG how many packets to queue in the kernel before sending them to user space: `iptables -A INPUT -p tcp --dport 22 -j ULOG --ulog-qthreshold 10`.
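The three traversal paths above (local delivery, local origin, forwarding) can be checked against a small model. The following is an added example, not code from the original page: it encodes the table/chain order from the three tables, decides local-versus-forward from the destination address after the PREROUTING hooks, and mimics one reason the page warns against filtering in the nat chains, namely that nat is consulted only for the first packet of a connection, so later packets of that connection never pass through it. The address set, the packets and the connection-tracking key (source and destination only) are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed: the addresses the firewall considers its own.
LOCAL_ADDRS = {"192.168.1.1", "203.0.113.10"}

Hook = Tuple[str, str]  # (table, chain)


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: Optional[str]  # None means the packet was generated locally


def traversal(pkt: Packet, conntrack: Set[Tuple[str, str]]) -> List[Hook]:
    """Return the ordered (table, chain) hooks the packet passes through.

    conntrack is a simplified connection table keyed on (src, dst): nat
    chains are only visited when the packet opens a new connection.
    """
    key = (pkt.src, pkt.dst)
    new_connection = key not in conntrack
    conntrack.add(key)

    if pkt.in_iface is None:
        # Locally generated: routing decision, then the OUTPUT chains,
        # then the POSTROUTING chains before leaving the host.
        hooks = [("mangle", "OUTPUT")]
        if new_connection:
            hooks.append(("nat", "OUTPUT"))
        hooks += [("filter", "OUTPUT"), ("mangle", "POSTROUTING")]
        if new_connection:
            hooks.append(("nat", "POSTROUTING"))
        return hooks

    hooks = [("mangle", "PREROUTING")]
    if new_connection:
        hooks.append(("nat", "PREROUTING"))

    # Routing decision: local delivery or forwarding.
    if pkt.dst in LOCAL_ADDRS:
        hooks += [("mangle", "INPUT"), ("filter", "INPUT")]
    else:
        hooks += [("mangle", "FORWARD"), ("filter", "FORWARD"),
                  ("mangle", "POSTROUTING")]
        if new_connection:
            hooks.append(("nat", "POSTROUTING"))
    return hooks


if __name__ == "__main__":
    ct: Set[Tuple[str, str]] = set()
    first = Packet("10.0.0.5", "203.0.113.10", "eth0")
    for label, pkt in [("local, first packet", first),
                       ("local, second packet", first),
                       ("forward", Packet("10.0.0.5", "198.51.100.7", "eth0")),
                       ("outgoing", Packet("203.0.113.10", "198.51.100.7", None))]:
        print(label, "->", " > ".join(f"{t}/{c}" for t, c in traversal(pkt, ct)))
```

Run it and compare the printed sequences with the three tables: the second packet of the same connection goes straight from mangle PREROUTING to the INPUT chains, which is exactly why a rule placed in nat PREROUTING would not see it.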
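The syntax section lists where several targets may be used (DNAT and REDIRECT in nat PREROUTING/OUTPUT, SNAT in nat POSTROUTING, TTL and MARK in the mangle table) and which matches depend on `-p`. The parser and checker below are an added example, not part of the original page or of iptables itself: they split an `iptables` command line into table, chain, protocol, matches and target and report rules that break those placement constraints before anyone tries to load them. The MASQUERADE placement and the interface-direction checks (`-i` has no meaning in OUTPUT/POSTROUTING, `-o` none in INPUT/PREROUTING) are assumptions added by the example beyond the page's list; the message strings are the example's own.

```python
import shlex
from typing import Dict, List, Optional, Set, Tuple

# target -> (required table, allowed chains or None for any chain of that table)
TARGET_PLACEMENT: Dict[str, Tuple[str, Optional[Set[str]]]] = {
    "DNAT": ("nat", {"PREROUTING", "OUTPUT"}),
    "REDIRECT": ("nat", {"PREROUTING", "OUTPUT"}),
    "SNAT": ("nat", {"POSTROUTING"}),
    "MASQUERADE": ("nat", {"POSTROUTING"}),  # assumption, not stated on the page
    "TTL": ("mangle", None),
    "MARK": ("mangle", None),
}
CHAIN_COMMANDS = {"-A", "--append", "-I", "--insert", "-D", "--delete", "-R", "--replace"}
PORT_OPTIONS = {"--sport", "--source-port", "--dport", "--destination-port", "--port", "--ports"}


def parse_rule(cmdline: str) -> Dict[str, object]:
    """Extract the fields the checker needs from one iptables command line."""
    argv = shlex.split(cmdline)
    if not argv or argv[0] != "iptables":
        raise ValueError("expected a command line starting with 'iptables'")
    rule: Dict[str, object] = {"table": "filter", "chain": None, "proto": None,
                               "matches": [], "target": None, "in": None,
                               "out": None, "ports": []}
    i = 1
    while i < len(argv):
        opt = argv[i]
        val = argv[i + 1] if i + 1 < len(argv) else None
        if opt in ("-t", "--table"):
            rule["table"] = val
        elif opt in CHAIN_COMMANDS:
            rule["chain"] = val
        elif opt in ("-p", "--protocol"):
            rule["proto"] = (val or "").lower()
        elif opt in ("-m", "--match"):
            rule["matches"].append(val)
        elif opt in ("-j", "--jump"):
            rule["target"] = val
        elif opt in ("-i", "--in-interface"):
            rule["in"] = val
        elif opt in ("-o", "--out-interface"):
            rule["out"] = val
        elif opt in PORT_OPTIONS:
            rule["ports"].append(opt)
        else:
            i += 1  # option we do not track (or a bare value): skip just it
            continue
        i += 2  # tracked option plus its value
    return rule


def lint_rule(cmdline: str) -> List[str]:
    """Return a list of placement problems; an empty list means the rule is fine."""
    r = parse_rule(cmdline)
    problems: List[str] = []
    target = r["target"]
    if target in TARGET_PLACEMENT:
        table, chains = TARGET_PLACEMENT[target]
        if r["table"] != table:
            problems.append(f"{target} target is only valid in the {table} table")
        elif chains and r["chain"] not in chains:
            problems.append(f"{target} target is only valid in the {table} table's "
                            f"{'/'.join(sorted(chains))} chain")
    if r["ports"] and r["proto"] not in ("tcp", "udp"):
        problems.append("port match requires -p tcp or -p udp")
    if r["in"] and r["chain"] in ("OUTPUT", "POSTROUTING"):
        problems.append("-i cannot be used in the OUTPUT or POSTROUTING chain")
    if r["out"] and r["chain"] in ("INPUT", "PREROUTING"):
        problems.append("-o cannot be used in the INPUT or PREROUTING chain")
    return problems


if __name__ == "__main__":
    for line in [
        "iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10",
        "iptables -A INPUT --dport 80 -j DROP",            # missing -p tcp
        "iptables -A POSTROUTING -j SNAT --to-source 10.0.0.1",  # wrong table
    ]:
        print(line, "->", lint_rule(line) or "ok")
```

The checker deliberately ignores options it does not know (`-d`, `--to-destination`, `--reject-with`), so it accepts any of the page's examples unchanged; it only flags the combinations the page says are invalid.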