There are three scenarios when a packet passes through a firewall:
1. Locally destined packets
When a packet enters the firewall and its destination address is the local host, the firewall checks it in the following order.
If a packet is discarded at any step, no subsequent checks are performed.
| Step | Table | Chain | Description |
|---|---|---|---|
| 1 | | | Packet is transmitted on the link |
| 2 | | | Packet enters the network interface |
| 3 | mangle | PREROUTING | Used to mangle packets, e.g. rewriting or marking them |
| 4 | nat | PREROUTING | Mainly used for DNAT |
| 5 | | | Routing decision: is the packet destined for the local host or to be forwarded? |
| 6 | mangle | INPUT | After routing and before delivery to a local process; rewriting or marking packets |
| 7 | filter | INPUT | Every locally destined packet passes through this chain; the packet filtering rules are set here |
| 8 | | | Packet reaches a local process, such as a server or client program |
2. Locally generated packets
Packets emitted by a local application are checked by the firewall in the following order:
| Step | Table | Chain | Description |
|---|---|---|---|
| 1 | | | Local process, such as a server or client program |
| 2 | | | Routing decision |
| 3 | mangle | OUTPUT | Used to mangle packets, e.g. rewriting or marking them |
| 4 | nat | OUTPUT | DNAT on locally generated packets |
| 5 | filter | OUTPUT | Filtering of locally generated packets; the filtering rules are set here |
| 6 | mangle | POSTROUTING | Further changes to the packet |
| 7 | filter | POSTROUTING | SNAT is done here |
| 8 | | | Packet leaves the network interface and is transmitted on the link |
3. Forwarded packets
Packets that need to be forwarded through the firewall are checked in the following order:
| Step | Table | Chain | Description |
|---|---|---|---|
| 1 | | | Packet is transmitted on the link |
| 2 | | | Packet enters the network interface |
| 3 | mangle | PREROUTING | Mangle packets: rewriting or marking them |
| 4 | nat | PREROUTING | This chain is mainly used for DNAT |
| 5 | | | Routing decision: is the packet destined for the local host or to be forwarded? |
| 6 | mangle | FORWARD | The packet continues to the FORWARD chain of the mangle table; this is needed only in special cases, where the packet is mangled here. This mangling happens after the first routing decision and before the final change to the packet's destination |
| 7 | filter | FORWARD | Forwarded packets are sent to this FORWARD chain; only packets that need to be forwarded reach it, and all filtering of such packets is done here. Note that every forwarded packet passes through here |
| 8 | mangle | POSTROUTING | This chain is also for some special types of packets; mangling at this step is done after all changes to the packet's destination address are complete, but while the packet is still on the local host |
| 9 | nat | POSTROUTING | This chain is used for SNAT. Filtering here is not recommended, because some packets pass through it even when they do not meet the conditions |
| 10 | | | Packet leaves the network interface |
| 11 | | | Packet is transmitted on the link |
When filtering packets, the following three actions are the most common:
(1) ACCEPT: once a packet meets the specified match criteria it is accepted and is no longer matched against the remaining rules of the current chain or other rules within the same table, but it still has to pass through the chains of the other tables.
(2) DROP: if the packet meets the criteria it is discarded, and no information is returned to the sender or to the router.
(3) REJECT: like DROP, except that in addition to discarding the packet an error message is returned to the sender.
Examples are as follows:
Here "policy DROP" means that the chain's default policy is DROP. Suppose a packet has source address 192.168.1.58, destination address 137.254.60.6, protocol TCP and destination port 80. When it passes through the FORWARD chain, matching starts from the top and proceeds downward:
(1) 1st rule: source is 192.168.100.0/24; the source address does not match.
(2) 2nd rule: destination is 69.147.0.0/24; the destination address does not match.
(3) 3rd rule: source is 172.16.0.0/16; the source address does not match.
(4) 4th rule: source is 10.0.0.0/24; the source address does not match.
Since none of the rules match, the packet falls through to the default policy. The default policy in this example is DROP, so the packet is discarded.
Consider another packet: source address 192.168.1.58, destination address 69.147.83.199, protocol TCP, destination port 80. When it passes through the FORWARD chain, matching again starts from the top:
(1) 1st rule: source is 192.168.100.0/28; the source address does not match.
(2) 2nd rule: the source address is any (0.0.0.0/0), which matches; the destination address is 69.147.0.0/24, and 69.147.83.199 is within that range, so it matches; the source and destination ports match, and the protocol is any (all), which matches. The rule's action is ACCEPT, so the packet passes.
If the packet's source address is 10.0.0.35, destination address 69.147.83.199, protocol TCP and destination port 80, then when it passes through the FORWARD chain matching starts from the top; when it reaches the 4th rule, the action is mychain, and the packet is handed to the user-defined chain mychain for processing.
The process of passing a packet through a firewall