Linux—iptables (continuously updated)

I. iptables overview

1. Firewall overview

The Linux firewall is an IP packet filtering system. It is actually made up of two parts, netfilter and iptables. It works mainly at the network layer on IP packets, making its decisions on header fields such as the source and destination IP address, the protocol, and (for TCP/UDP) the port numbers carried in each packet.

2. The relationship between netfilter and iptables

1. netfilter: the firewall subsystem that lives in kernel space. It is part of the Linux kernel and holds the packet filtering tables; these tables contain the rule sets the kernel uses to decide how each packet is handled.
2. iptables: the firewall management tool that lives in user space. It is a command-line program for administering the Linux firewall, and makes it easy to insert, modify and delete rules in the kernel's packet filtering tables. It is usually installed at /sbin/iptables.
3. Netfilter/iptables is referred to simply as iptables below. iptables is a kernel-based firewall with four built-in tables: raw, mangle, nat and filter. (Kernels with SELinux support also provide a fifth table, security, which this article does not cover.)

3. Four tables and five chains

3.1 The role of a rule table: to hold rule chains

Four tables (rules configured in a table take effect immediately, without restarting any service; they are not kept across a reboot unless saved with iptables-save and restored at boot):

  • raw table: decides whether a packet is subject to connection tracking (a NOTRACK/CT rule here exempts it). Contains two chains: PREROUTING, OUTPUT.
  • mangle table: modifies packet contents (TTL, TOS and similar header fields), used for traffic shaping and for setting marks on packets. Contains five chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING.
  • nat table: network address translation, used to rewrite the source or destination IP address or port of a packet. Contains three chains: PREROUTING, OUTPUT, POSTROUTING (kernels from 2.6.34 on also add an INPUT chain to this table).
  • filter table: filters packets and decides whether each one is accepted or dropped. Contains three chains: INPUT, FORWARD, OUTPUT.
    Note: of the four tables, mangle and raw are the least commonly used.

3.2 The role of a rule chain: to hold firewall rules. In short: tables contain chains, and chains contain rules.

Five chains:

  • INPUT: handles inbound packets, i.e. packets whose destination IP is this machine.
  • OUTPUT: handles outbound packets generated by this machine; rules are usually not configured on this chain, and it is commonly left at its ACCEPT policy.
  • FORWARD: handles forwarded packets, i.e. packets that pass through this machine (routed by it, not addressed to it).
  • PREROUTING chain: processes packets before the routing decision; used to rewrite the destination address (DNAT). This is what maps an internal server's IP and port onto the router's external IP and port.
  • POSTROUTING chain: processes packets after the routing decision; used to rewrite the source address (SNAT/MASQUERADE). This is what lets hosts on the internal network reach the Internet through the router's single public IP address.
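As an added example (not part of the original post), here is a complete ruleset in iptables-save format for a small NAT gateway that touches all four tables and all five built-in chains: connection tracking is switched off for loopback in raw, forwarded LAN traffic is marked in mangle, port 80 is DNATed to an internal web server in nat PREROUTING, the LAN is masqueraded in nat POSTROUTING, and filter holds the actual accept/drop decisions with DROP policies on INPUT and FORWARD. The interface name eth0, the 192.168.10.0/24 network and the 192.168.10.20 server address are assumptions made for the example. The script only generates and sanity-checks the text; nothing is loaded into the kernel.

```shell
#!/bin/sh
# Added example, not from the original post: generate an iptables-restore
# ruleset for a small NAT gateway that exercises all four tables.
# Assumptions (not from the article): eth0 is the WAN side, the LAN is
# 192.168.10.0/24, and 192.168.10.20 is an internal web server.
set -eu

WAN_IF=eth0
LAN_NET=192.168.10.0/24
WEB_SRV=192.168.10.20

# Emit the ruleset in iptables-save format: a "*table" header, one
# ":CHAIN POLICY [packets:bytes]" line per built-in chain, the rules, then COMMIT.
# Lines starting with '#' are ignored by iptables-restore.
build_ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# raw is consulted first: exempt loopback traffic from connection tracking
-A PREROUTING -i lo -j CT --notrack
-A OUTPUT -o lo -j CT --notrack
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# mangle: mark traffic from the LAN so policy routing or tc can classify it
-A PREROUTING -s ${LAN_NET} -j MARK --set-mark 0x1
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# PREROUTING/DNAT: map the router's public port 80 onto the internal web server
-A PREROUTING -i ${WAN_IF} -p tcp --dport 80 -j DNAT --to-destination ${WEB_SRV}:80
# POSTROUTING/SNAT: hide the whole LAN behind the router's WAN address
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: packets addressed to the router itself (order matters, see below)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s ${LAN_NET} -p tcp --dport 22 -j ACCEPT
# LOG does not stop matching; placed last it only sees what the DROP policy will eat
-A INPUT -j LOG --log-prefix "INPUT-DROP: "
# FORWARD: packets passing through the router
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s ${LAN_NET} -o ${WAN_IF} -j ACCEPT
# DNAT in nat/PREROUTING already rewrote the destination, so FORWARD sees the LAN address
-A FORWARD -i ${WAN_IF} -d ${WEB_SRV} -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# rules_in_table <table>: number of "-A" rules inside one *table block.
rules_in_table() {
    build_ruleset | awk -v t="*$1" '
        $0 == t        { in_t = 1; next }
        /^\*/          { in_t = 0 }
        in_t && /^-A/  { n++ }
        END            { print n + 0 }'
}

# tables_committed: "yes" if every *table block is closed by a COMMIT line.
tables_committed() {
    build_ruleset | awk '
        /^\*/      { if (open) bad = 1; open = 1; next }
        /^COMMIT$/ { open = 0 }
        END        { if (open || bad) print "no"; else print "yes" }'
}

echo "filter rules: $(rules_in_table filter), nat rules: $(rules_in_table nat), all tables committed: $(tables_committed)"
```

To apply it, save the output of build_ruleset to a file, check that it parses with `iptables-restore --test <file>`, then load it as root with `iptables-restore < <file>`; forwarding between interfaces additionally needs `sysctl -w net.ipv4.ip_forward=1`. Note the order inside filter INPUT: the ESTABLISHED,RELATED rule comes before the port-specific rules, and the LOG rule sits last so that it only records packets that are about to fall through to the chain's DROP policy.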

4. When a packet reaches the firewall, the priority between the rule tables is: raw > mangle > nat > filter (for a chain that exists in several tables, this is the order in which each table's copy of that chain is consulted)

1. Matching order between the rule chains:
   1. Host-based firewall:
      Inbound data (packets from outside whose destination address is the firewall itself): PREROUTING --> INPUT --> local application
      Outbound data (packets sent by the firewall itself to an external address): local application --> OUTPUT --> POSTROUTING
   2. Network firewall: forwarded data (packets that pass through the firewall): PREROUTING --> FORWARD --> POSTROUTING
2. Matching order within a rule chain: rules are checked from top to bottom, and evaluation stops at the first rule that matches. The exception is the LOG target, which only records a log entry and then lets evaluation continue with the next rule. If no rule in the chain matches, the packet is handled according to the chain's default policy (unless changed, the default policy is ACCEPT). Because evaluation stops at the first match, rule order matters: a broad DROP placed near the top of a chain shadows any more specific ACCEPT below it.
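To make the within-chain order concrete, here is a small added simulation (example code written for this article, not part of the original post, and not iptables itself): a chain is a constructed list of "<proto>:<dport> <target>" rules, a packet is "<proto>:<dport>", and traverse() walks the chain top to bottom, counting LOG hits but continuing past them, and falling through to the chain policy when no terminating rule matches. The rules and packets are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: simulate how one iptables chain is
# evaluated. Rules are constructed as "<proto>:<dport> <target>" ("any" is a
# wildcard), packets as "<proto>:<dport>". Real iptables matches are far richer;
# only the evaluation order is modelled here.
set -eu

# Constructed INPUT chain with policy DROP. Order is significant.
INPUT_POLICY=DROP
INPUT_CHAIN='tcp:22 ACCEPT
udp:any ACCEPT
any LOG
tcp:80 ACCEPT
tcp:23 DROP'

# A constructed chain with a common mistake: a broad DROP placed above the
# ACCEPT it was meant to make an exception for, so the ACCEPT is never reached.
SHADOWED_POLICY=ACCEPT
SHADOWED_CHAIN='tcp:any DROP
tcp:22 ACCEPT'

# rule_matches <match> <packet>: succeeds when the match expression covers the packet.
rule_matches() {
    rule=$1; pkt=$2
    [ "$rule" = any ] && return 0
    rproto=${rule%%:*}; rport=${rule#*:}
    pproto=${pkt%%:*};  pport=${pkt#*:}
    [ "$rproto" = "$pproto" ] || return 1
    [ "$rport" = any ] || [ "$rport" = "$pport" ]
}

# traverse <packet> <policy> <chain>: prints "<verdict> <logged>", where verdict is
# the target of the first terminating rule hit (or the chain policy if none) and
# logged counts the LOG rules passed on the way. LOG never ends evaluation.
traverse() {
    pkt=$1; policy=$2; chain=$3
    logged=0
    old_ifs=$IFS
    IFS='
'
    for line in $chain; do
        IFS=$old_ifs
        match=${line%% *}; target=${line#* }
        if rule_matches "$match" "$pkt"; then
            case $target in
                LOG) logged=$((logged + 1)) ;;           # record, keep going
                *)   echo "$target $logged"; return 0 ;; # first terminating match wins
            esac
        fi
    done
    IFS=$old_ifs
    echo "$policy $logged"    # nothing terminating matched: default policy applies
}

for p in tcp:22 udp:53 tcp:80 tcp:23 tcp:443; do
    echo "INPUT    $p -> $(traverse "$p" "$INPUT_POLICY" "$INPUT_CHAIN")"
done
echo "SHADOWED tcp:22 -> $(traverse tcp:22 "$SHADOWED_POLICY" "$SHADOWED_CHAIN")"
```

Running it shows tcp:22 accepted by the first rule with no log line, tcp:80 accepted only after passing the LOG rule, tcp:443 logged and then dropped by the policy, and tcp:22 dropped outright in the shadowed chain even though an ACCEPT for it exists further down.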


Source: blog.csdn.net/weixin_53567573/article/details/115135482