Introduction to iptables

iptables is not itself a firewall; it is a tool for defining rules. Those rules are read by netfilter in kernel space and enforced there, which is what makes the firewall work. The enforcement points must sit at specific places in the kernel: places that every packet traversing the TCP/IP protocol stack has to pass through. The kernel component that sits at those places and reads and applies the rules is called netfilter (network filter).

The author of netfilter chose a total of 5 locations in kernel space:
1. In kernel space: a packet coming in from one network interface and going out through another network interface
2. Packets flowing from the kernel into user space
3. Packets flowing out of user space
4. Entering/leaving the external network interface of the machine
5. Entering/leaving the internal network interface of the machine

These five positions are also called the five hook functions, or the five rule chains:
1. PREROUTING (before routing)
2. INPUT (packet entry)
3. FORWARD (forwarding checkpoint)
4. OUTPUT (packet exit)
5. POSTROUTING (after routing)
These are the five rule chains defined by netfilter; any packet that passes through the machine passes through one of these five chains.

There are 3 functions (tables) available to us:
1. filter: defines what is allowed and what is not
2. nat: defines address translation
3. mangle: modifies the original data of the packet

filter can only be used on 3 chains: INPUT, FORWARD, OUTPUT.
nat can only be used on 3 chains: PREROUTING, OUTPUT, POSTROUTING.
mangle can be used on all 5 chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING.

The way iptables defines rules is more involved:
  format: iptables [-t table] COMMAND chain CRITERIA -j ACTION
   -t table: one of the 3 tables: filter, nat, mangle
   COMMAND: defines how the rules are managed (add, delete, list, ...)
   chain: specifies which chain the rule operates on; it can be omitted when defining a policy
   CRITERIA: specifies the matching criteria
   -j ACTION: specifies how a matching packet is processed
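The following is an added example, not part of the original article: a small POSIX shell helper that assembles rules in the "iptables [-t table] COMMAND chain CRITERIA -j ACTION" format and refuses the table/chain combinations the article lists as invalid. The sample addresses and interface name (192.168.1.0/24, eth0) are constructed; nothing is executed, the commands are only printed for review.

```shell
#!/bin/sh
# Added example (not the article's own code): build iptables commands and
# check the table/chain pairing before anything is run as root.

# Chains each table may operate on, exactly as listed in the article.
chains_for_table() {
    case "$1" in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING OUTPUT POSTROUTING" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        *)      return 1 ;;
    esac
}

# Usage: ipt_rule TABLE CHAIN "CRITERIA" ACTION
# Prints "iptables -t TABLE -A CHAIN CRITERIA -j ACTION" on success;
# prints an error and returns 1 if the chain is not valid in that table.
ipt_rule() {
    table=$1; chain=$2; criteria=$3; action=$4
    allowed=$(chains_for_table "$table") || {
        echo "unknown table: $table" >&2; return 1; }
    for c in $allowed; do
        if [ "$c" = "$chain" ]; then
            echo "iptables -t $table -A $chain $criteria -j $action"
            return 0
        fi
    done
    echo "chain $chain is not valid in table $table (allowed: $allowed)" >&2
    return 1
}

# Constructed sample policy for a small gateway (hypothetical values).
build_ruleset() {
    # filter: accept SSH and replies to established connections, drop the rest on eth0.
    ipt_rule filter INPUT "-p tcp --dport 22" ACCEPT
    ipt_rule filter INPUT "-m state --state ESTABLISHED,RELATED" ACCEPT
    ipt_rule filter INPUT "-i eth0" DROP
    # nat: masquerade LAN traffic after routing, as it leaves via eth0.
    ipt_rule nat POSTROUTING "-s 192.168.1.0/24 -o eth0" MASQUERADE
    # mangle: mark HTTP packets before routing.
    ipt_rule mangle PREROUTING "-p tcp --dport 80" "MARK --set-mark 1"
}
```

Run `build_ruleset` to print the five commands; a call such as `ipt_rule nat INPUT "-p tcp" ACCEPT` is rejected because the nat table has no INPUT chain.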
