Iptables four tables and five chains

iptables concept

iptables is just a management tool for Linux firewalls. What truly implements the firewall function is netfilter, which is the internal structure of the Linux kernel that implements packet filtering.

How does iptables decide which rules apply to a packet? Look at the four tables and five chains below.

Four tables and five chains concept

  • filter table - filters packets (accept, drop, reject)
  • nat table - network address translation (rewriting IP addresses and ports)
  • mangle table - modifies packet fields such as the type of service and TTL, and marks packets for routing decisions to implement QoS
  • raw table - decides whether a packet is handled by the connection (state) tracking mechanism
  • INPUT chain - packets addressed to this host have the policy of this chain applied
  • OUTPUT chain - packets generated by this host have the policy of this chain applied
  • FORWARD chain - packets routed through this host have the policy of this chain applied
  • PREROUTING chain - rules applied before the routing decision (every incoming packet passes through this chain first)
  • POSTROUTING chain - rules applied after the routing decision (every outgoing packet passes through this chain before leaving)

Figure: normal access flow chart

Learn iptables concepts and related rules - Zhihu

Installation of iptables

[root@k8s-node2 ~]# yum install iptables iptables-services

Launch and view status

[root@k8s-node2 ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root@k8s-node2 ~]# systemctl start iptables
[root@k8s-node2 ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: active (exited) since Thu 2023-07-20 14:52:06 CST; 1s ago
  Process: 5092 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 5092 (code=exited, status=0/SUCCESS)

Jul 20 14:52:06 k8s-node2 systemd[1]: Starting IPv4 firewall with iptables...
Jul 20 14:52:06 k8s-node2 iptables.init[5092]: iptables: Applying firewall rules: [  OK  ]
Jul 20 14:52:06 k8s-node2 systemd[1]: Started IPv4 firewall with iptables.
Hint: Some lines were ellipsized, use -l to show in full.
[root@k8s-node2 ~]# 

Iptables command line configuration method

Command format

iptables [-t table name] management options [chain name] [matching conditions] [-j control type]

Notes:

• When the table name is not specified, it defaults to the filter table.

• When no chain name is specified, the command applies to all chains in the table.

• Matching conditions must be specified unless the command sets the chain's default policy.

• Control types (targets) are written in uppercase; everything else is lowercase.

Commonly used control types
ACCEPT: allow the packet to pass.
DROP: discard the packet silently, without sending any response.
REJECT: refuse the packet and send a response message back to the sender.
SNAT: rewrite the source address of the packet.
DNAT: rewrite the destination address of the packet.
MASQUERADE: source NAT for an outgoing interface whose public IP address is not fixed (dynamically assigned).
LOG: record the packet in /var/log/messages, then pass it on to the next rule. LOG is only an auxiliary action; it does not itself accept or drop the packet.

Commonly used management options:
-A: Append (--append) a new rule at the end of the specified chain.
-I: Insert (--insert) a new rule into the specified chain. When no rule number is given, it becomes the first rule.
-R: Replace (--replace) a rule in the specified chain, identified by rule number or by its content.
-P: Set the default policy (--policy) of the specified chain.
-D: Delete (--delete) a rule from the specified chain, identified by rule number or by its content.
-F: Flush (--flush) all rules in the specified chain. If no chain name is given, flush every chain in the table.
-L: List (--list) all rules in the specified chain. If no chain name is given, list every chain in the table.
-n: Display output in numeric form (--numeric), e.g. IP addresses instead of host names.
-v: Display verbose output, including the number of packets and bytes matched by each rule.
--line-numbers: Show the sequence number of each rule when listing.
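As an added example (not part of the original post), the following POSIX shell script assembles a small host firewall using the command format, tables, chains, targets and management options described above. The ipt() wrapper, the DRY_RUN switch, the admin subnet 192.0.2.0/24 and the conntrack/limit matches are my assumptions for illustration; the script must run as root to actually load the rules.

```shell
#!/bin/sh
# Host firewall assembled with the command format from the page:
#   iptables [-t table] <management option> [chain] [match] -j <TARGET>
# ipt() records every command it issues; with DRY_RUN=1 it only records,
# so the ruleset can be reviewed without root or a kernel that has netfilter.
set -eu

DRY_RUN="${DRY_RUN:-0}"
RULE_COUNT=0
RULES_RUN=""   # newline-separated log of the commands issued

ipt() {
    RULE_COUNT=$((RULE_COUNT + 1))
    RULES_RUN="${RULES_RUN}iptables $*
"
    [ "$DRY_RUN" = "1" ] || iptables "$@"
}

apply_host_filter() {
    # -F flushes the chain first so re-running the script is idempotent.
    ipt -F INPUT
    ipt -F FORWARD
    # Accept loopback and replies to established sessions before the DROP policy.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SSH only from an assumed admin network (192.0.2.0/24 is a constructed value).
    ipt -A INPUT -p tcp -s 192.0.2.0/24 --dport 22 -j ACCEPT
    # LOG is auxiliary: it writes to the kernel log and passes the packet on,
    # so a rate-limited LOG goes last and the default policy does the dropping.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "
    # -P sets the policy used when no rule in the chain matches (targets uppercase).
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
}

apply_gateway_nat() {
    # nat table, POSTROUTING chain: source NAT after the routing decision.
    # MASQUERADE is SNAT for an interface whose public address is not fixed.
    # $1 is the outbound interface name.
    ipt -t nat -A POSTROUTING -o "$1" -j MASQUERADE
}

rule_count() { echo "$RULE_COUNT"; }   # number of iptables commands issued
issued() { printf '%s' "$RULES_RUN"; }  # the commands, one per line
```

Call apply_host_filter (and apply_gateway_nat with the external interface) from a root shell, or with DRY_RUN=1 and then issued to review the exact commands before loading them; afterwards iptables -L -n -v --line-numbers shows the result.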

Origin blog.csdn.net/Jack_chao_/article/details/131829901