Study of the network-related iptables command tool

iptables is a user-space program that controls the Linux kernel's netfilter framework, through the Xtables kernel modules, in order to filter and forward IPv4 packets; IPv6 packets are handled by the separate ip6tables command. iptables requires kernel 2.4 or later. Starting with Linux 3.13 the kernel ships nftables as the intended replacement, but the iptables command is still provided as a compatible front end (on current distributions it is usually the iptables-nft variant, which stores the same rules through the nftables kernel subsystem).

  iptables and ip6tables both use the Xtables framework, which is organized in three levels: tables, chains and rules.

       Each table handles a different kind of packet processing, and each table contains several built-in chains; a packet traverses a built-in chain according to its path through the system (arriving at the host, leaving it, or being forwarded through it). A chain holds a list of rules that are tried in order. When a rule matches, its target is applied: the packet may be altered, or a jump is taken. A jump can accept the packet, reject or drop it, jump to another chain to continue matching there, or return from the current chain to its caller. If a chain is traversed to the end without a terminating verdict, the chain's default policy applies; a user-defined chain has no policy, so control returns to the calling chain. The filter table is the default table, used whenever no table is given with -t; it is meant for packet filtering and has these built-in chains:

  INPUT, the input chain: packets destined for this host pass through it.

  OUTPUT, the output chain: packets generated by this host pass through it.

  FORWARD, the forwarding chain: packets routed through this host (neither from it nor to it) pass through it.

The nat table is used for address translation and has these built-in chains:

  PREROUTING, the pre-routing chain: packets pass through it before the routing decision, so it is usually used for destination address translation (DNAT).

  POSTROUTING, the post-routing chain: packets pass through it after the routing decision, so it is usually used for source address translation (SNAT).

  OUTPUT, the output chain: similar to PREROUTING, but for packets generated by this host.

The mangle table is used to alter packets (marks, TTL, TOS). The main difference between it and the nat table is that nat works per connection while mangle works per packet: only the first packet of a connection traverses the nat table, and the translation decided there is then applied by connection tracking to every later packet of that connection, whereas every packet passes through mangle. Its built-in chains are PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING. The raw table is consulted before connection tracking and is used to configure exemptions from it (for example marking packets as not to be tracked); it has two built-in chains: PREROUTING and OUTPUT.
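To make the table/chain/rule structure concrete, here is a complete ruleset in iptables-restore format for a single host, added as an example that is not part of the original post. The interface name eth0 and the ports are assumptions. The raw table exempts loopback from connection tracking, the mangle table marks one kind of packet, and the filter table shows a DROP policy on a built-in chain, a jump into a user-defined chain, and a RETURN back to the caller:

```shell
#!/bin/sh
# Added example, not from the original post. Prints a ruleset in
# iptables-restore format; loads it only when APPLY=1 is set (run as root).
# "eth0" and the ports 22/ICMP are assumptions for illustration.

# Usage: host_ruleset LAN_IF  -> writes the ruleset to stdout
host_ruleset() {
    lan_if=$1
    cat <<EOF
# raw: consulted before connection tracking; exempt loopback from conntrack.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i lo -j CT --notrack
-A OUTPUT -o lo -j CT --notrack
COMMIT
# mangle: every packet passes here; mark SSH packets (e.g. for policy routing).
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $lan_if -p tcp --dport 22 -j MARK --set-mark 1
COMMIT
# filter: the default table. Built-in chains carry a policy (DROP for
# INPUT and FORWARD here); the user-defined chain FROM_LAN has none ("-").
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FROM_LAN - [0:0]
# Loopback is untracked (raw table above), so it can never match the
# ESTABLISHED,RELATED rule and must be accepted explicitly first.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Jump: everything arriving on the LAN interface is handed to FROM_LAN.
-A INPUT -i $lan_if -j FROM_LAN
# When FROM_LAN returns without a verdict, INPUT has no rules left, so
# the chain policy (DROP) decides. That is the "default policy" step.
-A FROM_LAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FROM_LAN -p icmp --icmp-type echo-request -j ACCEPT
-A FROM_LAN -j RETURN
COMMIT
EOF
}

# Print by default; with APPLY=1 load the whole ruleset atomically.
# iptables-restore replaces every table named in the file.
if [ "${APPLY:-0}" = 1 ]; then
    host_ruleset "${LAN_IF:-eth0}" | iptables-restore
else
    host_ruleset "${LAN_IF:-eth0}"
fi
```

Run it with APPLY=1 as root to load the rules; "iptables-restore --test" checks the syntax without loading anything, and "iptables -L -n -v --line-numbers" afterwards shows each chain with its policy and per-rule counters, which is the quickest way to see which rule a packet actually hit. Note the ordering dependency: because loopback traffic is untracked by the raw rules, the filter table has to accept lo explicitly before relying on the ESTABLISHED,RELATED rule.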

 

  As root, the current firewall configuration is shown with the "iptables -L" command; add -v or -vv to get more detail (interfaces and packet counters), or export the complete set of tables with "iptables-save -c", which includes the counters. Note that "iptables -L" shows only the filter table unless another table is selected with -t. One important function of iptables is translating ports and/or addresses. The following example diverts packets arriving for the default HTTP port 80 to port 8080. This lets the HTTP daemon run under an ordinary user account, which cannot bind ports below 1024, without having to work around that restriction.

  iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

If you run the above command on your machine, it only affects connections arriving from outside at one of the machine's IP addresses. Locally originated connections never traverse the nat table's PREROUTING chain. If local connections should follow the same rule, add the following command as well:

  iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080
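The two REDIRECT rules above as an added example script (not from the original post) that prints the commands by default and runs them only when APPLY=1 is set. It adds the two pieces a practitioner usually trips over: restricting the PREROUTING rule to the external interface (assumed here to be eth1), and a filter INPUT rule for the redirected port, because filtering happens after the nat rewrite:

```shell
#!/bin/sh
# Added example, not from the original post. Interface eth1 and the
# ports 80 -> 8080 are assumptions.

# Dry-run wrapper: print each command unless APPLY=1 (then execute as root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Usage: redirect_port EXT_IF FROM_PORT TO_PORT
redirect_port() {
    ext_if=$1; from=$2; to=$3
    # External clients: nat PREROUTING, before routing. -i keeps the rule from
    # also diverting packets that arrive on other interfaces. REDIRECT rewrites
    # the destination to the primary address of the incoming interface, so the
    # daemon on $to must listen on that address (or on 0.0.0.0), not only on
    # 127.0.0.1.
    run iptables -t nat -A PREROUTING -i "$ext_if" -p tcp --dport "$from" \
        -j REDIRECT --to-ports "$to"
    # Locally originated connections skip PREROUTING entirely and traverse nat
    # OUTPUT instead. Packets to any of the host's own addresses (not just
    # 127.0.0.1) are delivered over lo, so -o lo covers both cases.
    run iptables -t nat -A OUTPUT -o lo -p tcp --dport "$from" \
        -j REDIRECT --to-ports "$to"
    # filter INPUT runs after nat PREROUTING and therefore sees the rewritten
    # port. An INPUT rule accepting only --dport $from would never match the
    # redirected traffic; the target port is what has to be opened.
    run iptables -A INPUT -i "$ext_if" -p tcp --dport "$to" \
        -m conntrack --ctstate NEW -j ACCEPT
}

redirect_port "${EXT_IF:-eth1}" 80 8080
```

After applying, "iptables -t nat -L PREROUTING -n -v" and "iptables -t nat -L OUTPUT -n -v" show separate counters for the external and local paths, which makes it easy to confirm that a connection from the host itself went through OUTPUT rather than PREROUTING. The page's "--to-port" spelling is accepted as an unambiguous abbreviation of "--to-ports".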

With the nat OUTPUT rule in place, locally originated packets for port 80 leaving on the lo interface are diverted to 8080 as well. (The -o lo match also covers connections to the host's own non-loopback addresses, because locally destined packets are always delivered over lo.)

Now consider a small local network that shares a single address for Internet access through a Linux host acting as a router. Assume the LAN interface is eth0 with the network 192.168.0.0/24, and the Internet interface is eth1 with the address 198.51.100.3.

When LAN users access the Internet, the source address has to be rewritten to 198.51.100.3; enter the command:

  iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to 198.51.100.3

If an HTTP service on the LAN host 192.168.0.2 has to be reachable from outside, set up the corresponding DNAT rule, which redirects packets arriving from outside for TCP port 80:

  iptables -t nat -I PREROUTING -p tcp -d 198.51.100.3 --dport 80 -j DNAT --to 192.168.0.2

Note that for forwarding to work, the filter table's FORWARD chain must allow the traffic in both directions (on many systems its policy is DROP), and IP forwarding must be enabled in the kernel (net.ipv4.ip_forward = 1). Because nat PREROUTING runs before routing and before the FORWARD chain, FORWARD already sees the rewritten destination, so the rule that allows the web traffic has to match 192.168.0.2, not 198.51.100.3.
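The complete router setup, as an added example (not part of the original post) using the interfaces and addresses assumed above: the two nat rules from the text together with the sysctl setting and the filter FORWARD rules they depend on. The script prints the commands unless APPLY=1 is set:

```shell
#!/bin/sh
# Added example, not from the original post. Interfaces eth0/eth1, the LAN
# 192.168.0.0/24, the public address 198.51.100.3 and the internal web
# server 192.168.0.2 are the assumptions from the text above.

# Dry-run wrapper: print each command unless APPLY=1 (then execute as root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Usage: router_rules LAN_IF WAN_IF LAN_NET WAN_IP WEB_SRV
router_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3; wan_ip=$4; web=$5
    # 1. The kernel must be allowed to forward at all. Persist this in
    #    /etc/sysctl.d/ or it is lost on reboot.
    run sysctl -w net.ipv4.ip_forward=1
    # 2. nat POSTROUTING: rewrite the source of LAN traffic leaving the WAN side.
    #    With a dynamically assigned WAN address use -j MASQUERADE instead.
    run iptables -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" \
        -j SNAT --to-source "$wan_ip"
    # 3. nat PREROUTING: send inbound port 80 on the public address to the
    #    internal server. -i limits this to packets that arrived on the WAN.
    run iptables -t nat -A PREROUTING -i "$wan_if" -p tcp -d "$wan_ip" --dport 80 \
        -j DNAT --to-destination "$web":80
    # 4. filter FORWARD: nat decides once per connection, but every packet
    #    crosses FORWARD, so both directions need a rule. FORWARD sees the
    #    post-DNAT destination ($web), never $wan_ip.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$lan_if" -o "$wan_if" -s "$lan_net" \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$wan_if" -o "$lan_if" -p tcp -d "$web" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
}

router_rules "${LAN_IF:-eth0}" "${WAN_IF:-eth1}" 192.168.0.0/24 198.51.100.3 192.168.0.2
```

To verify, "iptables -t nat -L -n -v" shows how many connections each nat rule has translated, and "conntrack -L" (or /proc/net/nf_conntrack) lists the tracked connections with their original and translated addresses. One caveat: the DNAT rule as written serves outside clients only. A LAN host that connects to 198.51.100.3 gets its packet rewritten to 192.168.0.2, but the reply goes straight back to the client on the LAN without passing the router, so the client does not recognise it; handling that case needs an additional SNAT rule on the LAN side (hairpin NAT).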

 


Origin www.cnblogs.com/wtz14/p/11946457.html