Iptables firewall (unfinished)

Notes from the afternoon session of day two of the Sangfor training course


Software firewalls vs. hardware firewalls


Overview of Linux packet-filtering firewalls

netfilter
the packet-filtering framework that sits inside the Linux kernel
referred to as the "kernel mode" of the Linux firewall
iptables
located at /sbin/iptables; the tool used to manage firewall rules
referred to as the "user mode" of the Linux firewall


Packet filtering

The layer at which packet filtering works:
mainly the network layer, acting on IP packets
in practice, decisions are made on the IP address and port information carried in the packet


iptables table and chain structure

Rule chains
role of a chain: to hold the various firewall rules
how chains are divided: by the point in time at which the packet is processed
there are five default rule chains:
INPUT chain: processes inbound packets
OUTPUT chain: processes outbound packets
FORWARD chain: processes forwarded packets
POSTROUTING chain: processes packets after routing has been performed
PREROUTING chain: processes packets before routing is performed


Rule tables
role of a table: to hold rule chains
how tables are divided: firewall rules with similar roles are grouped together
there are four default rule tables:
raw table: decides whether a packet is subject to connection-state tracking
mangle table: sets marks on packets
nat table: modifies the source or destination IP address or port of a packet
filter table: decides whether a packet is allowed through (filtering)


Packet-filtering matching process

Order among the rule tables
raw → mangle → nat → filter
Order among the rule chains
inbound: PREROUTING → INPUT
outbound: OUTPUT → POSTROUTING
forwarded: PREROUTING → FORWARD → POSTROUTING
Order of the rules within a chain
rules are checked in order, and matching stops at the first match (the LOG target is the exception)
if no rule matches, the packet is handled by the chain's default policy
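The matching order above, as an added example that is not part of the original notes: a small Python model of one table's chain traversal (rules checked top-down, first terminating match decides, LOG logs and lets matching continue, the chain's default policy applies when nothing matches) plus an audit helper that reports rules shadowed by an earlier rule with the same match. The packet and rule representation and the simplification that a DROP or REJECT ends traversal are assumptions; all rules and packets are constructed.

```python
from collections import namedtuple
# Chains a packet visits, by direction; only chains present in the ruleset are consulted.
PATHS = {"inbound": ["PREROUTING", "INPUT"], "outbound": ["OUTPUT", "POSTROUTING"],
         "forward": ["PREROUTING", "FORWARD", "POSTROUTING"]}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # LOG is the non-terminating target
# A chain is an ordered list of (match_dict, target) rules plus a default policy.
Chain = namedtuple("Chain", ["rules", "policy"])
def matches(match, packet):
    return all(packet.get(k) == v for k, v in match.items())

def run_chain(chain, packet, log):
    """Check rules top-down; the first terminating match decides the verdict."""
    for match, target in chain.rules:
        if not matches(match, packet):
            continue
        if target == "LOG":          # exception: record the packet and keep matching
            log.append(dict(packet))
            continue
        return target
    return chain.policy              # nothing matched: the chain's default policy

def filter_packet(chains, packet):
    """Walk the chains on the packet's path; a DROP/REJECT ends traversal early."""
    log = []
    for name in PATHS[packet["path"]]:
        if name in chains:
            verdict = run_chain(chains[name], packet, log)
            if verdict != "ACCEPT":
                return verdict, log
    return "ACCEPT", log

def shadowed_rules(chain):
    """Audit: indices of rules made unreachable by an earlier terminating rule with the same match."""
    seen, dead = [], []
    for i, (match, target) in enumerate(chain.rules):
        if match in seen:
            dead.append(i)
        elif target in TERMINATING:
            seen.append(match)
    return dead

def example_chains():
    """Constructed ruleset: log then allow SSH, allow HTTP, drop all other inbound traffic."""
    inp = Chain(policy="DROP", rules=[
        ({"proto": "tcp", "dport": 22}, "LOG"),
        ({"proto": "tcp", "dport": 22}, "ACCEPT"),
        ({"proto": "tcp", "dport": 22}, "DROP"),  # shadowed: never reached
        ({"proto": "tcp", "dport": 80}, "ACCEPT"),
    ])
    return {"INPUT": inp, "OUTPUT": Chain(rules=[], policy="ACCEPT")}
```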


Packet-filtering matching process (figures not reproduced; captions only)

raw: tracking

mangle: modifies packet contents

nat: forwarding


Source: www.cnblogs.com/tz90/p/12329409.html