Netfilter is the packet-filtering framework that replaced the earlier Linux firewall mechanisms from Linux 2.4.x onward; it is a subsystem of the Linux kernel.
The Linux kernel therefore ships with a firewall, and that firewall is implemented by filtering packets.
Background Basics
The Linux operating system processes data in the kernel, much as the main work of a computer is done by the CPU.
A complete Linux system consists of the core kernel, the shell that mediates between the kernel and the outside world, and other external applications.
Kernel space receives external data and talks to hardware such as the CPU and memory; user-space programs reach it through system calls.
The transmission process of data packets in the kernel
When a packet arrives on the network card it first enters the PREROUTING chain, and the kernel decides from the packet's destination IP whether it needs to be forwarded.
If the packet is addressed to this machine, it reaches the INPUT chain.
Once the packet has passed the INPUT chain, it is delivered to the local process that is waiting for it.
Packets sent by programs running on this machine pass through the OUTPUT chain and then leave via the POSTROUTING chain.
If the packet is to be forwarded and the kernel allows forwarding, it passes through the FORWARD chain and then leaves via the POSTROUTING chain.
The legendary five watches and five chains
five chains
INPUT,OUTPUT,FORWARD,PREROUTING,POSTROUTING
INPUT, into the kernel (including: filter, mangle)
OUTPUT, out of the kernel (including: filter, nat, mangle, raw)
raw: Disable the enabled connection tracking mechanism to speed up the speed of packets traversing the firewall
security: used to enforce access control (MAC) network rules, implemented by Linux security modules such as SELinux
Three packet flows
Inbound to this machine: PREROUTING --> INPUT --> user-space process
Outbound from this machine: user-space process --> OUTPUT --> POSTROUTING
Forwarding: PREROUTING --> FORWARD --> POSTROUTING
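The packet paths and tables above can be seen together in one concrete rule set. The script below is an added example, not part of the original article: it generates an iptables-restore file that places a rule in each of the raw, mangle, nat and filter tables on the chains those tables provide, so the order in which a packet meets them (PREROUTING, then INPUT or FORWARD, then OUTPUT/POSTROUTING) is visible in a single listing. Interface names, subnets and the syslog port are assumed values; the filter table is default-deny on INPUT and FORWARD and logs what it drops.

```shell
#!/bin/sh
# Added example: an iptables-restore ruleset touching every table and chain
# discussed above. LAN_IF, WAN_IF, LAN_NET and ADMIN_NET are assumed values.
LAN_IF="${LAN_IF:-eth1}"                       # assumed: inside interface
WAN_IF="${WAN_IF:-eth0}"                       # assumed: outside interface
LAN_NET="${LAN_NET:-192.168.10.0/24}"          # assumed: inside network
ADMIN_NET="${ADMIN_NET:-192.168.10.0/24}"      # assumed: where SSH may come from

# Emits the ruleset on stdout in iptables-restore format. Each '*table' block
# declares the chains that table provides, then its rules, then COMMIT.
build_ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# raw is consulted before connection tracking: skip tracking for a
# high-volume syslog feed so it does not fill the conntrack table (assumed port).
-A PREROUTING -i $LAN_IF -p udp --dport 514 -j NOTRACK
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# mangle alters packet metadata; here it only marks traffic arriving from the LAN.
-A PREROUTING -i $LAN_IF -j MARK --set-mark 0x1
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# nat rewrites addresses. POSTROUTING is the last chain, so the source address
# is rewritten only after routing has chosen the outgoing interface.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# filter decides accept/drop. INPUT sees only packets addressed to this host:
# allow loopback, replies to existing flows, and SSH from the admin network.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN_IF -s $ADMIN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "IN-DROP: " --log-level 4
# Packets routed through this box traverse FORWARD, never INPUT or OUTPUT.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD-DROP: " --log-level 4
COMMIT
EOF
}

# Returns 0 when the generated ruleset contains a block for the named table.
ruleset_has_table() {
    build_ruleset | grep -qx "\*$1"
}

# Load the ruleset atomically with iptables-restore only when asked for
# explicitly and running as root; otherwise just print it for review.
if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
    build_ruleset | iptables-restore
else
    build_ruleset
fi
```

Running the script without APPLY=1 prints the ruleset so it can be reviewed or diffed against the output of iptables-save; with APPLY=1 as root it is loaded in one transaction, which avoids the window of a half-applied policy that a sequence of individual iptables commands would leave open.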
An easy way to picture it
The kernel is the capital city.
The five chains are five checkpoints.
The five tables are policies such as epidemic prevention and riot control.
A packet is you, driving a car and planning to enter or leave Beijing.
Inbound packets arriving at this machine
The PREROUTING chain is the checkpoint at the Beijing border.
Rules here come from the nat, mangle and raw tables.
The checkpoint looks at whether you have a 48-hour nucleic acid test, whether you hold a Beijing entry permit, and whether you meet the epidemic prevention requirements.
If everything checks out, you are let through to the INPUT chain.
If it turns out you are only passing through Beijing, you are told to detour onto the G95 or the Sixth Ring Road (forwarding).
If you do not meet the requirements, you are turned straight back (DROP).
Outbound packets sent out by the kernel
OUTPUT --> POSTROUTING chains
Rules here come from the filter, nat, mangle and raw tables.
Your employer or your travel declaration must meet the epidemic prevention requirements, and whoever approves the trip is responsible for it.
Only those who meet the requirements may leave Beijing: do not leave unless it is necessary, and stop people from sneaking back to their hometowns with bad intentions.