An easy-to-understand iptables five-table five-chain explanation of Linux firewall

Linux Firewall

  • Netfilter is the firewall mechanism of the Linux kernel from version 2.4.x onward, implemented as a subsystem of the kernel.
  • The Linux kernel ships with firewall functionality, and that firewall is implemented as filtering of data packets.

Background Basics

  • The Linux operating system processes data through the kernel, just as the main operations of a computer are carried out by the CPU.
  • A complete Linux operating system consists of the core kernel, the shell that mediates between the kernel and the outside world, and other external applications.
  • The Linux kernel space receives external data and manages hardware such as the CPU and memory; user programs reach it through system calls.

The transmission process of data packets in the kernel

  • When a data packet enters the network card, it first enters the PREROUTING chain, and the kernel decides from the packet's destination IP whether it needs to be forwarded.
  • If the packet is addressed to this machine, it goes to the INPUT chain.
  • Once the packet has passed the INPUT chain, the local process it is addressed to receives it.
  • Programs running on this machine send data packets that pass through the OUTPUT chain and then the POSTROUTING chain before leaving.
  • If the packet is to be forwarded and the kernel allows forwarding, it passes through the FORWARD chain and then the POSTROUTING chain before leaving.

The legendary five tables and five chains

Five chains

INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
  • INPUT, into the kernel (tables: filter, mangle)
  • OUTPUT, out of the kernel (tables: filter, nat, mangle, raw)
  • FORWARD, forwarding (tables: filter, mangle)
  • PREROUTING, check before routing (tables: nat, mangle, raw)
  • POSTROUTING, check after routing (tables: nat, mangle, raw)

Five tables

security --> raw --> mangle --> nat --> filter
  • filter: the packet-filtering rule table; filters packets that match predefined rules; the default table
  • nat: the network address translation (NAT) rule table
  • mangle: the rule table for modifying packet mark bits
  • raw: disables connection tracking for matching packets so that they traverse the firewall faster
  • security: enforces mandatory access control (MAC) network rules, implemented by Linux security modules such as SELinux

Three packet flows

  • Flow into this machine: PREROUTING --> INPUT --> user-space process
  • Flow out of this machine: user-space process --> OUTPUT --> POSTROUTING
  • Forwarding: PREROUTING --> FORWARD --> POSTROUTING
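To make the three flows concrete, here is an added example (not code from the original post) that models a packet walking the five chains, consulting each chain's tables in the kernel's raw, mangle, nat, filter order, and shows why a DNAT rule in nat/PREROUTING has to run before the routing decision. The chain-to-table map is the kernel's (raw hooks only PREROUTING and OUTPUT); the packet dict, the rule tuples and the sample policy with RFC 5737 documentation addresses are constructed for this example.

```python
# Tables each chain consults, in the kernel's order: raw, mangle, nat, filter.
CHAIN_TABLES = {
    "PREROUTING": ["raw", "mangle", "nat"],
    "INPUT": ["mangle", "filter"],
    "FORWARD": ["mangle", "filter"],
    "OUTPUT": ["raw", "mangle", "nat", "filter"],
    "POSTROUTING": ["mangle", "nat"],
}
def run_chain(chain, pkt, rules, hops):
    """Walk one chain table by table; the first matching rule in a table wins.
    pkt is a dict with "dst", "dport", "local_origin"; a rule is a tuple
    (table, chain, match(pkt) -> bool, "ACCEPT" | "DROP" | "DNAT:<new dst>")."""
    for table in CHAIN_TABLES[chain]:
        hops.append(f"{table}/{chain}")
        for tbl, chn, match, target in rules:
            if tbl == table and chn == chain and match(pkt):
                if target == "DROP":
                    return None  # packet is gone; later chains never run
                if target.startswith("DNAT:"):
                    pkt = {**pkt, "dst": target[5:]}
                break  # ACCEPT/DNAT ends this table; the next table still runs
    return pkt
def traverse(pkt, rules, local_ips, ip_forward=False):
    """Return (verdict, hops) for one packet under the post's three flows."""
    hops = []
    if pkt.get("local_origin"):  # flow 2: local process -> OUTPUT -> POSTROUTING
        chains = ["OUTPUT", "POSTROUTING"]
    else:
        pkt = run_chain("PREROUTING", pkt, rules, hops)
        if pkt is None:
            return "DROP", hops
        # Routing is decided after PREROUTING, so a DNAT there picks the flow.
        if pkt["dst"] in local_ips:
            chains = ["INPUT"]  # flow 1: PREROUTING -> INPUT -> process
        elif ip_forward:
            chains = ["FORWARD", "POSTROUTING"]  # flow 3
        else:
            return "NO_ROUTE", hops  # not ours and forwarding is off
    for chain in chains:
        pkt = run_chain(chain, pkt, rules, hops)
        if pkt is None:
            return "DROP", hops
    return {"INPUT": "LOCAL_PROCESS", "FORWARD": "FORWARDED"}.get(chains[0], "SENT"), hops

# Constructed sample policy; addresses are from the RFC 5737 documentation ranges.
LOCAL_IPS = {"203.0.113.10", "127.0.0.1"}
RULES = [
    ("nat", "PREROUTING", lambda p: p["dst"] == "203.0.113.10" and p["dport"] == 8080, "DNAT:10.0.0.5"),
    ("filter", "INPUT", lambda p: p["dport"] == 23, "DROP"),  # no telnet to this host
    ("filter", "FORWARD", lambda p: p["dst"] == "10.0.0.5", "ACCEPT"),
]
```

Running `traverse` on a packet to port 8080 of 203.0.113.10 shows the DNAT turning flow 1 into flow 3, while the same packet with `ip_forward=False` never reaches FORWARD.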

Easy to understand explanation

  1. The kernel can be understood as the capital
  2. Five chains can be understood as five checkpoints
  3. The five tables can be understood as policies such as epidemic prevention, riot prevention, etc.
  4. Data packets or data messages can be understood as you who drive a car and plan to enter or leave Beijing.

Inbound data packets flow into this machine

  • The PREROUTING chain is the checkpoint at the Beijing city limits
  • Rules here come from the nat, mangle, and raw tables
  • It checks whether you have a nucleic acid test from the last 48 hours, whether you have a Beijing entry permit, and whether you meet the epidemic prevention requirements
  • If everything is in order, you are let through --> INPUT chain
  • If it turns out you are only passing through Beijing, you are persuaded to detour via the G95 or the Sixth Ring Road (forwarding)
  • If you do not meet the requirements, you are turned back on the spot (DROP)

Outbound data packets are sent out by the kernel

  • OUTPUT --> POSTROUTING chains
  • Rules here come from the filter, nat, mangle, and raw tables
  • Your work unit or the office you report to checks whether you meet the epidemic prevention requirements; whoever approves your departure is responsible for it
  • Only those who meet the requirements are allowed to leave Beijing; do not leave Beijing unless necessary, and prevent people from returning to their hometowns in bad faith

Reprinted from: blog.csdn.net/timonium/article/details/122725088