Home > Article > Operation and Maintenance > Detailed graphic explanation of the principle of iptables in Linux
(1) Netfilter is a Linux 2.4 kernel firewall framework proposed by Rusty Russell. The framework is both simple and flexible and can implement security policies. Many features in the application, such as packet filtering, packet processing, address masquerading, transparent proxy, dynamic Network Address Translation (NAT), and filtering based on user and Media Access Control (MAC) addresses and state-based filtering, packet rate limiting, etc. These rules of Iptables/Netfilter can be flexibly combined to form a large number of functions, covering all aspects, all thanks to its excellent design ideas.
Netfilter is a packet processing module within the core layer of the Linux operating system. It has the following functions:
Network Address Translate
Data packet content modification
Packet filtering firewall
(2) Data packets are formulated in the Netfilter platform Five mount points (Hook Point, we can understand it as a callback function point. When the data packet reaches these locations, our function will be actively called, giving us the opportunity to change their direction and content when the data packet is routed) , these 5 mount points are PRE_ROUTING
, INPUT
, OUTPUT
, FORWARD
, POST_ROUTING
.
(3) The rules set by Netfilter are stored in the kernel memory, and iptables is an application layer application that passes Netfilter The released interface is used to modify the XXtables (Netfilter configuration table) stored in the kernel memory. This XXtables consists of tables tables
, chains chains
, and rules rules
. iptables is responsible for modifying this rule file at the application layer. A similar application is firewalld.
(1) table has filter , nat, mangle and other rule tables;
filter table
Mainly used to filter data packets and decide whether to release them based on specific rules The data packet (such as DROP, ACCEPT, REJECT, LOG). The kernel module corresponding to the filter table is iptable_filter, which contains three rule chains:
##INPUT chain:
INPUT targets those destinations It is a local packet
##FORWARDChain: FORWARD filters all packets that are not generated locally and the destination is not local (that is, the local machine is only responsible for forwarding )
OUTPUT chain: OUTPUT is used to filter all locally generated packets
nat table
is mainly used to modify the IP address, port number and other information of the data packet (network address translation, such as SNAT, DNAT, MASQUERADE, REDIRECT). Packets belonging to a flow (data may be divided into multiple packets due to packet size restrictions) will only pass through this table once. If the first packet is allowed to be NAT or Masqueraded, then the remaining packets will automatically be subjected to the same operation, that is, the remaining packets will not pass through this table. The kernel module corresponding to the table is iptable_nat, which contains three chains <strong></strong>
##
Mainly used to modify the TOS (Type Of Service, service type), TTL (Time To Live, life cycle) of the data packet and set the Mark mark for the data packet to achieve Applications such as Qos (Quality Of Service) adjustment and policy routing are not widely used because they require corresponding routing equipment support. Contains five rule chains - PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD. raw table
around over through down is a new table added to iptables since version 1.2.9. It is mainly used to determine whether the data packet is tracked by the state. Mechanism processing. When matching data packets, the rules of the raw table take precedence over other tables. Contains two rule chains - OUTPUT, PREROUTING
<strong></strong>
(2) 4 different states of data packets and 4 types of tracked connections in iptables:
NEW
: This package wants to start a connection (reconnect or redirect the connection)
RELATED
: This package is a new connection established by an already established connection. For example: FTP data transmission connection is the connection RELATED from the control connection. --icmp-type 0
(ping response) is RELATED by --icmp-type 8
(ping request).
ESTABLISHED
:As long as a data connection is sent and a response is received, a data connection changes from NEW to ESTABLISHED, and the status will continue to match the connection. subsequent packets.
INVALID
:The data packet cannot be identified to which connection it belongs or has no status such as memory overflow, and an ICMP message indicating that it does not belong to which connection is received. The error message should generally DROP any data in this state.
INPUTChain:
Rules in this chain are applied when a packet is received (inbound) for the firewall's native address.
#OUTPUTChain: When the firewall natively When sending packets outbound (outbound), the rules in this chain are applied.
##FORWARDChain: When received, it needs to pass The firewall applies the rules in this chain when it sends (forwards) packets to other addresses.
Chain: is processing the data packet Rules in this chain, such as DNAT, are applied before routing.
is operating on the data packet After routing, the rules in this chain, such as SNAT, are applied.
(2) Among them, the INPUT and OUTPUT chains are more commonly used in the "host firewall". That is, it is mainly aimed at the security control of data entering and exiting the server itself; and the FORWARD, PREROUTING, and POSTROUTING chains are more commonly used in "network firewalls", especially when the firewall server is used as a gateway.
4. Principles of Linux Packet Routing
From the above picture, we can summarize the following rules:
When a data packet enters the network card, the data packet first enters the
PREROUTING chainIf the data packet is When entering the local machine (that is, the destination IP of the data packet is the network port IP of the local machine), the data packet will move downward along the diagram and reach the INPUT chain
. After the packet reaches the INPUT chain, any process will - receive itPrograms running on this machine can also send data packets. These data packets go through the OUTPUT chain, and then reach the POSTROTING chain output(note that at this time The SrcIP of the data packet may have been modified by us)
If the data packet is to be forwarded (that is, the destination IP address is no longer in the current subnet), and the kernel allows forwarding , the data packet will move to the right, pass through the FORWARD chain, and then reach the POSTROUTING chain output (select the network port corresponding to the subnet to send out)
When writing iptables rules, always keep this routing sequence diagram in mind, and flexibly configure the rules according to the different Hook points
# command Format:
示 Example: <strong></strong>
1 iptables -I INPUT -s 0/0 -d 192.168.42.153 -p tcp -m multiport --dports 22,80,3306 -j ACCEPT 1 iptables -t filter -I INPUT -d 192.168.42.153 -p tcp --dport 80 -j ACCEPT
1.[-t table name]
: Which table this rule operates on, you can use filter, nat, etc., if not specified, the default is filter<strong></strong>
<strong></strong>
, -n
, view the list of currently running firewall rules
display numbers
:extend matches, this option is used to provide more matching parameters, such as: <strong></strong>
<strong></strong>
##-m state --state ESTABLISHED,RELATED
: Action to process the data packet, including ACCEPT , DROP, REJECT, etc.<strong></strong>
<strong></strong>
DROP
REJECT
SNAT
MASQUERADE is a special form of SNAT, suitable for IPs that change temporarily like adsl
DNAT
:Destination address translation. Contrary to SNAT, before the IP packet passes through the route, the destination address is re-modified, and the source address remains unchanged. A NAT entry is established on the local machine. When the data is returned, the source address is modified according to the NAT table to the destination address when the data was sent. Concurrently to the remote host. The real address of the backend server can be hidden. (Thanks to the netizen for pointing out that this place was written backwards with SNAT) REDIRECT
: It is a special form of DNAT that forwards network packets to the local host (regardless of the target address specified in the IP header) What), it is convenient to do port forwarding on this machine.
LOG
: Record log information in the /var/log/messages file and then pass the packet to the next rule
LOG, after the first three rules match the data packet, the data packet will not continue to match, so the order of writing the rules Extremely critical.
The above is the detailed content of Detailed graphic explanation of the principle of iptables in Linux. For more information, please follow other related articles on the PHP Chinese website!