Reprinted with attribution:
1. Concept and working principle
iptables is the command used to configure the firewall on Linux systems. It works at layers two, three and four of the TCP/IP model. When a host receives a packet, the packet is first processed in kernel space: if the destination address is the host itself, the packet is passed up to user space to be handled by the corresponding application; if the destination is not the host, the packet is either discarded or forwarded.
1.1 Four tables.
- filter (for packet filtering; the default table)
- nat (for NAT)
- mangle (for modifying packet data)
- raw (for raw packets)
The most commonly used are filter and nat.
1.2 Five chains.
- PREROUTING: rules applied before the routing decision, for example DNAT on received packets.
- POSTROUTING: rules applied after the routing decision, for example SNAT or MASQUERADE on packets sent or forwarded.
- OUTPUT: similar to PREROUTING, but only handles packets generated by the local machine.
- INPUT: similar to POSTROUTING, but only handles packets received by the local machine.
- FORWARD: handles packets routed through this machine (neither from nor to it).
Flow into this machine: PREROUTING --> INPUT --> user-space processes
Flow out of this machine: user-space processes --> OUTPUT --> POSTROUTING
Forwarding: PREROUTING --> FORWARD --> POSTROUTING
Intranet to extranet: SNAT in POSTROUTING
Extranet to intranet: DNAT in PREROUTING
The white background box in the figure below represents a chain.
2. Commands
2.1 Chain management:
- -N (new): create a custom chain.
- -X (delete): delete an empty custom chain.
- -P (policy): set the default policy of a chain
  - ACCEPT: accept
  - DROP: discard
- -E: rename a custom chain
2.2 View:
- -L (list): list the rules
- -n: display addresses and port numbers in numeric form
- -v: verbose output
2.3 Rules management:
- -A (append): add a rule at the end of a chain
- -I (insert): insert a rule (at the head of the chain by default)
- -D (delete): delete a rule
- -F (flush): empty the specified chain
- -R (replace): replace the rule at the given number in the specified chain
- -Z (zero): reset the packet and byte counters
2.4 Command usage
iptables -L lists the rules; the filter table is used by default.
iptables -t nat -L lists the rules of the nat table.
```
[root@node100 ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
```
The first option to iptables can be -A, which appends a new rule to the end of the chain, or -I, which inserts the new rule at the beginning of the chain. The next argument names the chain.
A chain is an ordered collection of rules:
- The OUTPUT chain controls all outgoing traffic.
- The INPUT chain controls all inbound traffic.
- -d specifies the destination address the packet must match.
- -s specifies the source address the packet must match.
- -j tells iptables which target (action) to jump to.
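The options and chains above put together as a complete rule set, as an added example that is not part of the original post: a host firewall with a DROP default policy and a custom logging chain in the filter table, plus DNAT in PREROUTING and MASQUERADE in POSTROUTING in the nat table. WAN_IF, LAN_NET, DMZ_HOST and SSH_PORT are assumed placeholder values; by default the script only echoes the commands, and `--apply` runs them (as root).

```shell
#!/bin/sh
# Added example, not from the original post: a minimal host firewall plus
# NAT gateway rule set using the tables, chains and options listed above.
# WAN_IF, LAN_NET, DMZ_HOST and SSH_PORT are assumed placeholder values.
# Dry run by default (commands are echoed); pass --apply to run them as root.
set -eu

IPTABLES=${IPTABLES:-"echo iptables"}
WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.10.0/24}
DMZ_HOST=${DMZ_HOST:-192.168.10.80}
SSH_PORT=${SSH_PORT:-22}

ipt() { $IPTABLES "$@"; }   # unquoted on purpose so "echo iptables" splits

# filter table: what the host accepts (INPUT) and what it routes (FORWARD)
filter_rules() {
    ipt -t filter -F                 # empty all chains in the table
    ipt -t filter -X                 # delete all empty custom chains
    ipt -P INPUT DROP                # default policy: drop what no rule accepts
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -N LOG_DROP                  # custom chain: rate-limited log, then drop
    ipt -A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix "ipt-drop: "
    ipt -A LOG_DROP -j DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -s "$LAN_NET" -j ACCEPT
    ipt -A INPUT -j LOG_DROP         # appended last: catches everything else
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -d "$DMZ_HOST" -p tcp --dport 80 -j ACCEPT
    ipt -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
}

# nat table: DNAT in PREROUTING (before routing), MASQUERADE in POSTROUTING (after)
nat_rules() {
    ipt -t nat -F
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$DMZ_HOST:80"
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

apply_all() { filter_rules; nat_rules; }

if [ "${1:-}" = "--apply" ]; then IPTABLES=iptables; fi
apply_all
```

Rule order matters: the LOG_DROP catch-all is appended to INPUT after the accept rules, so an `-A` added later would never be reached, which is where `-I` comes in.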