
iptables workflow organization

Popularity:439 ℃/2024-09-01 17:03:59

Reprinted with attribution:

1. Concept and working principle

iptables is the command used to configure firewalls on Linux systems. It works at layers 2, 3 and 4 of the TCP/IP stack. When a host receives a packet, the packet is first processed in kernel space: if the destination address is the host itself, the packet is passed to user space for the corresponding application to handle; if the destination is not the host, the packet is either forwarded or discarded.

1.1 Four tables.

  • filter (for filtering packets)
  • nat (for network address translation)
  • mangle (for modifying packets)
  • raw (for raw packets)

The most commonly used are filter and nat.

1.2 Five chains.

  • PREROUTING: Used for rules applied before the routing decision, for example, DNAT on received packets.
  • POSTROUTING: Used for rules applied after the routing decision, for example, SNAT or MASQUERADE on packets sent or forwarded.
  • OUTPUT: Similar to PREROUTING, but only handles packets sent out by the local machine.
  • INPUT: Similar to POSTROUTING, but only handles packets received by the local machine.
  • FORWARD: Handles packets routed through this machine rather than addressed to it.

Flow into this machine: PREROUTING --> INPUT --> user-space processes
Flow out of this machine: user-space processes --> OUTPUT --> POSTROUTING
Forwarding: PREROUTING --> FORWARD --> POSTROUTING


Intranet to extranet: SNAT in POSTROUTING

Extranet to intranet: DNAT in PREROUTING

The white background box in the figure below represents a chain.


2. Commands

2.1 Chain management:

-N (new): create a custom rule chain.

-X (delete): delete an empty custom rule chain.

-P (policy): set the default policy of a chain:

  ACCEPT: accept

  DROP: discard

-E: rename a custom chain.

2.2 Viewing:

-L (list): list the rules.

-n: show addresses and port numbers in numeric form (no name resolution).

-v: verbose output (packet and byte counters, interfaces).

2.3 Rule management:

-A (append): append a rule to the end of a chain.

-I (insert): insert a rule (at the top of the chain by default).

-D (delete): delete a rule.

-F (flush): empty the specified rule chain.

-R (replace): replace the rule at the given number in the specified chain.

-Z (zero): reset the packet and byte counters.

2.4 Command usage

iptables -L lists the rules; without -t it defaults to the filter table.

iptables -t nat -L lists the rules of the nat table.

[root@node100 ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
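As an added example (not part of the original post), a small Python parser for the `iptables -L` listing above, used to check which source ranges get SNAT/MASQUERADE in POSTROUTING and which built-in chains default to ACCEPT. It assumes the plain `-L` column layout shown (no `-v`), and the sample listing is a constructed copy of the output above.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample input: the `iptables -t nat -L` listing shown on this page.
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere
Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
"""
# One rule row of the plain `-L` layout (no -v, so no pkts/bytes columns).
Rule = namedtuple("Rule", "target prot opt source destination extra")

@dataclass
class Chain:
    name: str
    policy: str = None          # built-in chains carry a default policy ...
    references: int = 0         # ... user-defined chains carry a reference count instead
    rules: list = field(default_factory=list)

CHAIN_HEADER = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references?)\)$")

def parse_listing(text: str) -> dict:
    """Parse `iptables [-t table] -L` output into {chain name: Chain}."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = CHAIN_HEADER.match(line)
        if m:
            current = Chain(m.group(1), m.group(2), int(m.group(3) or 0))
            chains[current.name] = current
        elif line and current is not None and not line.startswith("target"):
            cols = line.split(None, 5)      # 6th column keeps the match text whole
            current.rules.append(Rule(*cols, *[""] * (6 - len(cols))))
    return chains

def masquerade_sources(chains: dict) -> list:
    # Source ranges that are rewritten on the way out (SNAT/MASQUERADE in POSTROUTING).
    post = chains.get("POSTROUTING")
    return [r.source for r in post.rules if r.target in ("SNAT", "MASQUERADE")] if post else []

def accept_by_default(chains: dict) -> list:
    # Built-in chains whose default policy is ACCEPT, i.e. unmatched traffic passes.
    return sorted(c.name for c in chains.values() if c.policy == "ACCEPT")
```

Feed it the real output of `iptables -t nat -L` (or `iptables -L` for the filter table) to audit default policies and masqueraded ranges on a host.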

The first option in iptables can be -A, which indicates that a new rule is added to the chain, or -I, which indicates that the new rule is inserted at the beginning of the ruleset. The next argument specifies the chain.

A chain is a collection of rules.

The OUTPUT chain controls all outgoing traffic.

The INPUT chain controls all inbound traffic.

  • -d specifies the destination address the packet must match.
  • -s specifies the source address the packet must match.
  • -j tells iptables which target (action) to jump to when the rule matches.