iptables

iptables operates at OSI Layer 3 (Network).

tables

The iptables architecture groups network packet processing rules into tables by function. There are three built-in tables:

  • packet filtering: filter table
  • network address translation (NAT): nat table
  • packet mangling: mangle table

[figure: processing order of the tables, mangle -> nat -> filter]

chains

iptables defines five “hook points” in the kernel’s packet processing pathways:

  • PREROUTING: attached by PREROUTING chain
  • INPUT: attached by INPUT chain
  • FORWARD: attached by FORWARD chain
  • POSTROUTING: attached by POSTROUTING chain
  • OUTPUT: attached by OUTPUT chain

[figure: hook points for the mangle table: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING, between the eth interfaces and local processes]

By default, each table has a chain, initially empty, for some or all of the hook points. You can add a sequence of rules (a chain) at each hook point. Each rule is an opportunity to affect or monitor the packet flow.

[figure: hook points for the nat table: PREROUTING, OUTPUT, POSTROUTING]

[figure: hook points for the filter table: INPUT, FORWARD, OUTPUT]

Another overview of these tables and chains: Archlinux:iptables

rules

Rules consist of:

  • matches: determine which packets the rule will apply to
  • targets: determine what will be done with the matching packets

[figure: a chain is a sequence of rules (rule1 -> rule2 -> rule3 -> ...) that ends in the chain's policy]

matches (-m):

  • ah: IPsec Authentication Header (AH)
  • length: packet length
  • tcp: TCP packet
  • udp: UDP packet

targets (-j):

  • ACCEPT: let the packet continue to the next table and chain. Usable as a chain policy.
  • RETURN: leave a user-defined chain and resume in the calling chain (the counterpart of ACCEPT for user-defined chains)
  • DROP: discard the packet silently. Usable as a chain policy.
  • REJECT: DROP plus an ICMP error reply to the sender
  • QUEUE: hand the packet to a userspace program via the libipq library
  • SNAT: rewrite source addresses and/or ports (gateway with a static IP)
  • MASQUERADE: SNAT for a gateway with a dynamic IP
  • DNAT: rewrite destination addresses and/or ports
  • REDIRECT: redirect packets to the local machine

applications

  • Packet filtering
  • Accounting
  • Connection tracking
  • Packet mangling
  • NAT: mod addresses and/or ports of packets, nat table
  • Masquerading (SNAT): rewrite source addresses and/or ports in the POSTROUTING chain of the nat table. Use target SNAT when the gateway has a static IP, MASQUERADE when it has a dynamic IP
  • Port Forwarding (DNAT): rewrite destination addresses and/or ports in the PREROUTING chain of the nat table
  • Load balancing

tracking

  • connmark
  • conntrack

connection states

  • ESTABLISHED
  • INVALID
  • NEW
  • RELATED
  • ASSURED
  • EXPECTED
  • SEEN_REPLY
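The pieces above (filter targets and chain policies, MASQUERADE on the nat POSTROUTING chain, DNAT on the nat PREROUTING chain, and conntrack connection states) combined into one gateway ruleset, as an added example that is not part of the original notes. The interface names, LAN subnet and forwarded host/port are assumed values; with IPT unset the script only prints the commands, so it can be read on any machine and applied as root with IPT=iptables.

```shell
#!/bin/sh
# Added example: gateway ruleset built from the targets, applications and
# connection states described above. IPT defaults to a dry run that prints
# each command; run as root with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

# gateway_rules WAN_IF LAN_IF LAN_NET FWD_HOST FWD_PORT
gateway_rules() {
    wan="$1"; lan="$2"; lannet="$3"; host="$4"; port="$5"

    # filter table: flush, then default DROP on INPUT/FORWARD (the policy is
    # what applies when no rule in the chain matched)
    $IPT -t filter -F
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT

    # INPUT: loopback, replies to connections the gateway itself opened,
    # drop INVALID, and allow NEW SSH connections from the LAN side only
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -i "$lan" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # FORWARD: LAN -> WAN allowed; WAN -> LAN only for replies or for NEW
    # connections to the DNAT'd service (the DNAT below has already rewritten
    # the destination by the time the packet reaches FORWARD)
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$lan" -o "$wan" -s "$lannet" -j ACCEPT
    $IPT -A FORWARD -i "$wan" -o "$lan" -p tcp -d "$host" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT

    # nat table, POSTROUTING: masquerade LAN sources leaving on the WAN
    # interface (MASQUERADE because the WAN address is assumed dynamic)
    $IPT -t nat -F
    $IPT -t nat -A POSTROUTING -s "$lannet" -o "$wan" -j MASQUERADE
    # nat table, PREROUTING: port forwarding, rewrite the destination of
    # inbound WAN traffic on the service port to the internal host
    $IPT -t nat -A PREROUTING -i "$wan" -p tcp --dport "$port" -j DNAT --to-destination "$host:$port"
}

# constructed sample values: eth0 = WAN, eth1 = LAN, web server 192.168.1.10:80
gateway_rules eth0 eth1 192.168.1.0/24 192.168.1.10 80
```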

tools

  • ethereal
  • nessus
  • nmap
  • ntop
  • ping
  • tcpdump, wireshark/tshark, ngrep
  • traceroute
  • nc
  • tc

commands

Show netfilter rules for table filter (default), nat or mangle:

iptables -t nat -nvL

List all the active rules:

iptables -S
