iptables 2022-09-15
all notes below come from iptables 1.8.4
iptables/ip6tables — administration tool for IPv4/IPv6 packet filtering and NAT.
Iptables and ip6tables are used to set up, maintain, and inspect [the tables of IPv4 and IPv6 packet filter rules] in the Linux kernel. (They act on the kernel.)
The three main iptables concepts
table / chain / rule
table
There are five independent tables (which tables exist on a given machine depends on the kernel configuration options; to do)
- filter. Packet filtering. The default table. It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
- nat. Network address translation.
- mangle. Packet modification.
- raw. Connection tracking.
- security. This table is used for Mandatory Access Control (MAC) networking rules.
Table processing priority: raw > mangle > nat > filter > security
chain
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
The five built-in chain names: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
Note:
- Each table's chains are private to that table; same-named chains in different tables are not the same chain.
- A chain is really a checklist made up of many rules. Every chain has a default policy; when none of the rules on the chain match, the chain's default policy is applied.
rule
A rule specifies criteria for a packet and a target.
A rule states [which packets] get [which action].
Each rule specifies what to do with a packet that matches. This is called a 'target', which may be a jump to a user-defined chain in the same table. So a
rule-specification has two parts: [which packets] + [which action]
rule-specification = [matches...] [target]
match = -m matchname [per-match-options]
target = -j targetname [per-target-options]
eg.
/usr/sbin/iptables -t nat -I OUTPUT -d 8.8.8.8 -p tcp --dport 6500 -j DNAT --to-destination 9.9.9.9:6500
where:
-t nat
selects the table nat
-I OUTPUT
inserts the given rule-specification at the head of the chain OUTPUT
-d 8.8.8.8 -p tcp --dport 6500
states that the rule applies to tcp packets whose destination is 8.8.8.8:6500
-j DNAT --to-destination 9.9.9.9:6500
states that packets matching the rule are DNAT-translated, so the request is sent to 9.9.9.9:6500
- If the packet does not match, the next rule in the chain is examined;
- if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain, one of the targets described in iptables-extensions, or one of the special values ACCEPT, DROP or RETURN.
ACCEPT means to let the packet through.
DROP means to drop the packet on the floor.
RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain.
If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.
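The traversal rules above (next rule on no match, ACCEPT/DROP end traversal, a user-defined chain name is a jump, RETURN resumes in the caller, and the end of a built-in chain or a RETURN inside one falls to the chain policy) as a small simulator. This is an added example, not code from iptables or the man page; the rule and packet fields (proto, dport) and the ruleset are constructed for illustration.

```python
ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"

def matches(rule, pkt):
    """A rule matches when every criterion it gives equals the packet's
    field (the analogue of -p/-d/--dport). Criteria the rule omits are
    wildcards, like an iptables rule written without that option."""
    return all(pkt.get(k) == v for k, v in rule["match"].items())

def traverse(chains, chain_name, pkt, policies):
    """Walk one chain. Returns ACCEPT or DROP, or RETURN when a
    user-defined chain ends without a verdict so the caller continues."""
    for rule in chains[chain_name]:
        if not matches(rule, pkt):
            continue                      # examine the next rule
        target = rule["target"]
        if target in (ACCEPT, DROP):
            return target                 # final verdict, stop here
        if target == RETURN:
            break                         # stop traversing this chain
        verdict = traverse(chains, target, pkt, policies)  # jump
        if verdict != RETURN:
            return verdict
    # End of chain (or RETURN hit): a built-in chain applies its policy,
    # a user-defined chain (no policy entry) hands control back.
    return policies.get(chain_name, RETURN)

# Constructed filter-table ruleset: INPUT jumps to a user-defined chain
# for TCP, which accepts port 22, drops 23 and returns everything else.
CHAINS = {
    "INPUT": [
        {"match": {"proto": "tcp"}, "target": "TCP_IN"},
        {"match": {"proto": "icmp"}, "target": RETURN},
        {"match": {"proto": "udp", "dport": 53}, "target": ACCEPT},
    ],
    "TCP_IN": [
        {"match": {"dport": 22}, "target": ACCEPT},
        {"match": {"dport": 23}, "target": DROP},
    ],
}
POLICIES = {"INPUT": DROP}   # built-in chain policy; TCP_IN has none

def filter_input(pkt):
    """Verdict for a packet entering the INPUT chain of the filter table."""
    return traverse(CHAINS, "INPUT", pkt, POLICIES)

if __name__ == "__main__":
    for pkt in ({"proto": "tcp", "dport": 22}, {"proto": "tcp", "dport": 80},
                {"proto": "icmp"}, {"proto": "udp", "dport": 53}):
        print(pkt, "->", filter_input(pkt))
```

Note how tcp/80 is dropped by the INPUT policy, not by any rule: TCP_IN has no match for it, returns to INPUT, and INPUT runs out of rules.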
iptables packet flow
(Packet flow diagram; image sourced from the web, not reproduced here.) As the diagram shows, the five chains PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING each have their own job and guard different checkpoints.
[Packets flow along chains, from one chain to the next.] For example, a packet arriving from outside that wants to enter this host first enters the PREROUTING chain; since the raw, mangle and nat tables each define a PREROUTING chain, a packet that keeps flowing passes, in table-priority order, through the PREROUTING chains of raw, mangle and nat in turn.
Once we specify the table and chain when setting a rule, we know exactly where in the packet flow that rule takes effect.
Viewing iptables rules
iptables -L [chainname] [-t table]
eg. iptables -L OUTPUT -t nat
Shows the OUTPUT chain of the nat table (the nat table has no FORWARD chain, so -L FORWARD -t nat would fail)
Viewing iptables rules with line numbers
iptables -L --line-numbers [chainname] [-t table]
Deleting iptables rules
iptables -D chain rule-specification
Delete the matching rule from chain
iptables -D chain rulenum
Delete rule rulenum (1 = first) from chain