Linux防火墙—netfilter
- netfilter的5个表
- filter表用于过滤包,最常用的表,有INPUT、FORWARD、OUTPUT三个链
- nat表用于网络地址转换,有PREROUTING、POSTROUTING三个链
- managle表用于给数据包做标记,几乎用不到
- raw表可以实现不追踪某些数据包
- security表在centos6中并没有,用于强制访问控制(MAC)的网络规则
netfilter的五个表
- 在centos中只有四个表,并没有security表
[root@hf-01 ~]# man iptables查看五个表 filter: This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets). nat: This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7. mangle: This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incom‐ ing packets before routing) and OUTPUT (for altering locally-gener‐ ated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out). raw: This table is used mainly for configuring exemptions from connec‐ tion tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the fol‐ lowing built-in chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets generated by local pro‐ cesses) security: This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK tar‐ gets. Mandatory Access Control is implemented by Linux Security Modules such as SELinux. The security table is called after the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before MAC rules. This table provides the following built-in chains: INPUT (for packets coming into the box itself), OUTPUT (for altering locally-generated pack‐ ets before routing), and FORWARD (for altering packets being routed through the box).
- filter表,就是默认的一个表,包含了三个内置的链:INPUT、FORWARD、OUTPUT
- INPUT链,表示数据进来的包进来要经过的一个链,进入到本机
- 比如,进入到本机后,将80端口进来的数据包,访问80端口的数据包检查下它的原IP是什么,发现可疑的IP需要禁掉
- FORWARD链,这个数据包到了机器,并不会进入内核里,因为这个这数据包不是给你处理的,而是给另外一台机器处理的,所以这时候需要判断下你的目标地址是否为本机,如果不是本机,则需要经过FORWARD这个链
- 在经过 FORWARD链的时候,也会做一些操作,把目标地址做一些更改,或者做一个转发
- OUTPUT链,是在本机产生的一些包,在出去之前做的一些操作
- 比如,这个包是发给某一个IP的,这个IP我要禁掉,不让这个包过去(已加入到黑名单),只要是到那个IP的,都给禁掉。
- INPUT链,表示数据进来的包进来要经过的一个链,进入到本机
- nat表,也有三个链PREROUTING 、OUTPUT、POSTROUTING
- PREROUTING链,这个链用来更改这个数据包——>在进来的那一刻就去更改
- OUTPUT链,它和上面filter表中的OUTPUT链是一样的
- POSTROUTING链,这个链也是更改数据包——>在出去的那一刻更改
- nat表,使用案列
- 路由器的实现的共享上网就是nat实现的
- 端口映射
- mangle表和raw表和security表几乎用不到
参考文章
- iptables传输数据包的过程
- ① 当一个数据包进入网卡时,它首先进入PREROUTING链,内核根据数据包目的IP判断是否需要转送出去。
- ② 如果数据包就是进入本机的,它就会沿着图向下移动,到达INPUT链。数据包到了INPUT链后,任何进程都会收到它。本机上运行的程序可以发送数据包,这些数据包会经过OUTPUT链,然后到达POSTROUTING链输出。
- ③ 如果数据包是要转发出去的,且内核允许转发,数据包就会如图所示向右移动,经过FORWARD链,然后到达POSTROUTING链输出。
- 总结:
- 如果是本机的,则会经过PREROUTING链--->INPUT链--->OUTPUT链--->POSTROUTING链
- 如果不是本机的,则会经过PREROUTING链--->FORWARD链--->POSTROUTING链