Linux firewall: netfilter
- The 5 netfilter tables
- The filter table filters packets; it is the most commonly used table and has three chains: INPUT, FORWARD, OUTPUT
- The nat table performs network address translation and has three chains: PREROUTING, OUTPUT, POSTROUTING
- The mangle table marks packets; it is almost never used
- The raw table lets certain packets bypass connection tracking
- The security table does not exist in CentOS 6; it is used for Mandatory Access Control (MAC) network rules
The five netfilter tables
- CentOS has only four tables; there is no security table
[root@hf-01 ~]# man iptables
View the five tables
filter:
This is the default table (if no -t option is passed). It contains
the built-in chains INPUT (for packets destined to local sockets),
FORWARD (for packets being routed through the box), and OUTPUT (for
locally-generated packets).
nat:
This table is consulted when a packet that creates a new connection
is encountered. It consists of three built-ins: PREROUTING (for
altering packets as soon as they come in), OUTPUT (for altering
locally-generated packets before routing), and POSTROUTING (for
altering packets as they are about to go out). IPv6 NAT support is
available since kernel 3.7.
mangle:
This table is used for specialized packet alteration. Until kernel
2.4.17 it had two built-in chains: PREROUTING (for altering incom‐
ing packets before routing) and OUTPUT (for altering locally-gener‐
ated packets before routing). Since kernel 2.4.18, three other
built-in chains are also supported: INPUT (for packets coming into
the box itself), FORWARD (for altering packets being routed through
the box), and POSTROUTING (for altering packets as they are about
to go out).
raw:
This table is used mainly for configuring exemptions from connec‐
tion tracking in combination with the NOTRACK target. It registers
at the netfilter hooks with higher priority and is thus called
before ip_conntrack, or any other IP tables. It provides the fol‐
lowing built-in chains: PREROUTING (for packets arriving via any
network interface) OUTPUT (for packets generated by local pro‐
cesses)
security:
This table is used for Mandatory Access Control (MAC) networking
rules, such as those enabled by the SECMARK and CONNSECMARK tar‐
gets. Mandatory Access Control is implemented by Linux Security
Modules such as SELinux. The security table is called after the
filter table, allowing any Discretionary Access Control (DAC) rules
in the filter table to take effect before MAC rules. This table
provides the following built-in chains: INPUT (for packets coming
into the box itself), OUTPUT (for altering locally-generated pack‐
ets before routing), and FORWARD (for altering packets being routed
through the box).
- The filter table is the default table; it contains three built-in chains: INPUT, FORWARD, OUTPUT
- INPUT chain: the chain an incoming packet passes through when it enters this host
- For example, once a packet arrives at this host for port 80, check the source IP of packets destined for port 80, and block any IP that looks suspicious
- FORWARD chain: the packet reaches this machine but is not handed up to the local host itself, because it is not meant for this host but for another machine. The kernel therefore checks whether the destination address is local; if it is not, the packet goes through the FORWARD chain
- While passing through the FORWARD chain, operations can also be performed, such as altering the destination address or performing a forward
- OUTPUT chain: operations performed on packets generated by this host before they leave
- For example, a packet is sent to some IP that I want to block (it has been added to the blacklist), so the packet is not allowed through; everything destined for that IP is blocked.
- The nat table also has three chains: PREROUTING, OUTPUT, POSTROUTING
- PREROUTING chain: used to alter the packet ---> altered the moment it comes in
- OUTPUT chain: the same as the OUTPUT chain of the filter table above
- POSTROUTING chain: also alters the packet ---> altered the moment it goes out
- nat table usage example
- The mangle, raw and security tables are almost never used
- How iptables passes a packet through
- ① When a packet enters the network card, it first enters the PREROUTING chain; the kernel decides from the packet's destination IP whether it needs to be forwarded out.
- ② If the packet is for this host, it moves down the diagram to the INPUT chain. Once the packet reaches the INPUT chain, any process can receive it. Programs running on this host can send packets; those go through the OUTPUT chain and then reach the POSTROUTING chain to be sent out.
- ③ If the packet is to be forwarded out and the kernel allows forwarding, it moves right in the diagram, through the FORWARD chain, and then reaches the POSTROUTING chain to be sent out.
- If destined for this host: PREROUTING chain ---> INPUT chain ---> OUTPUT chain ---> POSTROUTING chain
- If not destined for this host: PREROUTING chain ---> FORWARD chain ---> POSTROUTING chain
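As an added illustration of the traversal described above (it is not part of the original notes and it models netfilter rather than driving it): a small Python function that returns the chains a packet visits and which tables are consulted at each hook. The hook/table order is assumed from the man page excerpt above, and the sample addresses are constructed.

```python
import ipaddress

# Tables consulted at each netfilter hook, in call order: raw registers ahead
# of connection tracking and security runs after filter (man page excerpt
# above). nat is given the three chains the excerpt lists; this is the model's
# assumption, not a description of every kernel version.
HOOK_TABLES = {
    "PREROUTING":  ["raw", "mangle", "nat"],
    "INPUT":       ["mangle", "filter", "security"],
    "FORWARD":     ["mangle", "filter", "security"],
    "OUTPUT":      ["raw", "mangle", "nat", "filter", "security"],
    "POSTROUTING": ["mangle", "nat"],
}

def traverse(dst_ip, local_ips, ip_forward, locally_generated=False):
    """Return the (chain, tables) pairs one packet passes through.

    dst_ip: destination after any PREROUTING DNAT; local_ips: addresses of
    this host; ip_forward: net.ipv4.ip_forward; locally_generated: packet
    created by a local process.
    """
    dst = ipaddress.ip_address(dst_ip)
    local = {ipaddress.ip_address(ip) for ip in local_ips}
    if locally_generated:
        chains = ["OUTPUT", "POSTROUTING"]          # step 2, outbound half
    elif dst in local:
        chains = ["PREROUTING", "INPUT"]            # step 2, delivered locally
    elif ip_forward:
        chains = ["PREROUTING", "FORWARD", "POSTROUTING"]   # step 3
    else:
        chains = ["PREROUTING"]   # routing refuses to forward: packet dropped
    return [(chain, HOOK_TABLES[chain]) for chain in chains]

def chain_path(dst_ip, local_ips, ip_forward, locally_generated=False):
    """Render the chains in the 'A ---> B' notation used in the notes."""
    steps = traverse(dst_ip, local_ips, ip_forward, locally_generated)
    return " ---> ".join(chain for chain, _ in steps)

if __name__ == "__main__":
    host = ["192.0.2.10"]   # constructed sample address for this host
    cases = [("192.0.2.10", False, False), ("198.51.100.7", True, False),
             ("198.51.100.7", False, False), ("198.51.100.7", True, True)]
    for dst, fwd, gen in cases:
        for chain, tables in traverse(dst, host, fwd, gen):
            print(f"{chain:12s} tables: {', '.join(tables)}")
        print("path:", chain_path(dst, host, fwd, gen), "\n")
```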