# iptables 工作机制 ## iptables 介绍 iptables 和 ip6tables 用于在 Linux 内核中设置、管理和检查 IPv4 和 IPv6 数据包过滤规则的 **表**(Tables)。每个表都包含了一些内建或者是用户定义的 **链**(Chains)。每个链都是一个由 **规则**(Rules)组成的列表,用于匹配一组的数据包。每条规则都指定了如何处理已匹配的数据包,这被称为 **目标**(Target),例如可以将数据包跳转到同一个表中的用户定义的链中。 | 表 **Tables** | 内建的链 **built-in Chains** | 作用 | | ------------------------ | ---------------------------- | ----------------------------------------------------- | | Filter(未指定 `-t` 选项时的默认值) | INPUT | for packets destined to local sockets | | | FORWARD | for packets being routed through the box | | | OUTPUT | for locally-generated packets | | NAT | PREROUTING | for altering packets as soon as they come in | | | OUTPUT | for altering locally-generated packets before routing | | | POSTROUTING | for altering packets as they are about to go out | | Mangle | PREROUTING (kernel 2.4.17+) | for altering incoming packets before routing | | | OUTPUT (kernel 2.4.17+) | for altering locally-generated packets before routing | | | INPUT (kernel 2.4.18+) | for packets coming into the box itself | | | FORWARD (kernel 2.4.18+) | for altering packets being routed through the box | | | POSTROUTING (kernel 2.4.18+) | for altering packets as they are about to go out | | Raw | PREROUTING | for packets arriving via any network interface | | | OUTPUT | for packets generated by local processes | ## 一图概览 ``` local process ----------^-----------------------------------------------------------v----- ^ | | v +--------------+ +---------------+ | Filter#input | | Raw#output | +--------------+ +---------------+ | | +--------------+ +---------------+ | SNAT#input | | Mangle#output | +--------------+ +---------------+ | | +--------------+ +---------------+ | Mangle#input | | NAT#output | +--------------+ +---------------+ ^ | | +---------------+ | | Filter#output | | +---------------+ | | | +----------------+ +----------------+ v +------->| Mangle#forward |----->| Filter#forward |+------->+ ^ +----------------+ +----------------+ | | v +-------------------+ +--------------------+ | DNAT#prerouting | | Mangle#postrouting | +-------------------+ +--------------------+ | | +-------------------+ +--------------------+ | Mangle#prerouting | | SNAT#postrouting | +-------------------+ +--------------------+ | | +-------------------+ v | Raw#prerouting | | +-------------------+ | ^ | | v ----------^-----------------------------------------------------------v----- network ``` ## 参考资料 * [iptables(8) — Linux manual page](https://man7.org/linux/man-pages/man8/iptables.8.html) * [Netfilter - Wikipedia](https://en.wikipedia.org/wiki/Netfilter) * [NAT with Linux and iptables](https://www.karlrupp.net/en/computer/nat_tutorial) * [\[译\] 深入理解 iptables 和 netfilter 架构](https://arthurchiao.art/blog/deep-dive-into-iptables-and-netfilter-arch-zh/)