iptables 工作机制

iptables 介绍

iptables 和 ip6tables 用于在 Linux 内核中设置、管理和检查 IPv4 和 IPv6 数据包过滤规则的表（Tables）。每个表都包含了一些内建或者是用户定义的链（Chains）。每个链都是一个由规则（Rules）组成的列表，用于匹配一组的数据包。每条规则都指定了如何处理已匹配的数据包，这被称为目标（Target），例如可以将数据包跳转到同一个表中的用户定义的链中。

一图概览

                                 local process
----------^-----------------------------------------------------------v-----
          ^                                                           |
          |                                                           v
   +--------------+                                           +---------------+
   | Filter#input |                                           |  Raw#output   |
   +--------------+                                           +---------------+
          |                                                           |
   +--------------+                                           +---------------+
   |  SNAT#input  |                                           | Mangle#output |
   +--------------+                                           +---------------+
          |                                                           |
   +--------------+                                           +---------------+
   | Mangle#input |                                           |  NAT#output   |
   +--------------+                                           +---------------+
          ^                                                           |
          |                                                   +---------------+
          |                                                   | Filter#output |
          |                                                   +---------------+
          |                                                           |
          |        +----------------+      +----------------+         v
          +------->| Mangle#forward |----->| Filter#forward |+------->+
          ^        +----------------+      +----------------+         |
          |                                                           v
+-------------------+                                       +--------------------+
|  DNAT#prerouting  |                                       | Mangle#postrouting |
+-------------------+                                       +--------------------+
          |                                                           |
+-------------------+                                       +--------------------+
| Mangle#prerouting |                                       |  SNAT#postrouting  |
+-------------------+                                       +--------------------+
          |                                                           |
+-------------------+                                                 v
|  Raw#prerouting   |                                                 |
+-------------------+                                                 |
          ^                                                           |
          |                                                           v
----------^-----------------------------------------------------------v-----
                                    network

参考资料

最后更新于1年前

iptables 介绍

一图概览

                                 local process
----------^-----------------------------------------------------------v-----
          ^                                                           |
          |                                                           v
   +--------------+                                           +---------------+
   | Filter#input |                                           |  Raw#output   |
   +--------------+                                           +---------------+
          |                                                           |
   +--------------+                                           +---------------+
   |  SNAT#input  |                                           | Mangle#output |
   +--------------+                                           +---------------+
          |                                                           |
   +--------------+                                           +---------------+
   | Mangle#input |                                           |  NAT#output   |
   +--------------+                                           +---------------+
          ^                                                           |
          |                                                   +---------------+
          |                                                   | Filter#output |
          |                                                   +---------------+
          |                                                           |
          |        +----------------+      +----------------+         v
          +------->| Mangle#forward |----->| Filter#forward |+------->+
          ^        +----------------+      +----------------+         |
          |                                                           v
+-------------------+                                       +--------------------+
|  DNAT#prerouting  |                                       | Mangle#postrouting |
+-------------------+                                       +--------------------+
          |                                                           |
+-------------------+                                       +--------------------+
| Mangle#prerouting |                                       |  SNAT#postrouting  |
+-------------------+                                       +--------------------+
          |                                                           |
+-------------------+                                                 v
|  Raw#prerouting   |                                                 |
+-------------------+                                                 |
          ^                                                           |
          |                                                           v
----------^-----------------------------------------------------------v-----
                                    network