iptables 工作机制

iptables 介绍

iptables 和 ip6tables 用于在 Linux 内核中设置、管理和检查 IPv4 和 IPv6 数据包过滤规则的表（Tables）。每个表都包含了一些内建或者是用户定义的链（Chains）。每个链都是一个由规则（Rules）组成的列表，用于匹配一组的数据包。每条规则都指定了如何处理已匹配的数据包，这被称为目标（Target），例如可以将数据包跳转到同一个表中的用户定义的链中。

表 Tables

内建的链 built-in Chains

作用

Filter（未指定 -t 选项时的默认值）

INPUT

for packets destined to local sockets

FORWARD

for packets being routed through the box

OUTPUT

for locally-generated packets

NAT

PREROUTING

for altering packets as soon as they come in

OUTPUT

for altering locally-generated packets before routing

POSTROUTING

for altering packets as they are about to go out

Mangle

PREROUTING (kernel 2.4.17+)

for altering incoming packets before routing

OUTPUT (kernel 2.4.17+)

for altering locally-generated packets before routing

INPUT (kernel 2.4.18+)

for packets coming into the box itself

FORWARD (kernel 2.4.18+)

for altering packets being routed through the box

POSTROUTING (kernel 2.4.18+)

for altering packets as they are about to go out

Raw

PREROUTING

for packets arriving via any network interface

OUTPUT

for packets generated by local processes

一图概览

                                 local process
----------^-----------------------------------------------------------v-----
          ^                                                           |
          |                                                           v
   +--------------+                                           +---------------+
   | Filter#input |                                           |  Raw#output   |
   +--------------+                                           +---------------+
          |                                                           |
   +--------------+                                           +---------------+
   |  SNAT#input  |                                           | Mangle#output |
   +--------------+                                           +---------------+
          |                                                           |
   +--------------+                                           +---------------+
   | Mangle#input |                                           |  NAT#output   |
   +--------------+                                           +---------------+
          ^                                                           |
          |                                                   +---------------+
          |                                                   | Filter#output |
          |                                                   +---------------+
          |                                                           |
          |        +----------------+      +----------------+         v
          +------->| Mangle#forward |----->| Filter#forward |+------->+
          ^        +----------------+      +----------------+         |
          |                                                           v
+-------------------+                                       +--------------------+
|  DNAT#prerouting  |                                       | Mangle#postrouting |
+-------------------+                                       +--------------------+
          |                                                           |
+-------------------+                                       +--------------------+
| Mangle#prerouting |                                       |  SNAT#postrouting  |
+-------------------+                                       +--------------------+
          |                                                           |
+-------------------+                                                 v
|  Raw#prerouting   |                                                 |
+-------------------+                                                 |
          ^                                                           |
          |                                                           v
----------^-----------------------------------------------------------v-----
                                    network

参考资料

最后更新于1年前

iptables 介绍

表 Tables

内建的链 built-in Chains

作用

Filter（未指定 -t 选项时的默认值）

INPUT

for packets destined to local sockets

FORWARD

for packets being routed through the box

OUTPUT

for locally-generated packets

NAT

PREROUTING

for altering packets as soon as they come in

OUTPUT

for altering locally-generated packets before routing

POSTROUTING

for altering packets as they are about to go out

Mangle

PREROUTING (kernel 2.4.17+)

for altering incoming packets before routing

OUTPUT (kernel 2.4.17+)

for altering locally-generated packets before routing

INPUT (kernel 2.4.18+)

for packets coming into the box itself

FORWARD (kernel 2.4.18+)

for altering packets being routed through the box

POSTROUTING (kernel 2.4.18+)

for altering packets as they are about to go out

Raw

PREROUTING

for packets arriving via any network interface

OUTPUT

for packets generated by local processes

一图概览

                                 local process
----------^-----------------------------------------------------------v-----
          ^                                                           |
          |                                                           v
   +--------------+                                           +---------------+
   | Filter#input |                                           |  Raw#output   |
   +--------------+                                           +---------------+
          |                                                           |
   +--------------+                                           +---------------+
   |  SNAT#input  |                                           | Mangle#output |
   +--------------+                                           +---------------+
          |                                                           |
   +--------------+                                           +---------------+
   | Mangle#input |                                           |  NAT#output   |
   +--------------+                                           +---------------+
          ^                                                           |
          |                                                   +---------------+
          |                                                   | Filter#output |
          |                                                   +---------------+
          |                                                           |
          |        +----------------+      +----------------+         v
          +------->| Mangle#forward |----->| Filter#forward |+------->+
          ^        +----------------+      +----------------+         |
          |                                                           v
+-------------------+                                       +--------------------+
|  DNAT#prerouting  |                                       | Mangle#postrouting |
+-------------------+                                       +--------------------+
          |                                                           |
+-------------------+                                       +--------------------+
| Mangle#prerouting |                                       |  SNAT#postrouting  |
+-------------------+                                       +--------------------+
          |                                                           |
+-------------------+                                                 v
|  Raw#prerouting   |                                                 |
+-------------------+                                                 |
          ^                                                           |
          |                                                           v
----------^-----------------------------------------------------------v-----
                                    network