# iptables 工作机制 ## iptables 介绍 iptables 和 ip6tables 用于在 Linux 内核中设置、管理和检查 IPv4 和 IPv6 数据包过滤规则的 **表**(Tables)。每个表都包含了一些内建或者是用户定义的 **链**(Chains)。每个链都是一个由 **规则**(Rules)组成的列表,用于匹配一组的数据包。每条规则都指定了如何处理已匹配的数据包,这被称为 **目标**(Target),例如可以将数据包跳转到同一个表中的用户定义的链中。 | 表 **Tables** | 内建的链 **built-in Chains** | 作用 | | ------------------------ | ---------------------------- | ----------------------------------------------------- | | Filter(未指定 `-t` 选项时的默认值) | INPUT | for packets destined to local sockets | | | FORWARD | for packets being routed through the box | | | OUTPUT | for locally-generated packets | | NAT | PREROUTING | for altering packets as soon as they come in | | | OUTPUT | for altering locally-generated packets before routing | | | POSTROUTING | for altering packets as they are about to go out | | Mangle | PREROUTING (kernel 2.4.17+) | for altering incoming packets before routing | | | OUTPUT (kernel 2.4.17+) | for altering locally-generated packets before routing | | | INPUT (kernel 2.4.18+) | for packets coming into the box itself | | | FORWARD (kernel 2.4.18+) | for altering packets being routed through the box | | | POSTROUTING (kernel 2.4.18+) | for altering packets as they are about to go out | | Raw | PREROUTING | for packets arriving via any network interface | | | OUTPUT | for packets generated by local processes | ## 一图概览 ``` local process ----------^-----------------------------------------------------------v----- ^ | | v +--------------+ +---------------+ | Filter#input | | Raw#output | +--------------+ +---------------+ | | +--------------+ +---------------+ | SNAT#input | | Mangle#output | +--------------+ +---------------+ | | +--------------+ +---------------+ | Mangle#input | | NAT#output | +--------------+ +---------------+ ^ | | +---------------+ | | Filter#output | | +---------------+ | | | +----------------+ +----------------+ v +------->| Mangle#forward |----->| Filter#forward |+------->+ ^ +----------------+ +----------------+ | | v +-------------------+ +--------------------+ | DNAT#prerouting | | Mangle#postrouting | +-------------------+ +--------------------+ | | +-------------------+ +--------------------+ | Mangle#prerouting | | SNAT#postrouting | +-------------------+ +--------------------+ | | +-------------------+ v | Raw#prerouting | | +-------------------+ | ^ | | v ----------^-----------------------------------------------------------v----- network ``` ## 参考资料 * [iptables(8) — Linux manual page](https://man7.org/linux/man-pages/man8/iptables.8.html) * [Netfilter - Wikipedia](https://en.wikipedia.org/wiki/Netfilter) * [NAT with Linux and iptables](https://www.karlrupp.net/en/computer/nat_tutorial) * [\[译\] 深入理解 iptables 和 netfilter 架构](https://arthurchiao.art/blog/deep-dive-into-iptables-and-netfilter-arch-zh/) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://gitbook.fantasticmao.cn/tech/c-and-unix/unix-like/iptables-gong-zuo-ji-zhi.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.