Linux防火墙—netfilter
- netfilter的5个表
- filter表用于过滤包,最常用的表,有INPUT、FORWARD、OUTPUT三个链
- nat表用于网络地址转换,有PREROUTING、POSTROUTING三个链
- managle表用于给数据包做标记,几乎用不到
- raw表可以实现不追踪某些数据包
- security表在centos6中并没有,用于强制访问控制(MAC)的网络规则
- 参考文章
netfilter的五个表
- 在centos中只有四个表,并没有security表
-
[root@hf-01 ~]# man iptables
查看五个表
filter:
This is the default table (if no -t option is passed). It contains
the built-in chains INPUT (for packets destined to local sockets),
FORWARD (for packets being routed through the box), and OUTPUT (for
locally-generated packets).
nat:
This table is consulted when a packet that creates a new connection
is encountered. It consists of three built-ins: PREROUTING (for
altering packets as soon as they come in), OUTPUT (for altering
locally-generated packets before routing), and POSTROUTING (for
altering packets as they are about to go out). IPv6 NAT support is
available since kernel 3.7.
mangle:
This table is used for specialized packet alteration. Until kernel
2.4.17 it had two built-in chains: PREROUTING (for altering incom‐
ing packets before routing) and OUTPUT (for altering locally-gener‐
ated packets before routing). Since kernel 2.4.18, three other
built-in chains are also supported: INPUT (for packets coming into
the box itself), FORWARD (for altering packets being routed through
the box), and POSTROUTING (for altering packets as they are about
to go out).
raw:
This table is used mainly for configuring exemptions from connec‐
tion tracking in combination with the NOTRACK target. It registers
at the netfilter hooks with higher priority and is thus called
before ip_conntrack, or any other IP tables. It provides the fol‐
lowing built-in chains: PREROUTING (for packets arriving via any
network interface) OUTPUT (for packets generated by local pro‐
cesses)
security:
This table is used for Mandatory Access Control (MAC) networking
rules, such as those enabled by the SECMARK and CONNSECMARK tar‐
gets. Mandatory Access Control is implemented by Linux Security
Modules such as SELinux. The security table is called after the
filter table, allowing any Discretionary Access Control (DAC) rules
in the filter table to take effect before MAC rules. This table
provides the following built-in chains: INPUT (for packets coming
into the box itself), OUTPUT (for altering locally-generated pack‐
ets before routing), and FORWARD (for altering packets being routed
through the box).
- filter表,就是默认的一个表,包含了三个内置的链:INPUT、FORWARD、OUTPUT
- INPUT链,表示数据进来的包进来要经过的一个链,进入到本机
- 比如,进入到本机后,将80端口进来的数据包,访问80端口的数据包检查下它的原IP是什么,发现可疑的IP需要禁掉
- FORWARD链,这个数据包到了机器,并不会进入内核里,因为这个这数据包不是给你处理的,而是给另外一台机器处理的,所以这时候需要判断下你的目标地址是否为本机,如果不是本机,则需要经过FORWARD这个链
- 在经过 FORWARD链的时候,也会做一些操作,把目标地址做一些更改,或者做一个转发
- OUTPUT链,是在本机产生的一些包,在出去之前做的一些操作
- 比如,这个包是发给某一个IP的,这个IP我要禁掉,不让这个包过去(已加入到黑名单),只要是到那个IP的,都给禁掉。
- nat表,也有三个链PREROUTING 、OUTPUT、POSTROUTING
- PREROUTING链,这个链用来更改这个数据包——>在进来的那一刻就去更改
- OUTPUT链,它和上面filter表中的OUTPUT链是一样的
- POSTROUTING链,这个链也是更改数据包——>在出去的那一刻更改
- nat表,使用案列
- mangle表和raw表和security表几乎用不到
参考文章
- 参考文章
- iptables传输数据包的过程
- ① 当一个数据包进入网卡时,它首先进入PREROUTING链,内核根据数据包目的IP判断是否需要转送出去。
- ② 如果数据包就是进入本机的,它就会沿着图向下移动,到达INPUT链。数据包到了INPUT链后,任何进程都会收到它。本机上运行的程序可以发送数据包,这些数据包会经过OUTPUT链,然后到达POSTROUTING链输出。
- ③ 如果数据包是要转发出去的,且内核允许转发,数据包就会如图所示向右移动,经过FORWARD链,然后到达POSTROUTING链输出。
- 如果是本机的,则会经过PREROUTING链--->INPUT链--->OUTPUT链--->POSTROUTING链
- 如果不是本机的,则会经过PREROUTING链--->FORWARD链--->POSTROUTING链
本文详细介绍了Linux防火墙netfilter的五个主要表:filter、nat、mangle、raw和security的功能及应用场景。filter表用于包过滤;nat表实现网络地址转换;mangle表支持包修改;raw表配置连接追踪豁免;security表用于强制访问控制。
扫一扫
774
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
