Netfilter

Netfilter is a packet-processing module in the Linux kernel that provides packet filtering, forwarding, and network address translation (NAT). iptables is the tool used to add, modify, and delete the packet-processing rules held in Netfilter. Netfilter sits between the network card and the kernel protocol stack and is a free-software firewall. Netfilter is built around three concepts of increasing scope: rules, chains, and tables.

Chains

A chain can be thought of as one of several checkpoints between the network card and the kernel protocol stack. Packets of different types pass through different checkpoints, that is, a packet is matched against the rules of only those chains that lie on its path.

Tables

For ease of management, rules in a chain that serve the same function are grouped into a table. iptables defines four tables. Their priority order, from high to low, is: raw -> mangle -> nat -> filter.

Relationship between tables and chains

A chain can belong to several tables, but not every chain appears in every table. Packets are processed chain by chain, but in practice the table is the entry point used to define rules.

iptables

Introduction to iptables

The packet-filtering function of Linux, that is, the Linux firewall, consists of two components: netfilter and iptables. The netfilter component lives in kernel space; it is the part of the kernel made up of the packet-filtering tables that hold the rule sets the kernel uses to control packet filtering. The iptables component is a user-space tool that makes it easy to insert, modify, and remove rules in those packet-filtering tables.

iptables basics

iptables works according to rules. A rule is a condition predefined by the network administrator, generally of the form "if the packet header meets these conditions, process the packet in this way." The rules are stored in the packet-filtering tables in kernel space. They specify the source address, destination address, transport protocol (such as TCP, UDP, or ICMP), and service type (such as HTTP, FTP, or SMTP). When a packet matches a rule, iptables handles it as the rule's target specifies, for example accept, reject, or drop. The main task of configuring the firewall is adding, modifying, and deleting these rules.

When a client accesses a web service on the server, the client's packet arrives at the network card, and the TCP/IP protocol stack is part of the kernel. The client's data is therefore delivered to the web service in user space through the kernel's TCP implementation. At this point the destination of the client's packet is the socket (IP:port) the web service listens on. When the web service responds to the client's request, the destination of the response packet is the client, and the IP and port the web service listens on become the source.

As stated above, netfilter is the real firewall, and it is part of the kernel. For the firewall to actually "prevent fires", checkpoints must be set up inside the kernel, and every inbound and outbound packet must pass through them: after inspection, only packets that meet the release conditions are let through, and packets that meet the blocking conditions are blocked. This gives rise to an input checkpoint and an output checkpoint; in iptables these checkpoints are called "chains" rather than "levels".
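The following toy model, added here as an illustration and not part of the original article, kernel code, or iptables, reproduces the semantics the text describes: rules live in chains, chains are grouped into tables, the tables on a hook are consulted in the order raw -> mangle -> nat -> filter, and the first matching rule in a chain decides the verdict, with the chain's policy applying when nothing matches. The ruleset, the packet headers, and the addresses (192.168.1.0/24, 203.0.113.5, 10.0.0.1) are constructed sample values, and the `Packet`, `Rule`, `Chain`, `process` and `build_*` names are this example's own.

```python
"""Toy model of the rule / chain / table hierarchy described in the article.
Constructed example: not kernel netfilter code and not iptables."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Table priority on a given hook, from the text (highest first).
TABLE_ORDER = ("raw", "mangle", "nat", "filter")


@dataclass(frozen=True)
class Packet:
    """The header fields a rule in this model can match on."""
    proto: str
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    """One rule: match conditions plus a target, the model's equivalent of
    `iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT`.
    A condition left as None matches anything."""
    target: str                  # "ACCEPT" or "DROP"
    proto: Optional[str] = None
    src: Optional[str] = None    # CIDR, e.g. "192.168.1.0/24"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        return True


@dataclass
class Chain:
    """A checkpoint: rules are tried top to bottom, first match wins; if
    nothing matches, the chain's default policy applies."""
    rules: list = field(default_factory=list)
    policy: str = "ACCEPT"

    def traverse(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def process(hook: str, tables: dict, pkt: Packet):
    """Run a packet through every table that has a chain on this hook, in
    priority order. Returns (verdict, table that dropped it or None).
    ACCEPT in an earlier table only ends that table's chain; the packet still
    has to pass the later tables, so filter gets the last word."""
    for table in TABLE_ORDER:
        chain = tables.get(table, {}).get(hook)
        if chain is None:            # not every table has every chain
            continue
        if chain.traverse(pkt) == "DROP":
            return "DROP", table
    return "ACCEPT", None


def build_web_server_ruleset() -> dict:
    """Constructed ruleset for a web server: anyone may reach port 80, only
    the LAN may reach SSH, everything else inbound is dropped by policy."""
    allow_http = Rule("ACCEPT", proto="tcp", dport=80)
    allow_ssh_lan = Rule("ACCEPT", proto="tcp", dport=22, src="192.168.1.0/24")
    return {
        "raw":    {"PREROUTING": Chain(), "OUTPUT": Chain()},  # raw has no INPUT chain
        "mangle": {"INPUT": Chain()},                           # consulted first, decides nothing here
        "filter": {"INPUT": Chain([allow_http, allow_ssh_lan], policy="DROP")},
    }


def build_shadowed_ruleset() -> dict:
    """Same intent, but a catch-all DROP sits before the SSH rule, so the SSH
    rule can never match: rule order inside a chain matters."""
    tables = build_web_server_ruleset()
    allow_ssh_lan = Rule("ACCEPT", proto="tcp", dport=22, src="192.168.1.0/24")
    tables["filter"]["INPUT"] = Chain([Rule("DROP"), allow_ssh_lan], policy="DROP")
    return tables


if __name__ == "__main__":
    rules = build_web_server_ruleset()
    for pkt in (Packet("tcp", "203.0.113.5", "10.0.0.1", 80),
                Packet("tcp", "192.168.1.10", "10.0.0.1", 22),
                Packet("tcp", "203.0.113.5", "10.0.0.1", 22),
                Packet("tcp", "192.168.1.10", "10.0.0.1", 3306)):
        print(pkt, "->", process("INPUT", rules, pkt))
```

Two points the model makes visible: an ACCEPT in the mangle table does not exempt a packet from the filter table (the later table still sees it), and a catch-all DROP placed above a more specific ACCEPT shadows it, which is the usual cause of "the rule is there but never matches" when auditing a ruleset.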