Detailed explanation of Linux netfilter/iptables knowledge points

Netfilter

Netfilter is the packet-processing framework inside the Linux kernel; it provides packet filtering, forwarding and network address translation (NAT). iptables is the user-space tool used to add, modify and delete the packet-processing rules that Netfilter enforces.

Netfilter sits between the network interface and the rest of the kernel protocol stack, so every packet entering or leaving the host passes through it; it is what actually implements the Linux firewall.

There are three main concepts in Netfilter: rules, chains and tables, at increasing levels of grouping.

  • A rule describes how to handle the packets that match it: a set of match conditions (for example protocol, source or destination address, port) plus a target, the action taken on a matching packet.
  • A chain is an ordered list of rules that is evaluated at one checkpoint on the packet's path.
  • A table groups chains by function (filtering, address translation, header modification, connection-tracking exemptions); each built-in table contains only those chains where its function applies.

Rules

Within a chain, rules are evaluated from top to bottom. The first rule whose conditions match and whose target is terminating (ACCEPT, DROP or REJECT) decides the packet's fate; non-terminating targets such as LOG record the packet and let evaluation continue. If no rule matches, the chain's default policy applies.

Chains

A chain can be regarded as a checkpoint between the network interface and the kernel protocol stack. There are five built-in chains (PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING), and a packet passes through different checkpoints depending on where it comes from and where it is going, so it is only matched against the chains on its path:

  • Packets arriving on a network interface and addressed to this host: PREROUTING -> INPUT
  • Packets arriving on a network interface but addressed to another host (forwarded by this host): PREROUTING -> FORWARD -> POSTROUTING
  • Packets generated by this host's protocol stack and leaving through a network interface: OUTPUT -> POSTROUTING

Tables

For ease of management, rules with the same function are organized into tables. iptables defines four tables: filter (allow or block packets; the default table when -t is not given), nat (rewrite source or destination addresses and ports), mangle (modify other header fields such as TTL, or set packet marks) and raw (rules evaluated before connection tracking, typically to exempt packets from it). Recent kernels add a fifth table, security, for mandatory access control (SELinux) rules.

When more than one table has a chain at the same checkpoint, the tables are consulted in this priority order (from high to low): raw -> mangle -> nat -> filter. Because raw is consulted before connection tracking and before nat, a rule there can exempt a packet from tracking before the nat and filter tables ever see it.

Table chain relationship

Each table contains only some of the five built-in chains:

  • raw: PREROUTING, OUTPUT
  • mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
  • nat: PREROUTING, INPUT, OUTPUT, POSTROUTING
  • filter: INPUT, FORWARD, OUTPUT

So at a given checkpoint the packet is checked against the rules of every table that has that chain, in the priority order above; for a packet addressed to this host, for example, PREROUTING is evaluated in raw, mangle and nat, and then INPUT in mangle, nat and filter.

Packets are processed chain by chain, but in actual use rules are written per table: the -t option of iptables selects the table (filter when omitted) and the chain is named within it, so the same chain name in two tables refers to two different rule lists.

iptables

Introduction to iptables

The packet filtering function of Linux, that is, the Linux firewall, consists of two components: netfilter and iptables.

netfilter is the kernel-space component. It is part of the kernel and holds the packet filtering tables that contain the rule sets the kernel uses to decide how each packet is handled.

iptables is the user-space component: a command-line tool that makes it easy to insert, modify and remove rules in those packet filtering tables.

Iptables Basics

iptables works according to rules: conditions the network administrator defines in advance, generally of the form "if the packet header meets these conditions, handle the packet this way." The rules are stored in the packet filter tables in kernel space. A rule's conditions typically name the source address, destination address, transport protocol (TCP, UDP, ICMP) and service, identified by its port (for example HTTP, FTP or SMTP). When a packet matches a rule, the kernel applies the rule's target, such as ACCEPT, REJECT or DROP; note that REJECT sends an error back to the sender while DROP discards the packet silently. The main task of configuring the firewall is adding, modifying and deleting these rules.

Consider a client accessing the web service on a server. The client's packet arrives at the server's network interface; because the TCP/IP protocol stack is part of the kernel, the packet is handled by the kernel's TCP implementation and then delivered to the web service running in user space. Its destination is the socket (IP:port) on which the web service listens. When the web service answers, the response packet's destination is the client, and the IP and port the web service listens on become the source.

As noted above, netfilter is the real firewall and it is part of the kernel. For the firewall to "prevent fire", checkpoints therefore have to be placed inside the kernel. Every inbound and outbound packet must pass through them: packets that meet the release conditions are passed on, and those that meet the blocking conditions are stopped. This gives rise to an inbound checkpoint and an outbound checkpoint; in iptables these checkpoints are not called "checkpoints" but "chains". In the example above, the client's request passes through PREROUTING and then INPUT on its way to the web service, and the response passes through OUTPUT and then POSTROUTING on its way back out.
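As an added example that is not part of the original article, the following shell script builds a complete ruleset, in the format iptables-restore reads, for the web-server scenario just described, and at the same time shows which chains each table declares (the table/chain relationship from the earlier section). It is the editor's own illustration: the web ports 80 and 443, the management network 203.0.113.0/24 allowed to reach SSH, and the extra listener on port 8080 redirected to 80 are assumptions, not anything the article specifies. Nothing is applied to the running kernel; the script only generates and inspects text, and applying the result requires root.

```shell
#!/bin/sh
# Added example (not from the article): generate and inspect an iptables-restore
# ruleset for a host running a web service. Assumptions: HTTP/HTTPS on tcp/80,443;
# SSH only from ADMIN_NET (203.0.113.0/24 is a documentation range); a second
# listener on tcp/8080 is redirected to 80 in the nat table before routing.
set -eu

ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

# Print the whole ruleset in iptables-save format: one "*table ... COMMIT" block
# per table, with ":CHAIN POLICY" lines declaring the chains that table has.
gen_ruleset() {
  cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hypothetical: also serve on 8080, rewritten to 80 before the routing decision,
# so the packet reaches filter/INPUT with destination port 80.
-A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic is always local.
-A INPUT -i lo -j ACCEPT
# Replies to our own connections and the rest of every accepted flow.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The web service: new connections to 80/443 from anywhere.
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Administration: SSH only from the management network.
-A INPUT -p tcp --dport 22 -s ${ADMIN_NET} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Log a rate-limited sample of what falls through to the DROP policy.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Chains declared by one table in the generated ruleset, e.g.
# "chains_in_table raw" prints "PREROUTING OUTPUT".
chains_in_table() {
  gen_ruleset | awk -v t="*$1" '
    $0 == t            { in_t = 1; next }
    in_t && /^COMMIT/  { exit }
    in_t && /^:/       { sub(/^:/, "", $1); printf "%s%s", sep, $1; sep = " " }
    END                { print "" }'
}

# Number of rules (-A lines) in one chain of one table, e.g. "rules_in filter INPUT".
rules_in() {
  gen_ruleset | awk -v t="*$1" -v c="$2" '
    $0 == t                          { in_t = 1; next }
    in_t && /^COMMIT/                { exit }
    in_t && $1 == "-A" && $2 == c    { n++ }
    END                              { print n + 0 }'
}

# Usage: sh rules.sh --print   (review), then as root: sh rules.sh --print | iptables-restore
if [ "${1:-}" = "--print" ]; then gen_ruleset; fi
```

Saved as, say, rules.sh, the script prints the ruleset with `--print`; as root, piping that output into iptables-restore replaces each table as a unit at its COMMIT line instead of applying rules one by one. Two ordering points are worth noticing: the nat PREROUTING REDIRECT runs before routing, so an 8080 packet arrives at filter/INPUT with destination port 80 and is accepted by the multiport rule; and the ESTABLISHED,RELATED rule sits near the top of INPUT, so the response flow and the bulk of every accepted connection are passed without walking the rest of the chain.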

This is the end of this article on Linux netfilter/iptables; for more related content, see the other articles on 123WORDPRESS.COM.
