A detailed explanation of the iptables rule execution order on Linux
Prerequisite knowledge (reposted): iptables has three queues (tables) of rules: the mangle queue, the filter queue, and the nat queue.
1. The first is the mangle table, which is responsible for the alteration of quality of service bits in the TCP header.
2. The second table is the filter queue, which is responsible for packet filtering. It has three built-in chains:
* Forward chain: filters packets to servers protected by the firewall.
* Input chain: filters packets destined for the firewall.
* Output chain: filters packets originating from the firewall.
3. The third table is the nat queue, which is responsible for network address translation. It has two built-in chains; these are:
* Pre-routing chain: NATs packets when the destination address of the packet needs to be changed.
* Post-routing chain: NATs packets when the source address of the packet needs to be changed.
Personal summary:
When iptables executes rules, it walks the rule table in order from top to bottom. As long as no rule matches, it keeps moving down one rule at a time; as soon as a rule matches, that rule is executed, and its action (accept, reject, log, etc.) decides what happens next. There are generally three possibilities:
1. Continue with the next rule in the current rule queue. For example, after a LOG rule in the Filter queue has been executed, the next rule in the Filter queue is still executed.
2. Stop executing the current rule queue and move on to the next rule queue. For example, once an accept has been executed, the remaining rules in the Filter queue are skipped and execution jumps to the rules in the nat queue.
3. Stop executing all rule queues.
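The three outcomes above can be made concrete with a small simulation of walking one chain, first rule to last. This is an added example written for this explanation, not code from the original post or from iptables itself; the `Rule` class, the packet dictionaries and the sample INPUT chain are constructed for illustration, and the verdict model is reduced to LOG (non-terminating) versus ACCEPT/DROP/REJECT (terminating) with a chain policy applied when no terminating rule matches.

```python
from dataclasses import dataclass, field

TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # a match ends the walk of this chain
NON_TERMINATING = {"LOG"}                   # a match acts, then the walk continues


@dataclass
class Rule:
    target: str
    # constructed match criteria, e.g. {"proto": "tcp", "dport": 22}
    match: dict = field(default_factory=dict)

    def matches(self, pkt: dict) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())


def walk_chain(rules, pkt, policy="DROP"):
    """Walk `rules` top to bottom for `pkt`; return (verdict, log entries)."""
    logs = []
    for idx, rule in enumerate(rules):
        if not rule.matches(pkt):
            continue                      # no match: fall through to the next rule
        if rule.target in NON_TERMINATING:
            logs.append(f"rule {idx}: LOG {pkt}")
            continue                      # LOG does not end the walk
        if rule.target in TERMINATING:
            return rule.target, logs      # first terminating match decides
    return policy, logs                   # end of chain: the chain policy applies


# Constructed INPUT chain: log SSH, accept SSH, drop every other TCP packet.
INPUT = [
    Rule("LOG", {"proto": "tcp", "dport": 22}),
    Rule("ACCEPT", {"proto": "tcp", "dport": 22}),
    Rule("DROP", {"proto": "tcp"}),
]
# Same rules with LOG placed after the terminating ACCEPT: the log entry for
# SSH is never written, because the walk already ended at the ACCEPT rule.
INPUT_LOG_AFTER = [INPUT[1], INPUT[0], INPUT[2]]

if __name__ == "__main__":
    ssh = {"proto": "tcp", "dport": 22}
    print(walk_chain(INPUT, ssh))                          # ACCEPT, one log entry
    print(walk_chain(INPUT_LOG_AFTER, ssh))                # ACCEPT, no log entry
    print(walk_chain(INPUT, {"proto": "udp", "dport": 53}))  # no match: policy DROP
```

Ordering is the whole point: the same three rules give the same verdict but different log output depending on whether LOG sits before or after the terminating rule, which is why audit rules are normally placed ahead of the ACCEPT or DROP they are meant to record.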
iptables filters with a stack of rules. When a packet arrives on the network interface, Prerouting is checked first; the destination IP is then examined to decide whether the packet has to be forwarded, and the packet goes on to INPUT or Forward for filtering. If the packet has to be forwarded, Postrouting is checked next; if the packet originates from the local host, OUTPUT and then Postrouting are checked. Whenever a rule matches along the way, the packet is handled accordingly; the handling actions, besides