iptables 介绍

iptables 和 ip6tables 用于在 Linux 内核中设置、管理和检查 IPv4 和 IPv6 数据包过滤规则的表（Tables）。每个表都包含了一些内建或者是用户定义的链（Chains）。每个链都是一个由规则（Rules）组成的列表，用于匹配一组的数据包。每条规则都指定了如何处理已匹配的数据包，这被称为目标（Target），例如可以将数据包跳转到同一个表中的用户定义的链中。

表 Tables	内建的链 built-in Chains	作用
Filter（未指定 `-t` 选项时的默认值）	INPUT	for packets destined to local sockets
	FORWARD	for packets being routed through the box
	OUTPUT	for locally-generated packets
NAT	PREROUTING	for altering packets as soon as they come in
	OUTPUT	for altering locally-generated packets before routing
	POSTROUTING	for altering packets as they are about to go out
Mangle	PREROUTING (kernel 2.4.17+)	for altering incoming packets before routing
	OUTPUT (kernel 2.4.17+)	for altering locally-generated packets before routing
	INPUT (kernel 2.4.18+)	for packets coming into the box itself
	FORWARD (kernel 2.4.18+)	for altering packets being routed through the box
	POSTROUTING (kernel 2.4.18+)	for altering packets as they are about to go out
Raw	PREROUTING	for packets arriving via any network interface
	OUTPUT	for packets generated by local processes

一图概览

                                 local process
----------^-----------------------------------------------------------v-----
          ^                                                           |
          |                                                           v
   +--------------+                                           +---------------+
   | Filter#input |                                           |  Raw#output   |
   +--------------+                                           +---------------+
          |                                                           |
   +--------------+                                           +---------------+
   |  SNAT#input  |                                           | Mangle#output |
   +--------------+                                           +---------------+
          |                                                           |
   +--------------+                                           +---------------+
   | Mangle#input |                                           |  NAT#output   |
   +--------------+                                           +---------------+
          ^                                                           |
          |                                                   +---------------+
          |                                                   | Filter#output |
          |                                                   +---------------+
          |                                                           |
          |        +----------------+      +----------------+         v
          +------->| Mangle#forward |----->| Filter#forward |+------->+
          ^        +----------------+      +----------------+         |
          |                                                           v
+-------------------+                                       +--------------------+
|  DNAT#prerouting  |                                       | Mangle#postrouting |
+-------------------+                                       +--------------------+
          |                                                           |
+-------------------+                                       +--------------------+
| Mangle#prerouting |                                       |  SNAT#postrouting  |
+-------------------+                                       +--------------------+
          |                                                           |
+-------------------+                                                 v
|  Raw#prerouting   |                                                 |
+-------------------+                                                 |
          ^                                                           |
          |                                                           v
----------^-----------------------------------------------------------v-----
                                    network

技术笔记

iptables 工作机制

iptables 介绍

一图概览

参考资料