iptables

iptables chain

+---------------------------------------------------------+
|                      Network Card                       |
+---------------------------------------------------------+
     |                                                     ^
     |                                                     |
     v                                                     |
+----------+       is?   no          +-------+       +-----------+
|prerouting| ----> localhost ------> |forward| ----> |postrouting|
+----------+           |             +-------+       +-----------+
                       | yes                               ^
                       |                                   |
                       v                                   |
                  +---------+                        +-----------+
                  |  input  |                        |  output   |
                  +---------+                        +-----------+
                       |                                   ^
                       |                                   |
                       |                                   |
                       v                                   |
+----------------------------------------------------------+
|                           user                           |
+----------------------------------------------------------+

out -> localhost: prerouting -> input
forward: prerouting -> forward -> postrouting
localhost -> out: output -> postrouting

iptables table:

  • filter:
  • nat:
  • mangle:
  • raw:
table <-> chain  
raw: PREROUTING, OUTPUT
mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
nat: PREROUTING, OUTPUT, POSTROUTING, INPUT
filter: INPUT, FORWARD, OUTPUT

raw -> mangle -> nat -> filter

chain <-> table
PREROUTING: raw, mangle, nat
INPUT: mangle, filter, nat
FORWARD: mangle, filter
OUTPUT: raw, mangle, nat, filter
POSTROUTING: mangle, nat

query

# List the rules of <chain> in <table>: -n prints addresses/ports numerically
# (no DNS lookups), -v adds per-rule packet/byte counters, -L lists the chain.
iptables -t <table> -nvL <chain>

iptables