`
luliangok
  • 浏览: 780887 次
文章分类
社区版块
存档分类
最新评论

学习netfilter/iptables的使用

 
阅读更多
学习netfilter/iptables的使用

层次结构:
tables
chains (build-in / user-defined)
rules

规则指定了包和目标(target)。
目标就是对匹配的包的动作。
目标可以是同一表内的自定义链(user-defined chain),
或者是ACCEPT, DROP, QUEUE, 或RETURN。

未匹配的包进行链中下一规则的检查;
而匹配的包的目标决定了下一条要检查的规则。

RETURN表示返回到前一链的下一条规则,即从该链的检查中返回。
如果一条内建链检查完毕,链的策略目标(policy)决定包的去向。

有三个表:filter, nat, mangle.

filter: 缺省表。内建链有
INPUT (for packets coming into the box itself),
FORWARD (for packets being routed through the box), and
OUTPUT (for locally-generated packets).
nat:新建连接时检查。三个内建链
PREROUTING (for altering packets as soon as they come in),
OUTPUT (for altering locally-generated packets before routing),
POSTROUTING (for altering packets as they are about to go out).
mangle:用来更改特殊的包。内建链
PREROUTING (for altering incoming packets before routing)
OUTPUT (for altering locally-generated packets before routing),
INPUT (for packets coming into the box itself),
FORWARD (for altering packets being routed through the box),
POSTROUTING (for altering packets as they are about to go out).

表的名字表示对包的处理动作,链的名字表示包所处的位置。
如到本机的包经过:PREROUTING, INPUT
本机向外发包:OUTPUT, POSTROUTE
转发的包:PREROUTING, FORWARD, POSTROUTE

其实将所有动作集中到一张表中也是可以的。
分享到:
| 心有灵犀笑一笑
评论
发表评论

您还没有登录,请您登录后再发表评论

相关推荐

Magicbox
Global site tag (gtag.js) - Google Analytics