Talk about the five tables and five chains of Iptables, have you learned it?

2023.04.05

Talk about the five tables and five chains of Iptables, have you learned it?

In the process of writing this article, the author found that the Chinese content almost said four tables and five links​. I don’t know if the author deliberately skipped the Security​ table, or the homogeneity caused by plagiarism is too serious. Although the Security table is not a common feature, we cannot ignore its existence.

overview

iptables is a command-line tool for configuring the Linux kernel firewall. It is based on the kernel's packet filtering framework netfilter and is mainly used to manage packet filtering and NAT rules.

picture

Image source: https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg

iptables interacts with the packet filtering hooks in the protocol stack to get the job done. These kernel hooks form the netfilter framework. Each packet (received or sent) entering the network system will trigger these hooks when passing through the protocol stack, and the program can process network traffic on some key paths by registering hook functions. iptables​-related kernel modules register processing functions at these hook points, so you can configure iptables rules to make network traffic comply with firewall rules.

Understanding iptables is the basis for learning the implementation of network functions in open source projects such as Docker and Kubernetes.

rule

Rules​ are the conditions predefined by the network administrator. The general definition is that if the packet header meets the current conditions, the packet is processed, otherwise the next judgment condition is executed. The rules​ are stored in the filter table of the kernel space, and these rules specify Source address, destination address, transport protocol (such as TCP, UDP, ICMP) and service type (such as HTTP, FTP, SMTP), etc. When the packet matches the rule, the kernel will perform specific actions.

The main job of configuring a firewall is to add, modify, and delete rules.

Behavior

action

describe

ACCEPT

receive packets

DROP

Discard the data packet. After this action, the detection process will be interrupted directly, and no other rules will be detected.

REDIRECT

Redirect the packet to another port (PNAT). After this action, continue to compare other rules. This function can be used to implement transparent proxy or to protect application server

SNAT

source address translation

DNAT

destination address translation

MASQUERADE

IP masquerading (NAT), for ADSL

LOG

logging

SEMARK

Add SEMARK mark for Intra-Domain Mandatory Access Control (MAC)

QUEUE

Pass the packet to user space

REJECT

Intercept the data packet and return the data packet to notify the other party

RETURN

The firewall stops executing subsequent rules in the current chain and returns to the calling chain to continue detection

5 strands

Chain​ is the path for data packets to propagate, and there can be N rules​ (N >= 0) in each chain​. When a data packet reaches a chain​, iptables​ will start to check from the first rule in the chain. If the data packet meets the conditions defined by the rule, the system will perform specific actions​, otherwise iptables​ will continue to check the next rule. If the packet does not match any of the rules in the chain, iptables will process the packet according to the predefined default policy of the chain.

name

describe

INPUT

Process received packets

OUTPUT

Process sent packets

FORWARD

Handle forwarded data packets, often used in ​网络隔离​​​​, ​,​NAT​​负载均衡​

PREROUTING

Modify the data packets that arrive and have not yet been forwarded, often used in ​DNAT​​​​, ​,​端口映射​​源地址转换​

POSTOUTING

Modify the data packet before sending, often used ​SNAT​for

5 tables

A table has N chains, and a chain has N rules.

Most scenarios only need to use Filter table and NAT table.

Raw table

The Raw table is used to process packets before connection tracking, NAT and routing table processing, and contains 2 built-in chains:

• PREROUTING

• OUTPUT

Because the priority is the highest, if the Raw table is used, after the Raw table is processed, the NAT table and ip_conntrack processing will be skipped, that is, connection tracking, NAT and routing table pre-processing will be avoided.

Filter table

Filter​ is the default table of iptables​, which is used to filter packets. If no table is defined, the Filter table will be used, including 3 built-in chains:

  • • INPUT
  • • OUTPUT
  • • FORWARD

In the Filter table, only the operations of accepting and discarding data packets are allowed, but the data packets cannot be changed.

NAT table

NAT is used to implement network address translation and contains 3 built-in chains:

• PREROUTING

• POST-ROUTING

• OUTPUT

Mangle table

Mangle is used to modify, mark or redirect specified packet headers, including 5 built-in chains:

• INPUT

• OUTPUT

• FORWARD

• PREROUTING

• POST-ROUTING

Security table

Security is used to mark packages with SELinux, thereby affecting the behavior of SELinux or other systems that can interpret SELinux security contexts for processing packages. These tags can be based on individual packets or connections.

Table and chain relationship diagram

picture

Table and chain relationship diagram

The detection priority of the table

Raw -> Mangle -> Nat -> Filter

picture

Image source: https://www.frozentux.net/iptables-tutorial/images/tables_traverse.jpg

Any data packet must pass through one of the five chains.

• When a data packet enters the network card, it first enters the PREROUTING chain, and the kernel judges whether it needs to be forwarded according to the destination IP of the data packet

• If the data packet enters the local machine, it will move down the graph and reach the INPUT chain. After the data packet reaches the INPUT chain, any process will receive it, and the program on the machine can send the data packet. The package will go through the OUTPUT​ chain, and then reach the output of the POSTROUTING chain

• If the packet is forwarded, and the kernel allows forwarding, the packet will go through the FORWARD​ chain and then reach the output of the POSTROUTING chain

Common commands

view class

# 查看所有防火墙规则
$ iptables --list

# 示例输出如下
Chain DOCKER (8 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.27.0.2           tcp dpt:10010
ACCEPT     tcp  --  anywhere             172.22.0.2           tcp dpt:http
ACCEPT     tcp  --  anywhere             172.29.0.4           tcp dpt:memcached
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:redis
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:nginx
ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:8080
ACCEPT     tcp  --  anywhere             172.17.0.5           tcp dpt:mysql
ACCEPT     tcp  --  anywhere             172.17.0.5           tcp dpt:http

# 查看 mangle 表规则
$ iptables -t mangle --list

# 查看 nat 表规则
$ iptables -t nat --list
  • 1.
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.

Field Name

describe

target

regular behavior

prot

protocol

opt

options

source

source IP address

destination

Destination IP address

Operation class

# 查看说明

$ iptables --help

# 查看命令
iptables -L:查看规则链

# 规则管理命令
iptables -A:在规则链的末尾加入新规则
iptables -D:删除某个规则
iptables -I:在规则链的头部加入新规则
iptables -R:替换规则链中的规则

# 链管理命令
iptables -F:清空规则链
iptables -Z:清空规则链中的数据包计算器和字节计数器
iptables -N:创建新的用户自定义规则链
iptables -P:设置规则链中的默认策略

# 通用匹配参数
-t
    对指定的表 table 进行操作
    如果不指定此选项,默认的是 filter 表

-p 协议
    指定规则的协议,如 tcp, udp, icmp 等,可以使用all来指定所有协议
    如果不指定 -p 参数,默认的是 all 值

-s 源地址
    指定数据包的源地址
    参数可以使IP地址、网络地址、主机名
    例如:-s 192.168.1.101 指定IP地址
    例如:-s 192.168.1.10/24 指定网络地址

-d 目的地址
    指定数据包的目的地址,规则和 -s 类似

-j 执行目标
    指定规则匹配时如何处理数据包
    可能的值是ACCEPT, DROP, QUEUE, RETURN 等

-i 输入接口
    指定要处理来自哪个接口的数据包,这些数据包将进入 INPUT, FORWARD, PREROUTE 链
    例如:-i eth0指定了要处理经由eth0进入的数据包
    如果不指定 -i参数,那么将处理进入所有接口的数据包
    如果指定 ! -i eth0,那么将处理所有经由eth0以外的接口进入的数据包
    如果指定 -i eth+,那么将处理所有经由eth开头的接口进入的数据包

-o 输出
    指定了数据包由哪个接口输出,这些数据包将进入 FORWARD, OUTPUT, POSTROUTING链
    如果不指定-o选项,那么所有接口都可以作为输出接口
    如果指定 ! -o eth0,那么将从eth0以外的接口输出
    如果指定 -i eth+,那么将仅从eth开头的接口输出
  
# 扩展参数
-sport 源端口
    针对 -p tcp 或者 -p udp,默认情况下,将匹配所有端口
    可以指定端口号或者端口名称、端口范围,例如 –sport 22, –sport ssh,–sport 22:100 
    从性能上讲,使用端口号更好, /etc/services 文件描述了映射关系

-dport 目的端口
    规则和 –sport 类似

-tcp-flags TCP 标志
    针对 -p tcp
    可以指定由逗号分隔的多个参数
    取值范围:SYN, ACK, FIN, RST, URG, PSH, ALL, NONE

-icmp-type ICMP 标志
    针对 -p icmp
    icmp-type 0 表示 Echo Reply
    icmp-type 8 表示 Echo
  • 1.
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 31.
  • 32.
  • 33.
  • 34.
  • 35.
  • 36.
  • 37.
  • 38.
  • 39.
  • 40.
  • 41.
  • 42.
  • 43.
  • 44.
  • 45.
  • 46.
  • 47.
  • 48.
  • 49.
  • 50.
  • 51.
  • 52.
  • 53.
  • 54.
  • 55.
  • 56.
  • 57.
  • 58.
  • 59.
  • 60.
  • 61.
  • 62.
  • 63.
  • 64.
  • 65.
  • 66.
  • 67.
  • 68.
  • 69.
  • 70.
  • 71.
  • 72.

Command option input order

iptables -t 表名 <-A/I/D/R> 规则链名 [规则号] <-i/o 网卡名> -p 协议名 <-s 源IP/源子网> --sport 源端口 <-d 目标IP/目标子网> --dport 目标端口 -j 动作
  • 1.

example

The following commands are used with caution in a production environment.

View the added iptables rules

$ iptables -L -n -v

Chain INPUT (policy DROP 48106 packets, 2690K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 5075  589K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 191K   90M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
1499K  133M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
4364K 6351M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 6256  327K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3382K packets, 1819M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 5075  589K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
  • 1.
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.

Clear all current rules and counts

$ iptables -F  # 清空所有的防火墙规则
$ iptables -X  # 删除用户自定义的空链
$ iptables -Z  # 清空计数
  • 1.
  • 2.
  • 3.

set default rules

$ iptables -P INPUT DROP    # 配置默认的不让进
$ iptables -P FORWARD DROP  # 默认的不允许转发
$ iptables -P OUTPUT ACCEPT # 默认的可以出去
  • 1.
  • 2.
  • 3.

open designated ports

$ iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT               # 允许本地回环接口(即运行本机访问本机)
$ iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT    # 允许已建立的或相关连的通行
$ iptables -A OUTPUT -j ACCEPT                                        # 允许所有本机向外的访问
$ iptables -A INPUT -p tcp --dport 22 -j ACCEPT                       # 允许访问22端口
$ iptables -A INPUT -p tcp --dport 80 -j ACCEPT                       # 允许访问80端口
$ iptables -A INPUT -p tcp --dport 21 -j ACCEPT                       # 允许ftp服务的21端口
$ iptables -A INPUT -p tcp --dport 20 -j ACCEPT                       # 允许FTP服务的20端口
$ iptables -A INPUT -j reject                                         # 禁止其他未允许的规则访问
$ iptables -A FORWARD -j REJECT                                       # 禁止其他未允许的规则访问
  • 1.
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.

whitelist

$ iptables -A INPUT -p all -s 192.168.1.0/24 -j ACCEPT            # 允许机房内网机器可以访问
$ iptables -A INPUT -p all -s 192.168.140.0/24 -j ACCEPT          # 允许机房内网机器可以访问
$ iptables -A INPUT -p tcp -s 183.121.3.7 --dport 3380 -j ACCEPT  # 允许 183.121.3.7 访问本机的 3380 端口
  • 1.
  • 2.
  • 3.

blacklist

iptables -I INPUT -s 123.45.6.7 -j DROP       # 屏蔽单个 IP
iptables -I INPUT -s 123.0.0.0/8 -j DROP      # 屏蔽 IP 网段 从 123.0.0.1  到 123.255.255.254
iptables -I INPUT -s 124.45.0.0/16 -j DROP    # 屏蔽 IP 网段 从 123.45.0.1 到 123.45.255.254
iptables -I INPUT -s 123.45.6.0/24 -j DROP    # 屏蔽 IP 网段 从 123.45.6.1 到 123.45.6.254
  • 1.
  • 2.
  • 3.
  • 4.

Prevent SYN flood attacks

$ iptables -A INPUT -p tcp --syn -m limit --limit 5/second -j ACCEPT
  • 1.

summary

In the process of writing this article, the author found that the Chinese content almost said four tables and five links​. I don’t know if the author deliberately skipped the Security​ table, or the homogeneity caused by plagiarism is too serious. Although the Security table is not a common feature, we cannot ignore its existence.

Reference

  • • Traversing of tables and chains[1]
  • • iptables(8) - Linux man page[2]
  • • iptables[3]
  • • Detailed explanation of iptables[4]
  • • iptables command[5]
  • • In-depth understanding of iptables and netfilter architecture[6]
  • • iptables basic knowledge and command quick reference

quote link

[1]​ Traversing of tables and chains: ​​https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TRAVERSINGOFTABLES[2]​​​ iptables(8) - Linux man page: ​​https://linux.die.net/man/8/iptables​

[3]​ iptables: ​​https://wiki.archlinuxcn.org/wiki/Iptables​

[4]​ Detailed explanation of iptables: https://lixiangyun.gitbook.io/iptables_doc_zh_cn/

[5]​ iptables command: ​​https://wangchujiang.com/linux-command/c/iptables.html​

[6] Deep understanding of iptables and netfilter architecture: https://arthurchiao.art/blog/deep-dive-into-iptables-and-netfilter-arch-zh/