iptables_表和鏈（Traversing of tables and chains）

5 chains (PREROUTING/INPUT/FORWARD/OUTPUT/POSTROUTING) 3 tables (mangle/filter/nat | raw/security)  ?

 

 

  要澄清此影像，請考慮這一點，如果我們將資料包放入第一個路由決策中，該決策不是面向本地計算機本身，它將通過 FORWARD 鏈路由，另一方面，如果資料包發送到本地計算機正在偵聽的 IP 地址，我們將通過 INPUT 鏈將資料包發送到本地計算機， 同樣值得注意的是，資料包可能面向本地計算機，但目標地址可以通過做 NAT 在 PREROUTING 鏈中更改，由于此發生在第一個路由決策之前，因此在此更改后將查看資料包，因此，在路由決策完成之前，可能會更改路由，請注意，所有資料包都將在此映像中通過一潭訓另一條路徑，如果您將資料包轉回來自的同一網路，它仍將通過鏈的其余部分傳輸，直到它回到網路上， Table 6-1. Destination local host (our own machine)

Step	Table	Chain	Comment
1			On the wire (e.g., Internet)
2			Comes in on the interface (e.g., eth0)
3	raw	PREROUTING	This chain is used to handle packets before the connection tracking takes place. It can be used to set a specific connection not to be handled by the connection tracking code for example.
4			This is when the connection tracking code takes place as discussed in the The state machine chapter.
5	mangle	PREROUTING	This chain is normally used for mangling packets, i.e., changing TOS and so on.
6	nat	PREROUTING	This chain is used for DNAT mainly. Avoid filtering in this chain since it will be bypassed in certain cases.
7			Routing decision, i.e., is the packet destined for our local host or to be forwarded and where.
8	mangle	INPUT	At this point, the mangle INPUT chain is hit. We use this chain to mangle packets, after they have been routed, but before they are actually sent to the process on the machine.（已經路由了，但還沒發送到主機，可以這個時候mangle）
9	filter	INPUT	This is where we do filtering for all incoming traffic destined for our local host. Note that all incoming packets destined for this host pass through this chain, no matter what interface or in which direction they came from.
10			Local process or application (i.e., server or client program).

Note that this time the packet was passed through the INPUT chain instead of the FORWARD chain. Quite logical. Most probably the only thing that's really logical about the traversing of tables and chains in your eyes in the beginning, but if you continue to think about it, you'll find it will get clearer in time.   able 6-2. Source local host (our own machine)

Step	Table	Chain	Comment
1			Local process/application (i.e., server/client program)
2			Routing decision. What source address to use, what outgoing interface to use, and other necessary information that needs to be gathered.
3	raw	OUTPUT	This is where you do work before the connection tracking has taken place for locally generated packets. You can mark connections so that they will not be tracked for example.
4			This is where the connection tracking takes place for locally generated packets, for example state changes et cetera. This is discussed in more detail in the The state machine chapter.
5	mangle	OUTPUT	This is where we mangle packets, it is suggested that you do not filter in this chain since it can have side effects.
6	nat	OUTPUT	This chain can be used to NAT outgoing packets from the firewall itself. （防火墻自身nat）
7			Routing decision, since the previous mangle and nat changes may have changed how the packet should be routed.
8	filter	OUTPUT	This is where we filter packets going out from the local host.
9	mangle	POSTROUTING	The POSTROUTING chain in the mangle table is mainly used when we want to do mangling on packets before they leave our host, but after the actual routing decisions. This chain will be hit by both packets just traversing the firewall, as well as packets created by the firewall itself.（？沒太懂）
10	nat	POSTROUTING	This is where we do SNAT as described earlier. It is suggested that you don't do filtering here since it can have side effects, and certain packets might slip through even though you set a default policy of DROP.
11			Goes out on some interface (e.g., eth0)
12			On the wire (e.g., Internet)

In this example, we're assuming that the packet is destined for another host on another network. The packet goes through the different steps in the following fashion: Table 6-3. Forwarded packets

Step	Table	Chain	Comment
1			On the wire (i.e., Internet)
2			Comes in on the interface (i.e., eth0)
3	raw	PREROUTING	Here you can set a connection to not be handled by the connection tracking system.
4			This is where the non-locally generated connection tracking takes place, and is also discussed more in detail in the The state machine chapter.
5	mangle	PREROUTING	This chain is normally used for mangling packets, i.e., changing TOS and so on.
6	nat	PREROUTING	This chain is used for DNAT mainly. SNAT is done further on. Avoid filtering in this chain since it will be bypassed in certain cases.
7			Routing decision, i.e., is the packet destined for our local host or to be forwarded and where.
8	mangle	FORWARD	The packet is then sent on to the FORWARD chain of the mangle table. This can be used for very specific needs, where we want to mangle the packets after the initial routing decision, but before the last routing decision made just before the packet is sent out.
9	filter	FORWARD	The packet gets routed onto the FORWARD chain. Only forwarded packets go through here, and here we do all the filtering. Note that all traffic that's forwarded goes through here (not only in one direction), so you need to think about it when writing your rule-set. （所有轉發包都經過這里）
10	mangle	POSTROUTING	This chain is used for specific types of packet mangling that we wish to take place after all kinds of routing decisions have been done, but still on this machine.
11	nat	POSTROUTING	This chain should first and foremost be used for SNAT. Avoid doing filtering here, since certain packets might pass this chain without ever hitting it. This is also where Masquerading is done.
12			Goes out on the outgoing interface (i.e., eth1).
13			Out on the wire again (i.e., LAN).

As you can see, there are quite a lot of steps to pass through. The packet can be stopped at any of the iptables chains, or anywhere else if it is malformed; however, we are mainly interested in the iptables aspect of this lot. Do note that there are no specific chains or tables for different interfaces or anything like that. FORWARD is always passed by all packets that are forwarded over this firewall/router.

Do not use the INPUT chain to filter on in the previous scenario! INPUT is meant solely for packets to our local host that do not get routed to any other destination.

        Mangle table The following targets are only valid in the mangle table. They can not be used outside the mangle table.

• TOS
• TTL
• MARK
• SECMARK
• CONNSECMARK

  Nat table This table should only be used for NAT (Network Address Translation) on different packets. In other words, it should only be used to translate the packet's source field or destination field. Note that, as we have said before, only the first packet in a stream will hit this table. After this, the rest of the packets will automatically have the same action taken on them as the first packet. The actual targets that do these kind of things are:

• DNAT
• SNAT
• MASQUERADE
• REDIRECT

    Filter table The filter table is mainly used for filtering packets. We can match packets and filter them in whatever way we want. This is the place that we actually take action against packets and look at what they contain and DROP or /ACCEPT them, depending on their content. Of course we may also do prior filtering; however, this particular table is the place for which filtering was designed. Almost all targets are usable in this table. We will be more prolific about the filter table here; however you now know that this table is the right place to do your main filtering.   Raw table The raw table is mainly only used for one thing, and that is to set a mark on packets that they should not be handled by the connection tracking system. This is done by using the NOTRACK target on the packet User specified chains       補充 -- Mangle簡介 Mangle是一個資料包分析，但是很多RouterOS都喜歡稱其為標記，但實際上標記只是mangle的一部分功能而已， Mangle的翻譯就是壓碎，撕爛的意思，在路由器里面就是拆開包來研究，然后重新組合，我們就是通過mangle規則來分析資料包里面含有的關鍵資訊，然后進行重新歸類，標記，或者修改其中部分的引數，在ROS里面Mangle主要分為以下三類，以及對應的動作如下： 1.分析關注，對匹配規則的資料包進行分析關注，不對包進行其他操作 2.分析標記，對匹配規則的資料包進行分析標記，加上標記， 3.分析調整，對匹配的資料包進行拆包修改，修改資料并且重新封裝， Mangle是ROS里面動作（Action）最多的一個表，也是五鏈最全的，貫穿整個資料流程，見下圖橙色部分： Mangle規則的配置，就需要理解OSI七層模型和常用的資料協議包的組成原理，這樣我們才能在配置Mangle規則的時候能最大化的保證資料傳輸效率，下一章我們以TCP/UDP協議來深入探討一下網路傳輸中的一些常見問題，   參考： https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#IPFILTERING https://www.veewe.com/7-%e9%98%b2%e7%81%ab%e5%a2%99mangle%e7%ae%80%e4%bb%8b.html https://blog.csdn.net/liwei0526vip/article/details/103104483?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522160398312519724842902387%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fall.%2522%257D&request_id=160398312519724842902387&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~all~first_rank_v2~rank_v28-1-103104483.pc_search_result_cache&utm_term=lvs&spm=1018.2118.3001.4449  

轉載請註明出處，本文鏈接：https://www.uj5u.com/caozuo/195882.html

標籤：其他

上一篇：云計算管理平臺之OpenStack計算服務nova

下一篇：K8S 使用 SideCar 模式部署 Filebeat 收集容器日志