iptables_表和链(Traversing of tables and chains)

  • A+
所属分类:linux技术
摘要

  

5 chains (PREROUTING/INPUT/FORWARD/OUTPUT/POSTROUTING)
3 tables (mangle/filter/nat | raw/security)
 iptables_表和链(Traversing of tables and chains)

 

 

 
要澄清此图像,请考虑这一点。如果我们将数据包放入第一个路由决策中,该决策不是面向本地计算机本身,它将通过 FORWARD 链路由。另一方面,如果数据包发送到本地计算机正在侦听的 IP 地址,我们将通过 INPUT 链将数据包发送到本地计算机。
同样值得注意的是,数据包可能面向本地计算机,但目标地址可以通过做 NAT 在 PREROUTING 链中更改。由于此发生在第一个路由决策之前,因此在此更改后将查看数据包。因此,在路由决策完成之前,可能会更改路由。请注意,所有数据包都将在此映像中通过一条或另一条路径。如果您将数据包转回来自的同一网络,它仍将通过链的其余部分传输,直到它回到网络上。
Table 6-1. Destination local host (our own machine)
Step
Table
Chain
Comment
1
 
 
On the wire (e.g., Internet)
2
 
 
Comes in on the interface (e.g., eth0)
3
raw
PREROUTING
This chain is used to handle packets before the connection tracking takes place. It can be used to set a specific connection not to be handled by the connection tracking code for example.
4
 
 
This is when the connection tracking code takes place as discussed in the The state machine chapter.
5
mangle
PREROUTING
This chain is normally used for mangling packets, i.e., changing TOS and so on.
6
nat
PREROUTING
This chain is used for DNAT mainly. Avoid filtering in this chain since it will be bypassed in certain cases.
7
 
 
Routing decision, i.e., is the packet destined for our local host or to be forwarded and where.
8
mangle
INPUT
At this point, the mangle INPUT chain is hit. We use this chain to mangle packets, after they have been routed, but before they are actually sent to the process on the machine.(已经路由了,但还没发送到主机,可以这个时候mangle)
9
filter
INPUT
This is where we do filtering for all incoming traffic destined for our local host. Note that all incoming packets destined for this host pass through this chain, no matter what interface or in which direction they came from.
10
 
 
Local process or application (i.e., server or client program).
Note that this time the packet was passed through the INPUT chain instead of the FORWARD chain. Quite logical. Most probably the only thing that's really logical about the traversing of tables and chains in your eyes in the beginning, but if you continue to think about it, you'll find it will get clearer in time.
 
able 6-2. Source local host (our own machine)
Step
Table
Chain
Comment
1
 
 
Local process/application (i.e., server/client program)
2
 
 
Routing decision. What source address to use, what outgoing interface to use, and other necessary information that needs to be gathered.
3
raw
OUTPUT
This is where you do work before the connection tracking has taken place for locally generated packets. You can mark connections so that they will not be tracked for example.
4
 
 
This is where the connection tracking takes place for locally generated packets, for example state changes et cetera. This is discussed in more detail in the The state machine chapter.
5
mangle
OUTPUT
This is where we mangle packets, it is suggested that you do not filter in this chain since it can have side effects.
6
nat
OUTPUT
This chain can be used to NAT outgoing packets from the firewall itself. (防火墙自身nat)
7
 
 
Routing decision, since the previous mangle and nat changes may have changed how the packet should be routed.
8
filter
OUTPUT
This is where we filter packets going out from the local host.
9
mangle
POSTROUTING
The POSTROUTING chain in the mangle table is mainly used when we want to do mangling on packets before they leave our host, but after the actual routing decisions. This chain will be hit by both packets just traversing the firewall, as well as packets created by the firewall itself.(?没太懂)
10
nat
POSTROUTING
This is where we do SNAT as described earlier. It is suggested that you don't do filtering here since it can have side effects, and certain packets might slip through even though you set a default policy of DROP.
11
 
 
Goes out on some interface (e.g., eth0)
12
 
 
On the wire (e.g., Internet)
In this example, we're assuming that the packet is destined for another host on another network. The packet goes through the different steps in the following fashion:
Table 6-3. Forwarded packets
Step
Table
Chain
Comment
1
 
 
On the wire (i.e., Internet)
2
 
 
Comes in on the interface (i.e., eth0)
3
raw
PREROUTING
Here you can set a connection to not be handled by the connection tracking system.
4
 
 
This is where the non-locally generated connection tracking takes place, and is also discussed more in detail in the The state machine chapter.
5
mangle
PREROUTING
This chain is normally used for mangling packets, i.e., changing TOS and so on.
6
nat
PREROUTING
This chain is used for DNAT mainly. SNAT is done further on. Avoid filtering in this chain since it will be bypassed in certain cases.
7
 
 
Routing decision, i.e., is the packet destined for our local host or to be forwarded and where.
8
mangle
FORWARD
The packet is then sent on to the FORWARD chain of the mangle table. This can be used for very specific needs, where we want to mangle the packets after the initial routing decision, but before the last routing decision made just before the packet is sent out.
9
filter
FORWARD
The packet gets routed onto the FORWARD chain. Only forwarded packets go through here, and here we do all the filtering. Note that all traffic that's forwarded goes through here (not only in one direction), so you need to think about it when writing your rule-set. (所有转发包都经过这里)
10
mangle
POSTROUTING
This chain is used for specific types of packet mangling that we wish to take place after all kinds of routing decisions have been done, but still on this machine.
11
nat
POSTROUTING
This chain should first and foremost be used for SNAT. Avoid doing filtering here, since certain packets might pass this chain without ever hitting it. This is also where Masquerading is done.
12
 
 
Goes out on the outgoing interface (i.e., eth1).
13
 
 
Out on the wire again (i.e., LAN).
As you can see, there are quite a lot of steps to pass through. The packet can be stopped at any of the iptables chains, or anywhere else if it is malformed; however, we are mainly interested in the iptables aspect of this lot. Do note that there are no specific chains or tables for different interfaces or anything like that. FORWARD is always passed by all packets that are forwarded over this firewall/router.
 
Do not use the INPUT chain to filter on in the previous scenario! INPUT is meant solely for packets to our local host that do not get routed to any other destination.
 
 
 
 
Mangle table
The following targets are only valid in the mangle table. They can not be used outside the mangle table.
  • TOS
  • TTL
  • MARK
  • SECMARK
  • CONNSECMARK
 
Nat table
This table should only be used for NAT (Network Address Translation) on different packets. In other words, it should only be used to translate the packet's source field or destination field. Note that, as we have said before, only the first packet in a stream will hit this table. After this, the rest of the packets will automatically have the same action taken on them as the first packet. The actual targets that do these kind of things are:
  • DNAT
  • SNAT
  • MASQUERADE
  • REDIRECT
 
 
Filter table
The filter table is mainly used for filtering packets. We can match packets and filter them in whatever way we want. This is the place that we actually take action against packets and look at what they contain and DROP or /ACCEPT them, depending on their content. Of course we may also do prior filtering; however, this particular table is the place for which filtering was designed. Almost all targets are usable in this table. We will be more prolific about the filter table here; however you now know that this table is the right place to do your main filtering.
 
Raw table
The raw table is mainly only used for one thing, and that is to set a mark on packets that they should not be handled by the connection tracking system. This is done by using the NOTRACK target on the packet
User specified chains
 
 
 
补充
--
Mangle是一个数据包分析,但是很多RouterOS都喜欢称其为标记,但实际上标记只是mangle的一部分功能而已。
Mangle的翻译就是压碎,撕烂的意思,在路由器里面就是拆开包来研究,然后重新组合。我们就是通过mangle规则来分析数据包里面含有的关键信息,然后进行重新归类,标记,或者修改其中部分的参数。在ROS里面Mangle主要分为以下三类,以及对应的动作如下:
1.分析关注,对匹配规则的数据包进行分析关注,不对包进行其他操作
2.分析标记,对匹配规则的数据包进行分析标记,加上标记。
3.分析调整,对匹配的数据包进行拆包修改,修改数据并且重新封装。
iptables_表和链(Traversing of tables and chains)
Mangle是ROS里面动作(Action)最多的一个表,也是五链最全的,贯穿整个数据流程,见下图橙色部分:
iptables_表和链(Traversing of tables and chains)
Mangle规则的配置,就需要理解OSI七层模型和常用的数据协议包的组成原理。这样我们才能在配置Mangle规则的时候能最大化的保证数据传输效率。下一章我们以TCP/UDP协议来深入探讨一下网络传输中的一些常见问题。
 
参考: