Preliminaries: iptables has three rule queues (tables): the mangle queue, the filter queue and the nat queue.
1. The first is the mangle table, which is responsible for altering the quality-of-service bits in the TCP header.
2. The second table is the filter queue, which is responsible for packet filtering.
* Forward chain: filters packets going to servers protected by the firewall.
* Input chain: filters packets destined for the firewall itself.
* Output chain: filters packets originating from the firewall.
3. The third table is the nat queue, which is responsible for network address translation. It has two built-in chains; these are:
* Pre-routing chain: NATs packets when the destination address of the packet needs to be changed.
* Post-routing chain: NATs packets when the source address of the packet needs to be changed.

Personal conclusion: iptables rules are executed from the rule table in top-to-bottom order. If a rule does not match, the next rule is examined; if a rule matches, that rule is executed, and once its action (accept, reject, log, etc.) has been carried out, the action determines what happens next. In general there are three situations:
1. Continue with the next rule in the current rule queue. For example, after a LOG in the filter queue, the next rule in the filter queue is executed.
2. Abort the current rule queue and go on to the next queue. For example, after an ACCEPT in the filter queue, the remaining filter rules are skipped and processing jumps to the nat queue.
3. Stop all rule queues.
iptables filters with a stack of rules: when a packet enters the network card, PREROUTING is checked first, then the destination IP is examined to decide whether the packet must be forwarded out, and the packet goes to filter INPUT or FORWARD accordingly. Packets that are forwarded are then checked against POSTROUTING; packets originating from the machine itself are checked against OUTPUT and then POSTROUTING.
If a packet matches a rule it is processed by that rule's action. Besides ACCEPT, REJECT, DROP, REDIRECT and MASQUERADE, the additional actions include LOG, ULOG, DNAT, SNAT, MIRROR, QUEUE, RETURN, TOS, TTL, MARK and so on. Some of these actions do not interrupt the filtering program; others break out of the current rule chain, and filtering then continues with the next rule chain as described above (note: this differs from ipchains), until the whole rule stack has been checked. The benefit of this mechanism is that complex, multi-stage packet filtering can be carried out; simply put, iptables can filter across tables and, through its chains, in a non-linear fashion.

ACCEPT: accept the packet. After this action is finished, no further rules in this chain are compared; processing skips to the next rule chain (nat: postrouting).

REJECT: block the packet and optionally notify the sender with a reply packet. The reply can be chosen from ICMP port-unreachable, ICMP echo-reply or tcp-reset (the latter asks the peer to close the connection). After this action, no further rules are compared; the filtering program is interrupted directly. Example: iptables -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset

DROP: discard the packet without further handling. After this action, no further rules are compared; the filtering program is interrupted directly.

REDIRECT: redirect the packet to another port (PNAT). After this action, comparison continues with the other rules. This can be used to implement a transparent proxy or to protect a web server. Example: iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

MASQUERADE: rewrite the packet's source IP to the IP of the firewall's network card; a port range can be specified. After this action, processing skips to the next rule chain (mangle: postrouting). This action differs slightly from SNAT: with IP masquerading you do not need to specify which IP to masquerade as, because the IP is read directly from the network card. When you use a dial-up line, the IP is usually assigned by the ISP's DHCP server, which makes MASQUERADE particularly useful. Example: iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports 1024-31000

LOG: record the packet's information under /var/log; for the exact location, check the /etc/syslog.conf configuration file. After this action, comparison continues with the other rules. Example: iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets"

SNAT: rewrite the packet's source IP to a specific IP or IP range; a port range can be specified. After this action, processing jumps to the next rule chain (mangle: postrouting). Example: iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000

DNAT: rewrite the packet's destination IP to a specific IP or IP range; a port range can be specified. After this action, processing jumps to the next rule chain (filter: input or forward). Example: iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10:80-100

MIRROR: mirror the packet, that is, swap its source and destination IPs and send it back. After this action, the filtering program is interrupted.

QUEUE: interrupt the filtering program and place the packet in a queue for other programs. By writing a handler, other applications can process it, for example to calculate online charges, and so on.

RETURN: end filtering in the current rule chain and return to the main rule chain, which continues filtering. If a custom rule chain is treated as a subroutine, this action is equivalent to ending the subroutine early and returning to the main program.

MARK: mark the packet with a label so that subsequent filtering rules can use it as a criterion. After this action, comparison continues with the other rules. Example: iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
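To make the traversal order described in this post concrete (rules compared top to bottom, LOG and MARK continuing with the next rule, ACCEPT/DROP/REJECT ending the chain, RETURN leaving a custom chain as if it were a subroutine, and the PREROUTING, then INPUT or FORWARD, then POSTROUTING flow), here is a small simulator written as an added example for this page. It is not code from the original post and it does not call iptables; it only models the semantics the text describes. The firewall address 192.0.2.1, the user chain ssh_guard, the four packets and the match fields (proto, dport, src) are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # once these fire, the chain is finished

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    mark: int = 0                  # written by MARK, visible to later rules

@dataclass
class Rule:
    target: str                    # ACCEPT/DROP/REJECT/LOG/MARK/RETURN or a user chain name
    proto: Optional[str] = None    # None in a match field means "any"
    dport: Optional[int] = None
    src: Optional[str] = None
    options: dict = field(default_factory=dict)   # e.g. log-prefix, set-mark

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.src is None or self.src == pkt.src))

@dataclass
class Chain:
    name: str
    rules: list
    policy: Optional[str] = None   # built-in chains carry a policy, user chains do not

class Table:
    def __init__(self, *chains: Chain):
        self.chains = {c.name: c for c in chains}

    def traverse(self, chain_name: str, pkt: Packet, log: list) -> Optional[str]:
        # Walk one chain top to bottom; None means the chain was left without a verdict.
        chain = self.chains[chain_name]
        for rule in chain.rules:
            if not rule.matches(pkt):
                continue                           # no match: compare the next rule
            t = rule.target
            if t == "LOG":                         # non-terminating: record and keep going
                log.append(f"{rule.options.get('log-prefix', '')}{pkt.proto}/{pkt.dport} {pkt.src}->{pkt.dst}")
            elif t == "MARK":                      # non-terminating: tag the packet and keep going
                pkt.mark = rule.options["set-mark"]
            elif t == "RETURN":                    # leave this chain early; the caller carries on
                return None
            elif t in TERMINATING:
                return t
            else:                                  # a user-defined chain is called like a subroutine
                verdict = self.traverse(t, pkt, log)
                if verdict is not None:
                    return verdict
        return chain.policy                        # None for a user chain: an implicit RETURN

class Firewall:
    def __init__(self, local_ip: str, tables: dict):
        self.local_ip, self.tables = local_ip, tables

    def receive(self, pkt: Packet, log: list) -> str:
        # Packet arriving on the card: PREROUTING, then the routing decision picks
        # INPUT (addressed to this host) or FORWARD followed by POSTROUTING.
        hooks = [("mangle", "PREROUTING"), ("nat", "PREROUTING")]
        if pkt.dst == self.local_ip:
            hooks += [("mangle", "INPUT"), ("filter", "INPUT")]
        else:
            hooks += [("mangle", "FORWARD"), ("filter", "FORWARD"),
                      ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")]
        for table, chain in hooks:
            tbl = self.tables.get(table)
            if tbl is None or chain not in tbl.chains:
                continue                           # nothing configured at this hook
            verdict = tbl.traverse(chain, pkt, log)
            if verdict in ("DROP", "REJECT"):
                return verdict                     # filtering stops here
        return "ACCEPT"                            # survived every hook

def build_demo() -> Firewall:
    # Constructed rule set echoing the post's examples: mark ssh in mangle, log every tcp
    # packet to INPUT, vet ssh in a user chain, reject forwarded ssh. All values are assumed.
    mangle = Table(Chain("PREROUTING", [Rule("MARK", proto="tcp", dport=22, options={"set-mark": 2})], "ACCEPT"))
    ssh_guard = Chain("ssh_guard", [Rule("ACCEPT", src="10.0.0.5"), Rule("RETURN")])
    inp = Chain("INPUT", [Rule("LOG", proto="tcp", options={"log-prefix": "INPUT packets "}),
                          Rule("ssh_guard", proto="tcp", dport=22),
                          Rule("ACCEPT", proto="tcp", dport=80)], "DROP")
    fwd = Chain("FORWARD", [Rule("REJECT", proto="tcp", dport=22)], "ACCEPT")
    return Firewall("192.0.2.1", {"mangle": mangle, "nat": Table(), "filter": Table(inp, fwd, ssh_guard)})

def run_demo():
    # Four constructed packets; returns the verdicts, the marks left on them and the LOG lines.
    fw, log = build_demo(), []
    pkts = {"admin_ssh": Packet("10.0.0.5", "192.0.2.1", "tcp", 22),
            "other_ssh": Packet("10.0.0.9", "192.0.2.1", "tcp", 22),
            "web":       Packet("10.0.0.9", "192.0.2.1", "tcp", 80),
            "fwd_ssh":   Packet("10.0.0.9", "198.51.100.7", "tcp", 22)}
    verdicts = {name: fw.receive(p, log) for name, p in pkts.items()}
    return verdicts, {name: p.mark for name, p in pkts.items()}, log
```

Running run_demo() shows the three behaviours side by side: the ssh packet from 10.0.0.5 is logged, marked and accepted inside ssh_guard; the ssh packet from 10.0.0.9 is logged and marked, falls through RETURN back into INPUT, matches nothing further and meets the DROP policy; the web packet never enters ssh_guard and is accepted by the later rule; the forwarded ssh packet is marked in PREROUTING, routed to FORWARD and rejected there, and never touches the INPUT LOG rule.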