1. Table: raw, mangle, nat, filter
2. Chain: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
3. Netfilter is composed of tables, chains and rules.
4. Chains belong to tables, and rules are added to chains.
5. The following is the packet flow of netfilter:
Match
Commonly used iptables matches
1. -p, --protocol [!] protocol
2. -s, --source [!] address[/mask]
3. -d, --destination [!]address[/mask]
4. -i, --in-interface [!] name
5. -o, --out-interface [!] name
6. MATCH EXTENSIONS
a) Tcp
b) Udp
c) State
d) Mark
e) Connmark
f) Conntrack
g) Connlimit
h) Connbytes
i) Tos
j) Dscp
k) Tcpmss
l) Ttl
m) Limit
n) Mac
o) Icmp
p) Length
q) Connrate
r) Dstlimit
s) Iprange
t) Mport
u) Multiport
v) U32
Target
Commonly used iptables targets
1. ACCEPT
2. DROP
3. REJECT: This is used to send back an error packet in response to the matched packet; otherwise it is equivalent to DROP.
4. TTL: This is used to modify the IPv4 TTL header field.
5. TCPMSS: This target allows the user to alter the MSS value of TCP SYN packets, to control the maximum size for that connection (usually limiting it to your outgoing interface's MTU minus 40). Of course, it can only be used in conjunction with -p tcp. It is only valid in the mangle table.
6. LOG
7. TRACE: It just turns on packet tracing for all packets that match this rule.
8. MARK
9. CONNMARK
10. DSCP
11. TOS
12. SNAT
13. DNAT
14. NFQUEUE: It allows you to put a packet into any specific queue, identified by its 16-bit queue number.
15. REDIRECT
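As an added example that is not part of these notes, the following Python model ties the pieces above together: tables hold chains, chains hold rules, each rule is a match plus a target, and an inbound packet visits the tables at each hook in netfilter's fixed order. It also shows why LOG and MARK differ from ACCEPT, DROP and REJECT: they do not end traversal. The packet fields, addresses and rules are constructed for illustration.

```python
from dataclasses import dataclass, field
# Tables consulted at each hook, in netfilter's order (constructed model of the flow).
TABLES_AT = {"PREROUTING": ["raw", "mangle", "nat"], "INPUT": ["mangle", "filter"],
             "FORWARD": ["mangle", "filter"], "OUTPUT": ["raw", "mangle", "nat", "filter"],
             "POSTROUTING": ["mangle", "nat"]}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # LOG and MARK fall through to the next rule

@dataclass
class Firewall:
    rules: dict = field(default_factory=dict)   # (table, chain) -> [(match, target)]
    policy: dict = field(default_factory=dict)  # (table, chain) -> default verdict
    log: list = field(default_factory=list)     # lines emitted by the LOG target

    def append(self, table, chain, match, target):
        # match: packet fields that must all be equal; target: ACCEPT/DROP/REJECT/LOG/"MARK:<v>"
        self.rules.setdefault((table, chain), []).append((match, target))

    def walk(self, table, chain, pkt):
        """First terminating match wins; otherwise the chain policy applies."""
        for match, target in self.rules.get((table, chain), []):
            if not all(pkt.get(k) == v for k, v in match.items()):
                continue
            if target == "LOG":
                self.log.append(f"{table}/{chain} {pkt}")
            elif target.startswith("MARK:"):
                pkt["mark"] = int(target[5:], 0)
            elif target in TERMINATING:
                return target
        return self.policy.get((table, chain), "ACCEPT")

    def traverse(self, pkt, local_addrs):
        """Inbound packet: PREROUTING, then INPUT if for us, else FORWARD and POSTROUTING."""
        hooks = ["INPUT"] if pkt["dst"] in local_addrs else ["FORWARD", "POSTROUTING"]
        for chain in ["PREROUTING"] + hooks:
            for table in TABLES_AT[chain]:
                verdict = self.walk(table, chain, pkt)
                if verdict != "ACCEPT":
                    return verdict
        return "ACCEPT"

def demo_firewall():
    """Default-deny INPUT and FORWARD; accept established flows and new SSH; log the rest."""
    fw = Firewall()
    fw.policy[("filter", "INPUT")] = fw.policy[("filter", "FORWARD")] = "DROP"
    fw.append("mangle", "PREROUTING", {"proto": "tcp", "dport": 22}, "MARK:0x1")
    fw.append("filter", "INPUT", {"state": "ESTABLISHED"}, "ACCEPT")
    fw.append("filter", "INPUT", {"proto": "tcp", "dport": 22, "state": "NEW"}, "ACCEPT")
    fw.append("filter", "INPUT", {}, "LOG")  # non-terminating: the rules below still run
    fw.append("filter", "INPUT", {"proto": "tcp", "dport": 23}, "REJECT")
    return fw
```

A packet destined for another host never enters INPUT, so the LOG rule there does not fire for forwarded traffic; only the FORWARD policy decides its fate.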