Netfilter/Iptables

1.      Table:raw, mangle, nat, filter

2.      Chain:PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

 

3.      Netfilter in composed withtables, chains and rules.

4.      Chains are in tables, and rulesare added in the chains.

5.      The follow is the packet flowof netfilter:

Match

Iptables 常用的match

1.      -p, --protocol [!] protocol

2.      -s, --source [!] address[/mask]

3.      -d, --destination [!]address[/mask]

4.      -i, --in-interface [!] name

5.      -o, --out-interface [!] name

6.      MATCH EXTENSIONS

a)        Tcp

b)       Udp

c)        State

d)       Mark

e)        Connmark

f)         Conntrack

g)        Connlimit

h)       Connbytes

i)          Tos

j)         Dscp

k)        Tcpmss

l)          Ttl

m)      Limit

n)       Mac

o)       Icmp

p)       Length

q)       Connrate

r)         Dstlimit

s)        Iprange

t)         Mport

u)       Multiport

v)        U32

 

Target

Iptables 常用的target

1.      ACCEPT

2.      DROP

3.      REJECT: This is used to send backan error packet in response to the matched packet: otherwise it is equivalentto DROP.

4.      TTL: This is used to modify theIPv4 TTL header field.

5.      TCPMSS: This target allows userto alter the MSS value of TCP SYN packets, to control the maximum size for thatconnection (usually limiting it to your outgoing interface's MTU minus 40). Ofcourse, it can only be used in conjunction with -p tcp. It is only valid in themangle table.

 

6.      LOG

7.      TRACE: It just turns on packettracing for all packets that match this rule.

 

8.      MARK

9.      CONNMARK

10.  DSCP

11.  TOS

12.  SNAT

13.  DNAT

14.  NFQUEUE: it allows you to put apacket into any specific queue, identified by its 16-bit queue number.

15.  REDIRECT