Master iptables in 2 Hours

Original article reposted from: http://blog.zh123.top/?p=278
"Master iptables in Two Hours" is an especially clear and concise document explaining how to use iptables. It is sufficient for configuring the firewall of a basic NAT-traversal (intranet tunnelling) server or a web server. Thanks to the author.

Link:

Master iptables in 2 Hours, Enterprise Edition v1.5.4

Below are supplementary notes on the concepts needed for firewall configuration:

1 The five connection states

NEW
NEW refers to incoming packets that are the first packet of an incoming connection that was not initiated by the host system. An example is the SYN packet in a TCP connection. However, the packet need not be a SYN packet to be considered NEW.

ESTABLISHED
An ESTABLISHED connection is a connection the firewall knows about and is tracking. The ESTABLISHED state has seen traffic in both directions and will then continuously match those packets. The only requirement to get into the ESTABLISHED state is that one host sends a packet and later gets a reply from the other host. ICMP reply messages can also be considered ESTABLISHED if we created a packet that in turn generated the ICMP reply.

RELATED
A connection is considered RELATED when it is related to another already ESTABLISHED connection. For a connection to be considered as RELATED, we must first have a connection that is considered ESTABLISHED. The ESTABLISHED connection will then spawn a connection outside of the main connection. The newly spawned connection will then be considered RELATED, if the conntrack module is able to understand that it is RELATED. An example is the FTP-data connections that are considered RELATED to the FTP control port.

Most TCP protocols and some UDP protocols that rely on this mechanism are quite complex and send connection information within the payload of the TCP or UDP data segments, and hence require special helper modules to be correctly understood.

INVALID
The INVALID state means that the packet can’t be identified or that it does not have any state. This may be due to several reasons, such as the system running out of memory or ICMP error messages that do not respond to any known connections. Generally, it is a good idea to DROP everything in this state.

UNTRACKED
If a packet is marked within the raw table with the NOTRACK target, then that packet will show up as UNTRACKED in the state machine.

2 The two network protocols

TCP
For TCP, once iptables has seen the SYN packet, it considers the connection as NEW. Once it sees the return packet (SYN/ACK) it considers the session as ESTABLISHED.

UDP
UDP connections are stateless. Receiving two UDP datagrams in a specific order does not say anything about the order in which they were sent. However, iptables can track “udp connections”.
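The following is an added example, not part of the original post or of the linked document: a minimal stateful INPUT ruleset in iptables-restore format that uses each of the five states described above. The permitted service ports 22, 80 and 443 are assumed values.

```shell
#!/bin/sh
# Emits a stateful filter ruleset (constructed example) that exercises the five
# conntrack states: UNTRACKED, INVALID, ESTABLISHED, RELATED and NEW.
# Load with:  stateful_ruleset | iptables-restore      (as root)
# Dry-run:    stateful_ruleset | iptables-restore --test
stateful_ruleset() {
  cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic is exempted from tracking in the raw table (the NOTRACK
# target in its current spelling), so it later shows up as ctstate UNTRACKED.
-A PREROUTING -i lo -j CT --notrack
-A OUTPUT -o lo -j CT --notrack
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# UNTRACKED: accept the loopback packets exempted above.
-A INPUT -i lo -m conntrack --ctstate UNTRACKED -j ACCEPT
# INVALID: the packet belongs to no identifiable connection; drop it.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ESTABLISHED: replies to traffic already seen in both directions. UDP has no
# handshake, but conntrack still pairs a DNS answer with our query this way.
# RELATED: helper-spawned connections, e.g. FTP-data next to FTP control.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# NEW: the first packet of an inbound connection, allowed only for the
# services this host offers (assumed ports).
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -m multiport --dports 22,80,443 -j ACCEPT
# An ICMP echo request is NEW; the echo reply we send flows as ESTABLISHED.
-A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Count how many rules reference a given state (useful when auditing a ruleset).
rules_for_state() {
  stateful_ruleset | grep -c -- "--ctstate [A-Z,]*$1"
}

stateful_ruleset
```

Because INPUT's policy is DROP, any packet that matches none of the rules, including a non-SYN "NEW" packet on an unlisted port, is silently discarded.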

3 Packet flow through the firewall

Figure 1: Simplified packet flow diagram

Figure 2: Complete packet flow diagram

Figure 2 covers all of the firewall's rule chains: PREROUTING, INPUT, OUTPUT, FILTER and POSTROUTING. Their relationships can be seen at a glance in Figure 2. The image is taken from Wikipedia.
