Detailed Explanation of Linux netfilter and iptables Knowledge Points

Netfilter

Netfilter is a packet processing module in Linux kernel, which can provide packet filtering, forwarding and address translation functions of NAT. Iptables is a tool that can be used to add, modify and delete packet processing rules in Netfilter.

Netfilter is located between the network card and the kernel protocol stack of a wall, is a free software firewall.

There are three main concepts in Netfilter: rule, table, chain, and rank increasing in turn.

Rules are processing instructions for specific messages, including matching fields and action.
A chain is a collection of 1 set of rules.
A table is a set of rules with the same function in a chain.

Rules

Chain

Chain can be regarded as multi-level before network card and kernel protocol stack. For impassable messages, impassable levels are processed, that is, impassable chains are matched.

Message sent to kernel protocol stack from network card: PREROUTING- > INPUT
Messages from network card that cannot be uploaded to kernel protocol stack: PREROUTING- > FORWARD - > POSTROUTING
Message sent from kernel protocol stack to network card: OUTPUT- > POSTROUTING

Table

For administrative convenience, the rules of the same function in the chain are organized in one table, and iptables has defined four tables for us.

Priority order of tables (from high to low): raw- > mangle - > nat - > filter

Watch-chain relationship

You can have more than one table in a chain, but you don't have all the tables.

The processing of data packets is based on the chain, but in the actual use process, the rules are defined through the table as an operator.

iptables

Introduction to iptables

The packet filtering function of linux, namely linux firewall, is composed of netfilter and iptables.

The netfilter component, also known as kernel space, is part of the kernel and consists of packet filtering tables that contain the set of rules the kernel uses to control packet filtering.

The iptables component is a tool, also known as user space, that makes it easy to insert, modify, and remove rules from packet filtering tables.

iptables Fundamentals

We know that iptables works according to rules, which are actually predefined conditions by network administrators. Rule 1 is defined as "if the packet header meets such conditions, handle the packet like this". Rules are stored in packet filtering tables in kernel space, specifying source address, destination address, transport protocol (such as TCP, UDP, ICMP), service type (such as HTTP, FTP, and SMTP), and so on. When packets match the rules, iptables processes them according to the methods defined by the rules, such as drop (accept), reject (reject), and drop (drop). The main task of configuring firewall is to add, modify and delete these rules.

When a client accesses the server's web service, The client sends a message to the network card, The tcp/ip protocol stack belongs to one part of the kernel, Therefore, the client information is transmitted to the web service in user space through the TCP protocol of the kernel. At this time, the target end point of the client message is on the socket (IP: Port) that the web service listens on. When the web service needs to respond to client requests, The destination of the response message sent by web service is the client, At this time, The IP and port that the web service listens on become the origin instead, As we said, netfilter is the real firewall, It is part 1 of the kernel, Therefore, if we want the firewall to achieve the purpose of "fire prevention", It is necessary to set up checkpoints in the kernel, and all incoming and outgoing messages must pass through these checkpoints. After inspection, those that meet the release conditions can be released, while those that meet the blocking conditions need to be blocked. Therefore, input checkpoints and output checkpoints appear, and these checkpoints are not called "checkpoints" but "chains" in iptables.