iptables

来源：互联网发布：软件测评师考试分数编辑：程序博客网时间：2024/04/26 07:07

1、iptable流程图

                                      |-------------------->mangle->filter->------------------|

                                                                     -----------------

                                       |                                     ||                                  |

                                                                              forward

                                       |                                                                            |

      ->mangle->nat->                                                                                  mangle->nat->

------------------------- routing                                                                         ------------------

               ||                                                                                                          ||

            prerouting             |                                                                            | postrouting



                                       |                                                                            |



                                       |->mangle->filter->localprocessor->mangle->nat->filter ->|

                                          -----------------                   -------------------

                                                   ||                                           ||

                                                   input                                     output

2、层次结构：
tables
chains (build-in / user-defined)
    rules

规则指定了包和目标(target)。
目标就是对匹配的包的动作。
目标可以是同一表内的自定义链(user-defined chain)，
或者是ACCEPT, DROP, QUEUE, 或RETURN。

未匹配的包进行链中下一规则的检查；
而匹配的包的目标决定了下一条要检查的规则。

RETURN表示返回到前一链的下一条规则，即从该链的检查中返回。
如果一条内建链检查完毕，链的策略目标(policy)决定包的去向。

有三个表：filter, nat, mangle.

filter: 缺省表。内建链有
    INPUT (for packets coming into the box itself),
    FORWARD (for packets being routed through the box), and
    OUTPUT (for locally-generated packets).
nat：新建连接时检查。三个内建链
    PREROUTING (for altering packets as soon as they come in),
    OUTPUT (for altering locally-generated packets before routing),
    POSTROUTING (for altering packets as they are about to go out).
mangle：用来更改特殊的包。内建链
    PREROUTING (for altering incoming packets before routing)
    OUTPUT (for altering locally-generated packets before routing),
    INPUT (for packets coming into the box itself),
    FORWARD (for altering packets being routed through the box),
    POSTROUTING (for altering packets as they are about to go out).

表的名字表示对包的处理动作，链的名字表示包所处的位置。
如到本机的包经过：PREROUTING, INPUT
本机向外发包：OUTPUT, POSTROUTE
转发的包：PREROUTING, FORWARD, POSTROUTE
3、iptables -L      粗略列出 filter 表所有链及所有规则
    iptables -t nat -vnL    用详细方式列出 nat 表所有链的所有规则，只显示 IP 地址和端口号
4、SNAT和MASQUERADE

SNAT：可以NAT成一个地址，也可以NAT成多个地址。但必须明确的指定要SNAT的ip。

ex: #iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to 222.123.54.22

MASQURADE：可从服务器的网卡上，自动获取当前ip地址来做NAT。适合于ADSL拨号上网。

ex： #iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE