
IPtables Concepts and Functions


IPTABLES: four tables and five chains

iptables has four built-in tables: filter, nat, mangle and raw. Between them they use five built-in chains, PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING, each chain corresponding to one netfilter hook point; a given table only contains the chains that make sense for it (filter, for example, has no PREROUTING or POSTROUTING). When several tables hook the same point, they are consulted in the fixed order raw, mangle, nat, filter.

IPTABLES packet flow

A packet that arrives on an interface first passes through PREROUTING, and the routing decision that follows determines where it goes next. If the destination address belongs to this host, the packet is handed to INPUT, which decides whether to accept it and deliver it to user space (path ① -> ② in the figure, which is not reproduced here). If the destination is not local, for example because a DNAT rule in the nat table's PREROUTING chain rewrote it to an internal host, the packet goes to FORWARD and then leaves through POSTROUTING (path ① -> ③ -> ④ -> ⑥). Forwarding only happens when IP forwarding is enabled (net.ipv4.ip_forward=1); with it disabled, a non-local packet is discarded by the routing code and never reaches FORWARD. A packet generated by this host goes through OUTPUT and then POSTROUTING (path ⑤ -> ⑥). PREROUTING and POSTROUTING are named for their position relative to the routing decision: PREROUTING sees packets just received, in the figure the traffic coming in from the public network, and POSTROUTING sees packets about to be transmitted, the traffic leaving towards the public network.
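The chain sequence above can be observed on a real host with the TRACE target of the raw table (iptables -t raw -A PREROUTING ... -j TRACE), which makes the kernel log one "TRACE: table:chain:type:rulenum" line for every rule and chain policy the packet hits. The script below is an added example, not part of the original article: the trace lines are constructed in that documented format for a hypothetical forwarded packet (documentation addresses 203.0.113.5, 198.51.100.1, 192.168.1.10 and interfaces eth0/eth1 are assumptions), and the functions reduce a trace to the table:chain path the packet walked and classify which of the three flows it took.

```shell
#!/bin/sh
# Constructed sample of what the kernel logs after
#   iptables -t raw -A PREROUTING -s 203.0.113.5 -j TRACE
# for one packet from the public side that a nat/PREROUTING DNAT rule
# redirected to an internal web server. Addresses and interface names
# are assumptions for this example.
# Note that DST changes from the public address to 192.168.1.10 before
# FORWARD: DNAT happens before the routing decision, which is why the
# packet is forwarded instead of delivered locally.
SAMPLE_TRACE='TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP DPT=80
TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP DPT=80
TRACE: mangle:FORWARD:policy:1 IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP DPT=80
TRACE: filter:FORWARD:rule:2 IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP DPT=80
TRACE: nat:POSTROUTING:policy:1 IN= OUT=eth1 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP DPT=80'

# Reduce TRACE lines (read on stdin, e.g. from dmesg) to the sequence of
# table:chain pairs the packet traversed, joined with " -> ".
# The leading sub() strips any dmesg timestamp before "TRACE: ".
trace_path() {
  awk '/TRACE: / {
         sub(/.*TRACE: /, "")
         split($1, f, ":")
         printf "%s%s:%s", (n++ ? " -> " : ""), f[1], f[2]
       }
       END { print "" }'
}

# Classify the flow from the chains that appear in the path:
# FORWARD means routed through this host, INPUT means delivered here,
# OUTPUT (without FORWARD) means generated here.
trace_flow() {
  path=$(trace_path)
  case "$path" in
    *FORWARD*) echo "forwarded" ;;
    *INPUT*)   echo "local-delivery" ;;
    *OUTPUT*)  echo "locally-generated" ;;
    *)         echo "unknown" ;;
  esac
}

printf '%s\n' "$SAMPLE_TRACE" | trace_path
printf '%s\n' "$SAMPLE_TRACE" | trace_flow
```

On a live system, replace the constructed sample with `dmesg | grep 'TRACE:'` (the TRACE target needs the xt_TRACE module and, on kernels using nfnetlink_log, a running logger such as ulogd to see the lines). Remove the TRACE rule afterwards; it logs every matching packet.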

The filter table: filter is the default table of iptables, so any command that does not name a table with -t acts on filter. It has three built-in chains: INPUT handles packets addressed to this host; OUTPUT handles packets generated by this host; FORWARD handles packets that are routed through this host from one interface to another, neither originating here nor addressed here. Because filter is consulted last at each hook, its rules already see the addresses as rewritten by the nat table: a FORWARD rule for a port-forwarded connection must match the internal address that DNAT wrote in, not the public one.

The nat table: NAT (network address translation) is everywhere in practice. A home router sharing one Internet connection uses NAT so that many private addresses share a single public IP. The principle is simple: when an internal host's packet passes through the router on its way out, the router replaces the packet's private source IP with its own public IP and records the mapping; when the external server answers, the reply passes through the router again and the router rewrites the destination, its own public IP, back to the private IP of the host that started the exchange. SNAT and DNAT are the two concepts that describe these rewrites in iptables. When an internal host reaches the outside and the source IP is changed on the way, that is SNAT; conversely, when traffic from outside is sent to an internal host and the destination IP (the router's public IP) is rewritten to the private IP, that is DNAT. The nat table is traditionally described with three built-in chains: PREROUTING handles packets that have just arrived and have not yet been routed; it rewrites the destination IP address and is therefore used for DNAT. POSTROUTING handles packets that are about to leave the host; it rewrites the source IP address and is therefore used for SNAT (or MASQUERADE, which is SNAT to the outgoing interface's current address). OUTPUT handles packets generated locally, so that DNAT can also be applied to the host's own connections. Two points worth keeping in mind: kernels from 2.6.34 onwards also have an INPUT chain in the nat table, so iptables-save shows four chains there; and the nat table is only consulted for the first packet of a connection, after which connection tracking applies the same translation, and its reverse, to every further packet of that connection in both directions.
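The following script is an added example, not taken from the original article, that puts the filter and nat tables together in one ruleset for a hypothetical router (eth0 facing the public network, eth1 facing a 192.168.1.0/24 LAN, and an internal web server at 192.168.1.10; all of these are assumptions). It emits the ruleset in iptables-restore format so that the table and chain structure described above is visible line by line: DNAT in nat/PREROUTING, MASQUERADE in nat/POSTROUTING, and the filter/FORWARD rule that must match the already-rewritten internal address.

```shell
#!/bin/sh
# Hypothetical router: eth0 faces the public network, eth1 the LAN.
# Interface names and addresses are assumptions for this example.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
WEB_SERVER=192.168.1.10

# Print a complete ruleset in iptables-restore(8) format.
# filter decides what is accepted; nat rewrites addresses. Lines that
# start with '#' are ignored by iptables-restore.
gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: packets addressed to the router itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
# FORWARD: packets routed between $WAN_IF and $LAN_IF
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# Port forward: nat/PREROUTING already rewrote DST, so match the LAN address here
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT: public port 80 -> internal web server (destination rewritten before routing)
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80
# SNAT: LAN hosts leave with the router's public address (source rewritten after routing)
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Count the rules the generated ruleset places in one table/chain,
# e.g. "ruleset_count nat PREROUTING" prints 1.
ruleset_count() {
  gen_ruleset | awk -v t="*$1" -v c="$2" '
    $1 == t                        { in_t = 1; next }
    $1 == "COMMIT"                 { in_t = 0 }
    in_t && $1 == "-A" && $2 == c  { n++ }
    END { print n + 0 }'
}

# To apply (root required):
#   sysctl -w net.ipv4.ip_forward=1
#   gen_ruleset | iptables-restore
gen_ruleset
```

The nat INPUT chain in the ruleset requires a kernel of 2.6.34 or later; on older kernels drop that line. Note also that the FORWARD chain's default policy is DROP, so a port forward needs both the DNAT rule and an explicit FORWARD accept.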

Published by 主机参考; when reposting, please credit: IPtables Concepts and Functions, https://zhujicankao.com/12317.html
