Iptables: four tables and five chains
iptables has four built-in tables: filter, nat, mangle and raw. The five built-in chains (PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING) are described below.
Iptables packet flow
A packet first passes through PREROUTING, which determines where it goes. If the destination address is local, the packet is sent to INPUT, which decides whether to accept it and hand it to user space; this path is ① → ②. If the packet matches the forwarding rules in PREROUTING's nat table, it is sent to FORWARD and then leaves through POSTROUTING; this path is ① → ③ → ④ → ⑥. When the host itself sends a packet, the path is ⑤ → ⑥. PREROUTING and POSTROUTING are named for the direction of packet flow: in the figure above, POSTROUTING handles packets leaving for the public network and PREROUTING handles packets arriving from the public network.
The filter table in iptables on Linux
The filter table is the default table of iptables: if you do not specify a table, filter is used. It has three built-in chains:
- INPUT chain – handles packets arriving from outside;
- OUTPUT chain – handles packets sent out by the host;
- FORWARD chain – forwards packets to the machine's other network interfaces.
The nat table in iptables on Linux
NAT (network address translation) is common in everyday use. For example, when a home router shares one Internet connection, it normally uses NAT, which lets many private IP addresses share a single public IP. The principle of NAT, put simply, is this: when an internal host accesses the outside network and its packets pass through the router, the router rewrites the private source IP in each packet to the router's own public IP and records the packet's details; when the external server responds to the request or exchange that originated inside, and its packets pass back through the router, the router rewrites what was its own public IP back to the private IP. SNAT and DNAT are two important concepts for NAT rules in iptables. As shown in the figure above, when an internal host accesses the outside and its traffic passes through the router, the source IP changes; this change is SNAT. Conversely, when packets from outside pass through the router to an internal host, the destination IP in the packet (the router's public IP) is rewritten to the private IP; this change is DNAT. The nat table has three built-in chains:
- PREROUTING chain – handles packets that have just arrived at this host, before the routing decision. It rewrites the destination IP address of the packet and is normally used for DNAT (destination NAT).
- POSTROUTING chain – handles packets that are about to leave this host. It rewrites the source IP address of the packet and is normally used for SNAT (source NAT).
- OUTPUT chain – handles packets generated by this host.
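The traversal described in the packet-flow section and the filter table's three chains, as an added Python model that is not code from the page: a packet received on an interface starts in PREROUTING, goes to INPUT if it is addressed to the host or to FORWARD otherwise, and only forwarded or locally generated packets reach POSTROUTING. The host addresses, interface names and filter rules are constructed for this example; the circled numbers in the text refer to the missing figure, so the model reports chain names instead.

```python
"""Toy model of iptables packet traversal (added example, not code from the page).

Hooks modelled: PREROUTING -> routing decision -> INPUT (local delivery) or
FORWARD -> POSTROUTING; packets generated by the host go OUTPUT -> POSTROUTING.
Only the filter table's INPUT/FORWARD/OUTPUT chains carry rules in this model.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: addresses owned by this host (eth0 = public side, eth1 = LAN side).
LOCAL_ADDRS = {"203.0.113.10", "192.168.1.1"}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: Optional[str] = None  # None: the packet was generated by this host


@dataclass
class Rule:
    """One filter rule: every match field that is set must match for `target` to fire."""
    target: str                        # "ACCEPT" or "DROP"
    dport: Optional[int] = None
    src_prefix: Optional[str] = None   # plain string prefix such as "192.168.1." (not CIDR)
    in_iface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src_prefix is not None and not pkt.src.startswith(self.src_prefix):
            return False
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        return True


# Constructed filter table: chain -> (default policy, ordered rules).
# Roughly: INPUT policy DROP, allow SSH only from the LAN and HTTPS from anywhere;
# FORWARD policy DROP, forward only what arrives on the LAN interface.
FILTER = {
    "INPUT": ("DROP", [Rule("ACCEPT", dport=22, src_prefix="192.168.1."),
                       Rule("ACCEPT", dport=443)]),
    "FORWARD": ("DROP", [Rule("ACCEPT", in_iface="eth1")]),
    "OUTPUT": ("ACCEPT", []),
}


def run_chain(chain: str, pkt: Packet) -> str:
    """First matching rule wins; if none matches, the chain's policy decides."""
    policy, rules = FILTER[chain]
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


def traverse(pkt: Packet) -> Tuple[List[str], str]:
    """Return the chains visited, in order, and the final verdict for the packet."""
    path: List[str] = []
    if pkt.in_iface is None:
        path.append("OUTPUT")                       # generated by the host itself
        verdict = run_chain("OUTPUT", pkt)
    else:
        path.append("PREROUTING")                   # every received packet starts here
        if pkt.dst in LOCAL_ADDRS:
            path.append("INPUT")                    # routing decision: addressed to us
            return path, run_chain("INPUT", pkt)    # delivered locally; never sees POSTROUTING
        path.append("FORWARD")                      # routing decision: addressed to someone else
        verdict = run_chain("FORWARD", pkt)
    if verdict == "ACCEPT":
        path.append("POSTROUTING")                  # last hook before the packet leaves
    return path, verdict


if __name__ == "__main__":
    # Constructed sample packets: inbound HTTPS, inbound SSH from the Internet,
    # LAN host going out, Internet host trying to reach the LAN, and a local DNS query.
    for p in (Packet("198.51.100.5", "203.0.113.10", 443, "eth0"),
              Packet("198.51.100.5", "203.0.113.10", 22, "eth0"),
              Packet("192.168.1.20", "198.51.100.5", 80, "eth1"),
              Packet("198.51.100.5", "192.168.1.20", 80, "eth0"),
              Packet("203.0.113.10", "198.51.100.5", 53)):
        print(p, "->", traverse(p))
```

The point the model makes visible is that INPUT and FORWARD are mutually exclusive for a given packet (the routing decision picks one), and that a packet accepted by INPUT is consumed by the host and never reaches POSTROUTING, whereas forwarded and locally generated packets always do.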
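The SNAT and DNAT behaviour described above (source rewritten in POSTROUTING for outbound traffic, destination rewritten in PREROUTING for inbound traffic, and the recorded packet details used to reverse the translation for replies), as an added Python model that is not code from the page. The router's public address 203.0.113.10, the 192.168.1.0/24 LAN, the DNAT rule for port 8080 and the port numbers are all constructed; the flow table mirrors how Linux conntrack stores an original tuple and a reply tuple per connection, but is a simplification (no timeouts, no protocol state). The equivalent rules on a real router would be `iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE` and `iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.30:80`.

```python
"""Toy NAT router (added example, not code from the page).

PREROUTING applies DNAT (destination rewritten before the routing decision);
POSTROUTING applies SNAT (source rewritten as the packet leaves). A flow table
in the style of Linux conntrack records each translation so replies are reversed.
"""
from dataclasses import dataclass, replace
from typing import Dict, Tuple

ROUTER_PUBLIC_IP = "203.0.113.10"   # constructed: the router's public address
LAN_PREFIX = "192.168.1."           # constructed: the private network behind it

Tuple4 = Tuple[str, int, str, int]   # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def key(self) -> Tuple4:
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class Flow:
    """One conntrack-style entry: the packet as it first arrived (orig) and the
    fully translated packet reversed (reply), so a reply is recognised by its tuple."""
    orig: Tuple4
    reply: Tuple4


class NatRouter:
    def __init__(self) -> None:
        self.dnat_rules: Dict[Tuple[str, int], Tuple[str, int]] = {}   # (pub ip, port) -> (lan ip, port)
        self.flows: Dict[Tuple4, Tuple[Flow, str]] = {}               # 4-tuple -> (flow, "orig" | "reply")
        self.next_port = 40000   # next free public source port handed out by SNAT

    def add_dnat(self, pub_port: int, lan_ip: str, lan_port: int) -> None:
        """PREROUTING rule: traffic to the router's public IP on pub_port goes to a LAN host."""
        self.dnat_rules[(ROUTER_PUBLIC_IP, pub_port)] = (lan_ip, lan_port)

    def _record(self, orig: Packet, translated: Packet) -> None:
        flow = Flow(orig.key(), (translated.dst, translated.dport, translated.src, translated.sport))
        self.flows[flow.orig] = (flow, "orig")
        self.flows[flow.reply] = (flow, "reply")

    def handle(self, pkt: Packet) -> Packet:
        """Run one forwarded packet through PREROUTING (DNAT side) and POSTROUTING (SNAT side)."""
        hit = self.flows.get(pkt.key())
        if hit is not None:
            flow, direction = hit
            if direction == "reply":
                # PREROUTING undoes SNAT: destination back to the original source ...
                pkt = replace(pkt, dst=flow.orig[0], dport=flow.orig[1])
                # ... and POSTROUTING undoes DNAT: source back to the original destination.
                return replace(pkt, src=flow.orig[2], sport=flow.orig[3])
            # Later packets of a known flow get exactly the translation recorded for it.
            return Packet(flow.reply[2], flow.reply[3], flow.reply[0], flow.reply[1])

        original = pkt
        # PREROUTING / DNAT: rewrite the destination so the routing decision sees the LAN host.
        target = self.dnat_rules.get((pkt.dst, pkt.dport))
        if target is not None:
            pkt = replace(pkt, dst=target[0], dport=target[1])
        # POSTROUTING / SNAT (masquerade): a LAN source leaving for the outside gets the public IP.
        if pkt.src.startswith(LAN_PREFIX) and not pkt.dst.startswith(LAN_PREFIX):
            pkt = replace(pkt, src=ROUTER_PUBLIC_IP, sport=self.next_port)
            self.next_port += 1
        if pkt != original:
            self._record(original, pkt)   # the "recorded details" that let replies come back
        return pkt


if __name__ == "__main__":
    r = NatRouter()
    r.add_dnat(8080, "192.168.1.30", 80)            # constructed port-forward to a LAN web server
    out = r.handle(Packet("192.168.1.20", 51000, "198.51.100.5", 80))   # LAN host -> Internet (SNAT)
    print("SNAT out :", out)
    print("SNAT back:", r.handle(Packet("198.51.100.5", 80, out.dst and "203.0.113.10", out.sport)))
    inb = r.handle(Packet("198.51.100.5", 33000, "203.0.113.10", 8080))  # Internet -> LAN server (DNAT)
    print("DNAT in  :", inb)
    print("DNAT back:", r.handle(Packet("192.168.1.30", 80, "198.51.100.5", 33000)))
```

In the real kernel the flow lookup happens once per packet in the conntrack hook, and the nat table is consulted only for the first packet of a new connection; every later packet, in either direction, reuses the mapping stored in the entry. The model keeps that shape: rules are evaluated only when no flow exists, and the second packet of a known flow is translated from the table without touching the rules.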
Published by 主机参考; when reposting, please credit: Iptables concepts and functions, https://zhujicankao.com/12317.html