Route vs IP Tables

route displays, adds and deletes entries from the kernel's TCP/IP routing table (aka "Forwarding Information Base").
iptables displays, adds, and deletes entries from Netfilter, the Linux kernel's packet filtering and manipulating subsystem.

The lowercase word on top is the table and the upper case word below is the chain. Every IP packet passes through this flow chart from top to bottom. The first routing decision at nat (PREROUTING) involves deciding if the final destination of the packet is the local machine (in which case the packet traverses through the INPUT chains) or elsewhere (in which case the packet traverses through the FORWARD chains). Subsequent routing decisions involve deciding what interface to assign to an outgoing packet.

                               XXXXXXXXXXXXXXXXXX
                             XXX     Network    XXX
                               XXXXXXXXXXXXXXXXXX
                                       +
                                       |
                                       v
 +-------------+              +------------------+
 |table: filter| <---+        | table: nat       |
 |chain: INPUT |     |        | chain: PREROUTING|
 +-----+-------+     |        +--------+---------+
       |             |                 |
       v             |                 v
 [local process]     |           ****************          +--------------+
       |             +---------+ Routing decision +------> |table: filter |
       v                         ****************          |chain: FORWARD|
****************                                           +------+-------+
Routing decision                                                  |
****************                                                  |
       |                                                          |
       v                        ****************                  |
+-------------+       +------>  Routing decision  <---------------+
|table: nat   |       |         ****************
|chain: OUTPUT|       |               +
+-----+-------+       |               |
      |               |               v
      v               |      +-------------------+
+--------------+      |      | table: nat        |
|table: filter | +----+      | chain: POSTROUTING|
|chain: OUTPUT |             +--------+----------+
+--------------+                      |
                                      v
                               XXXXXXXXXXXXXXXXXX
                             XXX    Network     XXX
                               XXXXXXXXXXXXXXXXXX

Tables

Packets flow in/out of the tables in this order for the PREROUTING chain: RAW > MANGLE > NAT > FILTER.

raw is used only for configuring packets so that they are exempt from connection tracking.
filter is the default table, and is where all the actions typically associated with a firewall take place.
nat is used for network address translation (e.g. port forwarding).
mangle is used for specialized packet alterations (see Mangled packet).
security is used for Mandatory Access Control networking rules (e.g. SELinux).

In most common use cases you will only use two of these: filter and nat.

Chains

Tables consist of chains, which are lists of rules which are followed in order. The default table, filter, contains three built-in chains: INPUT, OUTPUT and FORWARD. The nat table includes PREROUTING, POSTROUTING, and OUTPUT chains.

Chains do have a default policy (-P), which is generally set to ACCEPT, but can be reset to DROP, if you want to be sure that nothing slips through your ruleset. The default policy always applies at the end of a chain only. User-defined chains can be added to make rulesets more efficient or more easily modifiable. However, user-defined chains cannot have default policies.

Rules

Packet filtering is based on rules, which are specified by multiple matches (conditions the packet must satisfy so that the rule can be applied), and one target (action taken when the packet matches all conditions). The typical things a rule might match on are what interface the packet came in on (e.g. eth0 or eth1), what type of packet it is (ICMP, TCP, or UDP), or the destination port of the packet.

Targets are specified using the -j or --jump option. Targets can be either user-defined chains (i.e. if these conditions are matched, jump to the following user-defined chain and continue processing there), one of the special built-in targets, or a target extension.

Built-in targets are ACCEPT, DROP, QUEUE and RETURN; target extensions are, for example, REJECT and LOG. If the target is a built-in target, the fate of the packet is decided immediately and processing of the packet in the current table is stopped. Target extensions can be either terminating (as built-in targets) or non-terminating (as user-defined chains); see man 8 iptables-extensions for details.

Traversing Chains

If the target is a user-defined chain and the packet passes successfully through this second chain, it will move to the next rule in the original chain. If every rule in a chain that you jumped to fails to provide a complete match, the packet is dropped back into the calling chain. If at any time a complete match is achieved for a rule with a DROP target, the packet is dropped and no further processing is done. If a packet is ACCEPTed within a chain, it will be ACCEPTed in all superset chains also and it will not traverse any of the superset chains any further. However, be aware that the packet will continue to traverse all other chains in other tables in the normal fashion. A packet which is RETURNed within a chain will match the default policy; within a sub-chain, it will move back to the originating chain.

-m Modules

There are many modules which can be used to extend iptables, such as connlimit, conntrack, limit and recent. These modules add extra functionality to allow complex filtering rules.
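The traversal rules from Traversing Chains, as an added example that is not part of the original page: a simplified Python model of a single table (filter) in which matches are plain field comparisons. The user-defined chain name TCP, the addresses and the ports are constructed sample values, and QUEUE is not modelled.

```python
# Added example: simplified model of rule traversal inside ONE table (filter).
TERMINATING = {"ACCEPT", "DROP"}   # built-in targets that decide the packet's fate
NON_TERMINATING = {"LOG"}          # target extension that lets traversal continue

def walk(chains, name, pkt, trace):
    """Walk one chain; return a verdict, or None to resume in the calling chain."""
    for matches, target in chains[name]:
        if any(pkt.get(field) != value for field, value in matches.items()):
            continue                       # every match must hold for the rule to apply
        trace.append(f"{name}:{target}")
        if target in TERMINATING:
            return target                  # processing in this table stops here
        if target == "RETURN":
            return None                    # leave this chain early
        if target in NON_TERMINATING:
            continue                       # side effect only, go on to the next rule
        verdict = walk(chains, target, pkt, trace)  # jump to a user-defined chain
        if verdict is not None:
            return verdict
    return None                            # fell off the end without a verdict

def filter_packet(chains, policies, builtin_chain, pkt):
    """Return (verdict, trace); the policy applies only at the end of a built-in chain."""
    trace = []
    verdict = walk(chains, builtin_chain, pkt, trace)
    if verdict is None:
        verdict = policies[builtin_chain]
        trace.append(f"{builtin_chain}:policy {verdict}")
    return verdict, trace

# Constructed ruleset: chain name TCP, addresses and ports are sample values.
CHAINS = {
    "INPUT": [
        ({"iface": "lo"}, "ACCEPT"),
        ({"proto": "tcp"}, "TCP"),         # jump to the user-defined chain below
        ({"proto": "icmp"}, "LOG"),
    ],
    "TCP": [
        ({"src": "192.0.2.10"}, "RETURN"),
        ({"dport": 22}, "ACCEPT"),
        ({"dport": 23}, "DROP"),
    ],
}
POLICIES = {"INPUT": "DROP"}               # user-defined chains have no policy

if __name__ == "__main__":
    for pkt in ({"iface": "eth0", "proto": "tcp", "dport": 22},
                {"iface": "eth0", "proto": "tcp", "dport": 80},
                {"iface": "eth0", "proto": "icmp"}):
        print(pkt, *filter_packet(CHAINS, POLICIES, "INPUT", pkt))
```

The trace shows which rule fired in which chain, so a packet that falls through TCP and is caught by the INPUT policy is visibly different from one dropped by an explicit rule.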
