computerlinux

iptables

IPTABLES

参考

Tables

表按类型组织规则,规则进一步组成链(hooks 触发 chains)

Built-in tables
  • nat 网络地址转换 chains-> OUTPUT,POSTROUTING,PREROUTING
  • filter 过滤数据包,链的默认表 chains-> FORWARD,INPUT,OUTPUT
  • mangle 修改数据包 chains-> FORWARD,INPUT,OUTPUT,POSTROUTING,PREROUTING

Chains

flow
链与网络层的hooks关联,每个流经网络层的包都将触发hooks.

  • PREROUTING: Triggered by the NF_IP_PRE_ROUTING hook.
  • INPUT: Triggered by the NF_IP_LOCAL_IN hook.
  • FORWARD: Triggered by the NF_IP_FORWARD hook.
  • OUTPUT: Triggered by the NF_IP_LOCAL_OUT hook.
  • POSTROUTING: Triggered by the NF_IP_POST_ROUTING hook.

每个Hook上的chains有执行的优先顺序,参考下图
tables_chains

Examples (Matches ,Targets)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.80
# wireguard example
iptables -I INPUT -p udp --dport 51824 -j ACCEPT
iptables -N wg0-input
iptables -A INPUT -i wg0 -j wg0-input
iptables -A wg0-input -m state --state ESTABLISHED,RELATED -j ACCEPT
# wireguard example 2
iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x200
iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x200 -j MASQUERADE

# drop them if the rate exceeds 10 per second
iptables -A INPUT -p icmp --icmp-type ping -m limit !--limit 10/s -j DROP
iptables -A PREROUTING -i eth1 -m mac --mac-source ! 0d:bc:97:02:18:21 -j DROP