iptables基础信息介绍

在linux系统下，网络安全，除了有SElinux，另外就是iptables防火墙了，这个是用的最多也是功能非常强大的一个工具，今天就对其简单的架构上技术进行概要描述。让自己后续能够逻辑清晰的处理云环境下的网络安全。至少作为一个支撑吧。

首先，要知道，计算机上网的过程，数据包从internet到我们的PC，最后被PC上的应用程序所处理，并且给予远端来自internet的用户程序一个响应，数据包在防火墙层面上是如何traverse的。

Destination local host (our own machine)

Step	Table	Chain	Comment
1			On the wire (e.g., Internet)
2			Comes in on the interface (e.g., eth0)
3	mangle	PREROUTING	This chain is normally used for mangling packets, i.e., changing TOS and so on.
4	nat	PREROUTING	This chain is used for DNAT mainly. Avoid filtering in this chain since it will be bypassed in certain cases.
5			Routing decision, i.e., is the packet destined for our local host or to be forwarded and where.
6	mangle	INPUT	At this point, the mangle INPUT chain is hit. We use this chain to mangle packets, after they have been routed, but before they are actually sent to the process on the machine.
7	filter	INPUT	This is where we do filtering for all incoming traffic destined for our local host. Note that all incoming packets destined for this host pass through this chain, no matter what interface or in which direction they came from.
8			Local process/application (i.e., server/client program)

这个表，描述了数据从Internet到Local host的流程。

Source local host (our own machine)

Step	Table	Chain	Comment
1			Local process/application (i.e., server/client program)
2			Routing decision. What source address to use, what outgoing interface to use, and other necessary information that needs to be gathered.
3	mangle	OUTPUT	This is where we mangle packets, it is suggested that you do not filter in this chain since it can have side effects.
4	nat	OUTPUT	This chain can be used to NAT outgoing packets from the firewall itself.
5	filter	OUTPUT	This is where we filter packets going out from the local host.
6	mangle	POSTROUTING	The POSTROUTING chain in the mangle table is mainly used when we want to do mangling on packets before they leave our host, but after the actual routing decisions. This chain will be hit by both packets just traversing the firewall, as well as packets created by the firewall itself.
7	nat	POSTROUTING	This is where we do SNAT as described earlier. It is suggested that you don't do filtering here since it can have side effects, and certain packets might slip through even though you set a default policy of DROP.
8			Goes out on some interface (e.g., eth0)
9			On the wire (e.g., Internet)

这个表描述了数据从Local host返回响应给Internet的客户这么一个数据流程。也许有经验的人会说，internet到达我们的PC网卡的数据包不一定就是给你这个机器的，说的没错，有可能需要通过你这个机器做转发，发给其他的机器。这个过程就是IP forwarding，当然，这个需要Linux系统打开这个服务。

下面说说如何检查并打开自己机器的IP forwarding服务。下面就拿我的机器(CentOS)来说，从命令返回值可以看到，这个feature是打开了的。

 [root@CloudGame mytool]# sysctl net.ipv4.ip_forward
 net.ipv4.ip_forward = 

若是没有开，可以通过下面的操作打开：

 [root@CloudGame mytool]# sysctl -w net.ipv4.ip_forward=
 net.ipv4.ip_forward = 

或者这么打开也可以：

打开/etc/sysctl.conf文件，修改里面的net.ipv4.ip_forward的值，改为1.

既然有转发，就有对应的转发的iptables的chain及相关细节.如下：

Forwarded packets

Step	Table	Chain	Comment
1			On the wire (i.e., Internet)
2			Comes in on the interface (i.e., eth0)
3	mangle	PREROUTING	This chain is normally used for mangling packets, i.e., changing TOS and so on.
4	nat	PREROUTING	This chain is used for DNAT mainly. SNAT is done further on. Avoid filtering in this chain since it will be bypassed in certain cases.
5			Routing decision, i.e., is the packet destined for our local host or to be forwarded and where.
6	mangle	FORWARD	The packet is then sent on to the FORWARD chain of the mangle table. This can be used for very specific needs, where we want to mangle the packets after the initial routing decision, but before the last routing decision made just before the packet is sent out.
7	filter	FORWARD	The packet gets routed onto the FORWARD chain. Only forwarded packets go through here, and here we do all the filtering. Note that all traffic that's forwarded goes through here (not only in one direction), so you need to think about it when writing your rule-set.
8	mangle	POSTROUTING	This chain is used for specific types of packet mangling that we wish to take place after all kinds of routing decisions has been done, but still on this machine.
9	nat	POSTROUTING	This chain should first and foremost be used for SNAT. Avoid doing filtering here, since certain packets might pass this chain without ever hitting it. This is also where Masquerading is done.
10			Goes out on the outgoing interface (i.e., eth1).
11			Out on the wire again (i.e., LAN).

简单总结一下上面的三个情景。这里可以看到，iptables有table和chain的概念。iptables有4种类型的table： raw，mangle，nat，filter。chain的类型有：PREROUTING，INPUT，OUTPUT, FORWARD, POSTROUTING. 这里，有个很重要的逻辑就是，table和chain之间的关系是怎么样的。他们是两个维度空间，共同作用在收到/发送/转发的数据上。用下面的图表做个形象的描述，反映这两个维度之间的关系：

下面，再看看另外一种表述：

最后，看看不同的协议，在iptables的工作过程中，都影响到那些子环节：

上面三个图，都有一个特点，就是可以看出各个table都有那些chain要经历。每一个table都有自己对应的target。下面列举一下主要的三个table对应的target，方便后续索引查找。

mangel 表：

• TOS

• TTL

• MARK

nat 表：

• DNAT

• SNAT

• MASQUERADE

filter表：

• DROP

• ACCEPT

• REJECT
• RETURN
• LOG
• QUEUE

由于iptables是在不同的table上依据对应chain的rule进行相对应的数据包的处理，那么接下来的篇幅，就简单的说说比较常见的一些操作指令，来设置iptables对IP包的处理。

 [root@CloudGame mytool]# iptables -L --line-numbers　　　　#查看一个chain或者所有chain的rule。默认查看的是filter表，你也可以指定表，如：iptables -L -t nat
 Chain INPUT (policy ACCEPT)
 num  target     prot opt source               destination
     ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
     ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
     ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
     ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps 

 Chain FORWARD (policy ACCEPT)
 num  target     prot opt source               destination
     ACCEPT     all  --  anywhere             localhost/        state RELATED,ESTABLISHED
     ACCEPT     all  --  localhost/         anywhere
     ACCEPT     all  --  anywhere             anywhere
     REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
     REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
     DOCKER     all  --  anywhere             anywhere
     ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED
     ACCEPT     all  --  anywhere             anywhere
     ACCEPT     all  --  anywhere             anywhere            

 Chain OUTPUT (policy ACCEPT)
 num  target     prot opt source               destination         

 Chain DOCKER ( references)
 num  target     prot opt source               destination

会看到上面的日志显示的信息中，最后一列没有名字。其实，这一列对应的就是iptables的-m选项的信息，即connection tracking，相关信息很多，可以google之。较常用的是-m tcp, -m state等等之类。

下面是一个给NAT表添加一个DNAT目标的规则：

 [root@CloudGame mytool]# iptables -t nat -A PREROUTING -p tcp -d 202.45.23.67 --dport  -j DNAT --to-destination 192.168.1.1-192.168.1.10
 [root@CloudGame mytool]# iptables -t nat -L
 Chain PREROUTING (policy ACCEPT)
 target     prot opt source               destination
 DOCKER     all  --  anywhere             anywhere            ADDRTYPE match dst-type LOCAL
 DNAT       tcp  --  anywhere             202.45.23.67        tcp dpt:http to:192.168.1.1-192.168.1.10 

上面这个操作，实现的是NAT（网络地址转换），将从internet上的IP包目的地址为202.45.23.67，目的端口号为80的包，进行地址转换，转成目的地址为192.168.1.1至10的机器，随机转。这个可以用在负载均衡上哟，一种解决方案。对应的SNAT，是完成从源端地址向目标地址转换的过程，比如，从内网的192.168.1.1的IP转为防火墙的内部IP地址。这里有地址映射过程。

 [root@CloudGame mytool]#  iptables -t nat -A POSTROUTING -p tcp --dst 192.168.1.1 --dport  -j SNAT  --to-source 192.168.1.21
 [root@CloudGame mytool]# iptables -t nat -L
 Chain PREROUTING (policy ACCEPT)
 target     prot opt source               destination
 DOCKER     all  --  anywhere             anywhere            ADDRTYPE match dst-type LOCAL
 DNAT       tcp  --  anywhere             202.45.23.67        tcp dpt:http to:192.168.1.1-192.168.1.10 

 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination         

 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination
 DOCKER     all  --  anywhere            !loopback/          ADDRTYPE match dst-type LOCAL 

 Chain POSTROUTING (policy ACCEPT)
 target     prot opt source               destination
 MASQUERADE  tcp  --  localhost/        !localhost/        masq ports: -
 MASQUERADE  udp  --  localhost/        !localhost/        masq ports: -
 MASQUERADE  all  --  localhost/        !localhost/
 MASQUERADE  all  --  localhost/         anywhere
 SNAT       tcp  --  anywhere             localhost           tcp dpt:http to:192.168.1.21

Appendix部分，我附上一些关于iptables的基本命令手册 的信息：

A1. 命令的基本格式：

iptables [ -t 表名] 命令选项 [链名] [条件匹配] [-j 目标动作或跳转] 

A2.命令的选项参数：

选项名	功能及特点
-A	在指定链的末尾添加（--append）一条新的规则
-D	删除（--delete）指定链中的某一条规则，按规则序号或内容确定要删除的规则
-I	在指定链中插入（--insert）一条新的规则，默认在链的开头插入
-R	修改、替换（--replace）指定链中的一条规则，按规则序号或内容确定
-L	列出（--list）指定链中的所有的规则进行查看，默认列出表中所有链的内容
-F	清空（--flush）指定链中的所有规则，默认清空表中所有链的内容
-N	新建（--new-chain）一条用户自己定义的规则链
-X	删除指定表中用户自定义的规则链（--delete-chain）
-P	设置指定链的默认策略（--policy）
-n	用数字形式（--numeric）显示输出结果，若显示主机的 IP地址而不是主机名
-P	设置指定链的默认策略（--policy）
-v	查看规则列表时显示详细（--verbose）的信息
-V	查看iptables命令工具的版本（--Version）信息
-h	查看命令帮助信息（--help）
--line-number	查看规则列表时，同时显示规则在链中的顺序号

A3.条件匹配

条件匹配分为基本匹配和扩展匹配，拓展匹配又分为隐式扩展和显示扩展。这些条件是用于给iptables添加规则的时候提供更加具体的匹配条件，便于精确的操作数据包的流向和去留。

a)基本匹配包括

匹配参数	说明
-p	指定规则协议，如tcp, udp,icmp等，可以使用all来指定所有协议
-s	指定数据包的源地址参数，可以使IP地址、网络地址、主机名
-d	指定目的地址
-i	输入接口
-o	输出接口

b)隐式扩展包括

c)显式扩展

更深的东西，继续研究中，期待交流和拍砖！