iptables
I want to let packets through using the filter table
Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a 'target', which may be a jump to a user-defined chain in the same table.
iptables is a packet-filtering firewall.
There are five tables, one per purpose (filter, nat, mangle, raw, security); each table has built-in chains and can also hold user-defined chains. filter and nat are the ones you use most.
filter
This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
The default table, used whenever no -t option is given (so plain iptables -L shows filter).
Built-in chains:
INPUT
FORWARD
OUTPUT
nat
This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).
Built-in chains:
PREROUTING
OUTPUT
POSTROUTING
mangle
Used for specialised packet alteration (TTL, TOS, MARK); it has all five built-in chains.
security
Used for Mandatory Access Control rules (SECMARK / CONNSECMARK, e.g. with SELinux); consulted after the filter table.
raw
Consulted before connection tracking, mainly to exempt packets from it with NOTRACK; chains PREROUTING and OUTPUT.
https://www.frozentux.net/iptables-tutorial/images/tables_traverse.jpg
About targets
Targets
A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN.
Either a user-defined chain or one of the following four special values.
ACCEPT
DROP
QUEUE
RETURN
ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the ip_queue queue handler. Kernels 2.6.14 and later additionally include the nfnetlink_queue queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case. Please also see the NFQUEUE target as described later in this man page.) RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.
Basic usage
Check (list the current rules)
code:plain
iptables -n -v -L    # -n numeric addresses/ports, -v counters and interfaces, -L list; filter table unless -t is given
ip6tables-apply (IPv6 counterpart of iptables-apply: applies a rules file and rolls it back automatically unless you confirm within a timeout, so a broken ruleset cannot lock you out of a remote box)
Reload (restore a saved ruleset; /etc/iptables/rules.v4 is where the iptables-persistent package keeps the IPv4 rules)
code:plain
iptables-restore < /etc/iptables/rules.v4    # replaces the running ruleset; existing rules are flushed first unless --noflush is given
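As an added example (not from the original note or from the iptables project), here is a rules file in the format iptables-restore reads, covering the filter and nat tables and their built-in chains described above, one user-defined chain (LOGDROP) and the ACCEPT / DROP / RETURN targets, plus a root-free structural lint. The interfaces eth0 (WAN) and eth1 (LAN), the LAN range 192.168.1.0/24 and the internal web server 192.168.1.10 are hypothetical assumptions; forwarding additionally needs net.ipv4.ip_forward=1, which this file does not set.

```shell
#!/bin/sh
# Added example, not code from the original note. Builds an iptables-restore
# rules file exercising the filter and nat tables, a user-defined chain and
# the ACCEPT / DROP / RETURN targets, then checks its structure without root.
# Hypothetical assumptions: eth0 = WAN, eth1 = LAN (192.168.1.0/24),
# 192.168.1.10 = internal web server. net.ipv4.ip_forward=1 must be set separately.

# Print the ruleset. iptables-restore ignores lines starting with '#'.
# Order inside a chain matters: a chain is walked top to bottom and the first
# matching terminating target decides, so the conntrack rule comes first and
# the catch-all jump to LOGDROP comes last.
make_rules() {
    cat <<'EOF'
# filter table: policies DROP for INPUT/FORWARD, ACCEPT for OUTPUT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# user-defined chain; user chains have no policy, hence '-'
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOGDROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.10 --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j LOGDROP
# RETURN: ident probes go back to the calling chain; LOGDROP was its last
# rule, so the chain policy (DROP) applies, without a log line
-A LOGDROP -p tcp --dport 113 -j RETURN
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "
-A LOGDROP -j DROP
COMMIT
# nat table: DNAT in PREROUTING (before routing), MASQUERADE in POSTROUTING
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
-A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
COMMIT
EOF
}

# Structural lint that needs neither root nor netfilter: every *table block
# must be closed by COMMIT, and in INPUT the conntrack ESTABLISHED rule must
# come before any per-port ACCEPT (otherwise reply packets are matched
# against the port rules on every packet instead of once per connection).
lint_rules() {
    awk '
        BEGIN { bad = 0 }
        /^\*/ { tables++; open = 1 }
        /^COMMIT$/ { open = 0; commits++ }
        /^-A INPUT / && /ESTABLISHED/ { est = 1 }
        /^-A INPUT / && /--dport/ && !est {
            print "port rule before conntrack rule at line " NR; bad = 1
        }
        END {
            if (open || tables != commits) { print "unterminated table"; bad = 1 }
            exit bad
        }
    '
}

# Number of rules appended to a chain, e.g. count_rules INPUT
count_rules() {
    make_rules | grep -c "^-A $1 "
}

# The kernel is the only full validator. iptables-restore --test parses and
# builds the ruleset without committing it, but needs root; fall back to
# the structural lint otherwise.
apply_check() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        make_rules | iptables-restore --test
    else
        make_rules | lint_rules
    fi
}

apply_check
```

To install it, run make_rules > /etc/iptables/rules.v4 and reload with the iptables-restore command above; on a remote host, prefer iptables-apply so a typo in the file rolls back instead of locking you out.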