''iptables'' is used for https://en.wikipedia.org/wiki/IPv4[IPv4] and ''ip6tables'' is used for ihttps://en.wikipedia.org/wiki/IPv6[IPv6]. Both ''iptables'' and ''ip6tables'' have the same syntax, but some options are specific to either IPv4 or IPv6.
**iptables** is used for https://en.wikipedia.org/wiki/IPv4[IPv4] and ''ip6tables'' is used for ihttps://en.wikipedia.org/wiki/IPv6[IPv6]. Both ''iptables'' and ''ip6tables'' have the same syntax, but some options are specific to either IPv4 or IPv6.
=== Installation
=== Installation
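Review bot: the stray `i` in `ihttps://en.wikipedia.org/wiki/IPv6[IPv6]` survives into the new line, so the IPv6 link is still broken; drop the `i` while touching this line. The same line also mixes markup: `''iptables''` became `**iptables**`, but `''ip6tables''` and the later `''iptables''`/`''ip6tables''` mentions keep the old `''...''` quoting, which is not AsciiDoc emphasis and will render literally. Suggest `**ip6tables**` and `**iptables**` consistently throughout the paragraph.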
@ -113,14 +113,14 @@ iptables is the user utility which allows you to work with these chains/rules.
====
====
The key to understanding how iptables works is http://docs.swarmlab.io/lab/sec/tables_traverse.jpg[this chart].
The key to understanding how iptables works is http://docs.swarmlab.io/lab/sec/tables_traverse.jpg[this chart].
The lowercase word on top is the table and the upper case word below is the chain.
The lowercase word on top is the **table** and the upper case word below is the **chain**.
- Every IP packet that comes in **on any network interface** passes through this flow chart from top to bottom.
- Every IP packet that comes in **on any network interface** passes through this flow chart from top to bottom.
**All interfaces are handled the same way; it's up to you to define rules that treat them differently.**
**All interfaces are handled the same way; it's up to you to define rules that treat them differently.**
Of course some packets
Some packets
- are intended for local processes, hence come in from the top of the chart and stop at **Local Proces**,
- are intended for local processes, hence come in from the top of the chart and stop at **Local Proces**,
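Review bot: the typo `**Local Proces**` on the unchanged last line of this hunk is left as is; it should read `**Local Process**`, matching the label used on the chart. The other edits here (bolding `**table**` and `**chain**`, dropping "Of course") read fine.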
@ -285,13 +285,14 @@ Target extensions can be either **terminating** (as built-in targets) or **non-t
A network packet received on any interface traverses the traffic control chains of tables in the order shown in the http://docs.swarmlab.io/lab/sec/tables_traverse.jpg[this chart]
A network packet received on any interface traverses the traffic control chains of tables in the order shown in the http://docs.swarmlab.io/lab/sec/tables_traverse.jpg[this chart]
- The first routing decision involves deciding if the final destination of the packet is the local machine (in which case the packet traverses through the **INPUT chains**
- The first routing decision involves deciding if the final destination of the packet is the local machine (in which case the packet traverses through the **INPUT chains**
- or elsewhere (in which case the packet traverses through the **FORWARD}} chains**.
- or elsewhere (in which case the packet traverses through the **FORWARD chains**.
- Subsequent routing decisions involve deciding what interface to assign to an outgoing packet.
- Subsequent routing decisions involve deciding what interface to assign to an outgoing packet.
At each chain in the path, every rule in that chain is evaluated in order and whenever a rule matches, the corresponding target/jump action is executed.
At each chain in the path, every rule in that chain is evaluated in order and whenever a rule matches, the corresponding target/jump action is executed.
The 3 most commonly used targets are **ACCEPT**, **DROP**, and jump to a user-defined chain.
The 3 most commonly used targets are **ACCEPT**, **DROP**, and **jump** to a user-defined chain.
[NOTE]
[NOTE]
====
====
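Review bot: both parentheticals in this hunk remain unclosed after the change: `(in which case the packet traverses through the **INPUT chains**` and `(in which case the packet traverses through the **FORWARD chains**.` never get their `)`; suggest `**INPUT chains**)` and `**FORWARD chains**)`. The first line also reads `in the order shown in the http://docs.swarmlab.io/lab/sec/tables_traverse.jpg[this chart]`, which renders as "in the this chart"; drop the `the` before the link. The `FORWARD}}` fix itself is correct.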
@ -299,7 +300,8 @@ While built-in chains can have default policies, user-defined chains can not.
====
====
- If every rule in a chain that you jumped fails to provide a complete match, the packet is dropped back into the calling chain as illustrated
- If every rule in a chain that you jumped fails to provide a complete match, the packet is dropped back into the calling chain as illustrated
- If at any time a complete match is achieved for a rule with a **DROP** target, the packet is dropped and no further processing is done.
- If at any time a complete match is achieved for a rule with a **DROP** target, the packet is dropped and no further processing is done.
- If a packet is **ACCEPT**ed within a chain, it will be **ACCEPT**ed in all superset chains also and it will not traverse any of the superset chains any further.
- If a packet is **ACCEPT**ed within a chain, it will be **ACCEPT**ed in all superset chains also and it will not traverse any of the superset chains any further.
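Review bot: `in a chain that you jumped fails` is missing a word; suggest `in a chain that you jumped to fails`. `as illustrated` on the same line points at nothing in the text; either reference the chart (`as illustrated in the chart above`) or drop it. `superset chains` is non-standard wording for the built-in chain the jump came from; `calling chain`, already used two lines up, would be consistent. Since the hunk above describes the packet traversing the chains of several tables in order, it is also worth stating that an `ACCEPT` ends processing only in the calling chain of the current table, and the packet still continues through the later tables' chains shown on the chart, so the reader does not take `all superset chains` to mean every subsequent chain.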