As an important function in the Linux kernel, iptables has a wide range of applications. By default, Istio uses iptables for transparent traffic hijacking, so understanding iptables is very helpful for understanding how Istio operates. This article gives you a brief introduction to iptables.
Introduction to iptables
iptables is a management tool for the firewall software netfilter in the Linux kernel. It lives in user space and is also part of the netfilter project, while netfilter itself lives in kernel space. Netfilter not only provides network address translation, but also firewall functions such as packet content modification and packet filtering.
Before looking at the iptables rules initialized by the Init container, let's first understand iptables and its rule configuration.
The figure below shows the iptables call chain.
iptables call chain
Tables in iptables
The iptables version used in the Init container is v1.6.0, which contains 5 tables:
- raw is used to configure packets; packets handled in raw are not tracked by the system's connection tracking.
- filter is the default table, used to store all firewall-related operations.
- nat is used for network address translation (e.g. port forwarding).
- mangle is used for modifications to specific packets (hence the name, as in mangling packets).
- security is used to enforce access control network rules.
Note: Only the nat table is used in this example.
The types of chains available in different tables are shown in the following table:
chain | raw | filter | nat | mangle | security |
---|---|---|---|---|---|
PREROUTING | ✓ | | ✓ | ✓ | |
INPUT | | ✓ | ✓ | ✓ | ✓ |
OUTPUT | ✓ | ✓ | ✓ | ✓ | ✓ |
POSTROUTING | | | ✓ | ✓ | |
FORWARD | | ✓ | | ✓ | ✓ |
Understanding iptables rules
View the default iptables rules in the istio-proxy container; by default, the rules of the filter table are shown.

```
$ iptables -L -v
Chain INPUT (policy ACCEPT 350K packets, 63M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 18M packets, 1916M bytes)
 pkts bytes target     prot opt in     out     source               destination
```
We see three default chains, INPUT, FORWARD, and OUTPUT, with the first line of output in each chain representing the chain name (INPUT/FORWARD/OUTPUT in this case) followed by the default policy (ACCEPT).
The following figure is the proposed structure diagram of iptables. After passing through the INPUT chain, the traffic enters the upper layer protocol stack, such as
Multiple rules can be added to each chain, and the rules are executed in order from front to back. Let's take a look at the header definition of the rules.
- pkts: the number of matched packets processed
- bytes: the cumulative size of processed packets (in bytes)
- target: if the packet matches the rule, the specified target is executed
- prot: the protocol, such as tcp, udp, icmp, and all
- opt: rarely used; this column displays IP options
- in: the inbound network interface
- out: the outbound network interface
- source: the source IP address or subnet of the traffic, or anywhere
- destination: the destination IP address or subnet of the traffic, or anywhere
There is also a column without a header, displayed at the end, which shows the options of the rule: the extended matching conditions that supplement the configuration in the preceding columns. prot, opt, in, out, source and destination, together with the header-less list of extended conditions displayed after destination, form the matching rule. The target is executed when traffic matches these conditions.
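To make the column layout concrete, here is an added example (not code from the original post) that parses `iptables -L -v` output into chains and rules, splitting each rule line into the nine headed columns and the header-less extension column described above. The sample output is constructed for the example; the chain and rule values in it are made up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `iptables -L -v` output (not from the original post);
# the INPUT rules are made up to exercise every column, including the
# header-less extension column at the end of each line.
SAMPLE = """\
Chain INPUT (policy ACCEPT 350K packets, 63M bytes)
 pkts bytes target  prot opt in    out  source      destination
   12  1024 ACCEPT  tcp  --  eth0  any  anywhere    anywhere     tcp dpt:ssh
    0     0 RETURN  all  --  any   any  10.0.0.0/8  anywhere
    3   180 DROP    icmp --  any   any  anywhere    anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in    out  source      destination
"""

# The nine headed columns of `iptables -L -v`; anything after them is the
# rule's extension match (e.g. "tcp dpt:ssh").
COLUMNS = ("pkts", "bytes", "target", "prot", "opt", "in", "out",
           "source", "destination")
# Built-in chains carry a policy; user-defined chains show a reference count.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) .*|\d+ references)\)$")

@dataclass
class Chain:
    name: str
    policy: str                 # None for user-defined chains
    rules: list = field(default_factory=list)

def parse_iptables_list(text):
    """Parse `iptables -L -v` output into a dict of chain name -> Chain."""
    chains, current = {}, None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(name=m.group(1), policy=m.group(2))
            chains[current.name] = current
            continue
        fields = line.split()
        if current is None or fields[:2] == ["pkts", "bytes"]:
            continue  # skip the column header line
        rule = dict(zip(COLUMNS, fields[:len(COLUMNS)]))
        rule["extensions"] = " ".join(fields[len(COLUMNS):])
        current.rules.append(rule)
    return chains
```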
Types supported by target
target types include ACCEPT, REJECT, DROP, LOG, SNAT, MASQUERADE, DNAT, REDIRECT, RETURN, a jump to another chain, and so on. When a chain is executed, its rules are tried in order and only the first rule that matches the packet decides its fate, except for the RETURN type, which, similar to the return statement in programming languages, returns to the calling point and continues executing the next rule there. For details on the configuration supported by target, please refer to iptables detailed explanation (1): iptables concept.
Summary
The above is a brief introduction to iptables. You should now understand how iptables works, its rule chains and their execution order.
This article is reprinted from https://jimmysong.io/blog/understanding-iptables/
This site only reproduces the article; the copyright belongs to the original author.