Wiki

User Tools

Site Tools

Trace:
ubuntu:iptables:about_ip_tables

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

ubuntu:iptables:about_ip_tables [2025/06/02 10:32] – created peterubuntu:iptables:about_ip_tables [2025/06/02 10:42] (current) peter
Line 49: Line 49:
 </WRAP> </WRAP>
  
-----     +----
  
-===== Different Tables =====+===== iptables Tables =====
  
-  * **mangle**used to modify or mark packetsMark is on the [[https://docs.kernel.org/networking/skbuff.html|skbuf]] and not on the packet itself+iptables tables represent distinct sets of rules, organized by area of concern, for evaluating packets. 
-  * **filter**: Do not modify trafficMostly used for firewalling+ 
-  * **nat**+^Table^Description^ 
-  * **raw**used to help skip conntrack.+|Filter|The filter table filters packets.| 
 +|:::|Used to make decisions about whether to let a packet continue to its intended destination or to deny its request.| 
 +|:::|This table provides the bulk of functionality that people think of when discussing firewalls.
 +|NAT|Implements network address translation rules.| 
 +|:::|As packets enter the network stack, rules in this table will determine whether and how to modify the source or destination addresses of the packet in order to impact the way that the packet and any response traffic are routed.| 
 +|:::|This is often used to route packets to networks when direct access is not possible.| 
 +|Mangle|Used to alter the IP headers of the packet in various ways.| 
 +|:::|For instance, you can adjust the TTL (Time to Live) value of a packet, either lengthening or shortening the number of valid network hops the packet can sustain.| 
 +|:::|Other IP headers can be altered in similar ways.| 
 +|:::|This table can also place an internal kernel **"mark"** on the packet for further processing in other tables and by other networking tools.| 
 +|:::|This mark does not touch the actual packet, but adds the mark to the kernels representation of the packet.
 +|Raw|The iptables firewall is stateful, meaning that packets are evaluated in regards to their relation to previous packets.| 
 +|:::|The connection tracking features built on top of the netfilter framework allow iptables to view packets as part of an ongoing connection or session instead of as a stream of discrete, unrelated packets.| 
 +|:::|The connection tracking logic is usually applied very soon after the packet hits the network interface.| 
 +|:::|The raw table has a very narrowly defined function - Its only purpose is to provide a mechanism for marking packets in order to opt-out of connection tracking.
 +|Security|Used to set internal SELinux security context marks on packets, which will affect how SELinux or other systems that can interpret SELinux security contexts handle the packets.| 
 +|:::|These marks can be applied on a per-packet or per-connection basis.|
  
 ---- ----
ubuntu/iptables/about_ip_tables.txt · Last modified: 2025/06/02 10:42 by peter
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki