10.13 netfilter5表5链介绍

[root@hf-01 ~]# man iptables

查看五个表
              filter:
                  This is the default table (if no -t option is passed). It  contains
                  the  built-in chains INPUT (for packets destined to local sockets),
                  FORWARD (for packets being routed through the box), and OUTPUT (for
                  locally-generated packets).

              nat:
                  This table is consulted when a packet that creates a new connection
                  is encountered.  It consists of three  built-ins:  PREROUTING  (for
                  altering  packets  as  soon  as they come in), OUTPUT (for altering
                  locally-generated packets before  routing),  and  POSTROUTING  (for
                  altering packets as they are about to go out).  IPv6 NAT support is
                  available since kernel 3.7.

              mangle:
                  This table is used for specialized packet alteration.  Until kernel
                  2.4.17  it had two built-in chains: PREROUTING (for altering incom‐
                  ing packets before routing) and OUTPUT (for altering locally-gener‐
                  ated  packets  before  routing).   Since kernel 2.4.18, three other
                  built-in chains are also supported: INPUT (for packets coming  into
                  the box itself), FORWARD (for altering packets being routed through
                  the box), and POSTROUTING (for altering packets as they  are  about
                  to go out).

              raw:
                  This  table  is used mainly for configuring exemptions from connec‐
                  tion tracking in combination with the NOTRACK target.  It registers
                  at  the  netfilter  hooks  with  higher priority and is thus called
                  before ip_conntrack, or any other IP tables.  It provides the  fol‐
                  lowing  built-in  chains:  PREROUTING (for packets arriving via any
                  network interface) OUTPUT (for  packets  generated  by  local  pro‐
                  cesses)

              security:
                  This  table  is  used for Mandatory Access Control (MAC) networking
                  rules, such as those enabled by the SECMARK  and  CONNSECMARK  tar‐
                  gets.   Mandatory  Access  Control is implemented by Linux Security
                  Modules such as SELinux.  The security table is  called  after  the
                  filter table, allowing any Discretionary Access Control (DAC) rules
                  in the filter table to take effect before MAC  rules.   This  table
                  provides  the  following built-in chains: INPUT (for packets coming
                  into the box itself), OUTPUT (for altering locally-generated  pack‐
                  ets before routing), and FORWARD (for altering packets being routed
                  through the box).