
详细讲解Linux系统Iptables规则执行顺序

2007-07-26 12:46:17 Source: WEB开发网

Background (reposted): iptables has three kinds of rule queues (tables): the mangle queue, the filter queue and the nat queue.

1. The first is the mangle table, which is responsible for altering the quality-of-service bits in the TCP header.

2. The second table is the filter queue, which is responsible for packet filtering. Its built-in chains are:

* Forward chain: Filters packets to servers protected by the firewall.

* Input chain: Filters packets destined for the firewall.

* Output chain: Filters packets originating from the firewall.

3. The third table is the nat queue, which is responsible for network address translation. It has two built-in chains; these are:

* Pre-routing chain: NATs packets when the destination address of the packet needs to be changed.

* Post-routing chain: NATs packets when the source address of the packet needs to be changed.

Personal summary:

When iptables executes rules, it goes through the rule table in order from top to bottom. If a rule does not match, it moves on to the next one; when a rule matches, that rule is executed, and the rule's action (accept, reject, log, etc.) decides what happens next. There are generally three possibilities.

1. Continue with the next rule in the current rule queue. For example, after a LOG rule in the filter queue has been executed, the next rule in the filter queue is still executed.

2. Stop executing the current rule queue and move on to the next rule queue. For example, after an accept, the remaining rules in the filter queue are skipped and execution jumps to the rules of the nat queue.

3. Stop executing all rule queues.
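The top-down, first-match behaviour described above is what makes rule ordering a security property: a broad rule placed too high shadows every more specific rule beneath it. The following shell script is an added example, not part of the original article and not iptables itself: it is a small model of how a single chain is walked, with LOG treated as non-terminating and ACCEPT/DROP/REJECT as terminating verdicts. The rule sets (`SAMPLE_RULES`, `SHADOWED_RULES`, `NO_CATCHALL_RULES`), the packet values and the `evaluate` function are all constructed for illustration; a chain policy of DROP is assumed when nothing terminates the walk.

```shell
#!/bin/sh
# Added example (not from the article): a model of first-match evaluation in
# one iptables chain. LOG is non-terminating; ACCEPT/DROP/REJECT end the walk.
# Rule line format: "<proto> <dport> <target>", with "any" as a wildcard.
# All rule sets and packets below are constructed for illustration.

# Constructed rule set: log SSH, then accept it, accept HTTP, drop all UDP, reject the rest.
SAMPLE_RULES='tcp 22 LOG
tcp 22 ACCEPT
tcp 80 ACCEPT
udp any DROP
any any REJECT'

# Constructed misordered set: the catch-all sits first, so every rule below it is dead.
SHADOWED_RULES='any any REJECT
tcp 22 ACCEPT
tcp 80 ACCEPT'

# Constructed set with no catch-all, so the chain policy decides the verdict.
NO_CATCHALL_RULES='tcp 22 ACCEPT'

# evaluate <rules> <proto> <dport>
# Walks the rules top-down and prints "<verdict> matched=<rule numbers>".
# A chain policy of DROP is assumed when no terminating rule matches.
evaluate() {
    rules=$1
    proto=$2
    dport=$3
    matched=""
    verdict="POLICY_DROP"
    i=0
    while read -r rproto rport target; do
        if [ -z "$rproto" ]; then
            continue
        fi
        i=$((i + 1))
        # a rule matches when each field is a wildcard or equals the packet's value
        if { [ "$rproto" = any ] || [ "$rproto" = "$proto" ]; } &&
           { [ "$rport" = any ] || [ "$rport" = "$dport" ]; }; then
            matched="${matched:+$matched,}$i"
            case $target in
                LOG) ;;                      # non-terminating: keep walking the chain
                *) verdict=$target; break ;; # terminating verdict: stop here
            esac
        fi
    done <<EOF
$rules
EOF
    echo "$verdict matched=${matched:-none}"
}

# Stand-alone demonstration: the same packets against the ordered and the shadowed set.
for pkt in "tcp 22" "tcp 80" "udp 53" "icmp 0"; do
    set -- $pkt
    printf 'ordered  %-4s dport %-3s -> %s\n' "$1" "$2" "$(evaluate "$SAMPLE_RULES" "$1" "$2")"
    printf 'shadowed %-4s dport %-3s -> %s\n' "$1" "$2" "$(evaluate "$SHADOWED_RULES" "$1" "$2")"
done
```

Running it shows that `tcp 22` against the ordered set matches rules 1 and 2 (the LOG fires and the walk continues to the ACCEPT), whereas against the shadowed set every packet is rejected by rule 1 and the accept rules never get a chance. On a real host, the equivalent audit is to list each chain with `iptables -L -n --line-numbers` (or `iptables -S`) and read the rules in that order; the model covers one chain only and does not represent the move between tables that the summary above describes.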
