Tables
The filter table is, of course, mainly used for filtering
packets. We can match packets and filter them in whatever
way we want. There is nothing special about this table or about
packets that might slip through because they are malformed,
etc. This is the place where we actually take action against
packets, look at what they contain and DROP, REJECT or
ACCEPT them depending on their payload. Of course we may
also do prior filtering in other tables; however, this particular
table is the place for which filtering was designed. Almost all
targets are usable in this table; do keep in mind that the
targets discussed previously are usable in the earlier tables
too, but this is the place that was designed for them. You now
know that this table is the right place to do your main filtering.
The nat table should only be used for NAT (Network Address
Translation) on packets. In other words, it should only be
used to translate the packet's source field or destination
field. Note that, as we have said before, only the first packet
in a stream will hit this table. After this, the rest of the
packets in the stream will automatically have the same action
taken on them as the first packet. The actual targets that do
these kinds of things are:
DNAT
SNAT
MASQUERADE
The DNAT (Destination Network Address Translation)
target is mainly used in cases where you have a public IP and want
to redirect accesses to the firewall to some other host (on
a DMZ, for example). In other words, we change the destination
address of the packet and reroute it to that host.
SNAT (Source Network Address Translation)
is mainly used for changing the source address of packets.
For the most part you'll use it to hide your local networks or DMZ,
etc. A very good example would be that of a firewall whose
outside IP address we know, where we need to substitute our local
network's IP numbers with that of our firewall. With this
target the firewall will automatically SNAT and De-SNAT the
packets, hence making it possible to make connections from
the LAN to the Internet. If your network uses 192.168.0.0/netmask
for example, the packets would never get back from the Internet,
because IANA has regulated these networks (amongst others)
as private and only for use in isolated LANs.
The MASQUERADE target
is used in exactly the same way as SNAT, but the MASQUERADE
target takes a little bit more overhead to compute. The reason
for this is that each time the MASQUERADE target gets
hit by a packet, it automatically checks which IP address
to use, instead of doing as the SNAT target does, which is just
using the single configured IP address. The MASQUERADE target makes
it possible to work properly with dynamic DHCP IP addresses
that your ISP might provide for your PPP, PPPoE or SLIP connections
to the Internet.
The mangle table should, as we've already noted, mainly be used
for mangling packets. In other words, you may freely use the
mangle matches etc. that could be used to change TOS (Type
Of Service) fields and so on.
You are strongly advised not to use this table for any filtering;
nor will any DNAT, SNAT or masquerading work in this table.
Targets that are only valid in the mangle table:
TOS
The TOS target is used
to set and/or change the Type of Service field in the packet.
This could be used for setting up policies on the network
regarding how a packet should be routed and so on. Note that
this has not been perfected and is not really implemented
on the Internet; most routers don't care about the
value in this field, and sometimes they act faultily on what
they get. In other words, don't set this for packets going
to the Internet unless you want to make routing decisions
on it with iproute2.
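To tie the three tables together, here is an added example script that is not part of the tutorial: it builds one small ruleset with the filtering decisions in the filter table, DNAT and source NAT in the nat table, and the TOS target in the mangle table, and it picks SNAT or MASQUERADE the way the text describes (a fixed public address can use SNAT with --to-source; a dynamic address needs MASQUERADE). The interface names, the 192.168.0.0/24 LAN, the DMZ host 192.168.1.10 and the optional public address passed as the first argument are constructed for the example. By default the script only prints the iptables commands (dry run); set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example, not the tutorial's own script. Constructed assumptions:
# LAN on eth1 (192.168.0.0/24), Internet on eth0, DMZ web server 192.168.1.10.
# IPT defaults to a dry run that echoes each command instead of running it.
IPT="${IPT:-echo iptables}"

LAN_IF=eth1
WAN_IF=eth0
LAN_NET=192.168.0.0/24
DMZ_WEB=192.168.1.10

# Choose the source-NAT target: with a known, fixed public address SNAT
# rewrites to that single address; with no fixed address (DHCP/PPP) use
# MASQUERADE, which looks up the interface address for every new connection.
snat_target() {
    if [ -n "$1" ]; then
        echo "-j SNAT --to-source $1"
    else
        echo "-j MASQUERADE"
    fi
}

filter_rules() {
    # filter table: where the ACCEPT/DROP/REJECT decisions belong.
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
    $IPT -t filter -A INPUT -i lo -j ACCEPT
    $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open connections to the Internet.
    $IPT -t filter -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
    # Only port 80 may reach the DMZ web server after DNAT (see nat_rules).
    $IPT -t filter -A FORWARD -i $WAN_IF -d $DMZ_WEB -p tcp --dport 80 -j ACCEPT
    # Politely reject SSH from the outside instead of silently dropping it.
    $IPT -t filter -A INPUT -i $WAN_IF -p tcp --dport 22 -j REJECT --reject-with tcp-reset
}

nat_rules() {
    # nat table: only the first packet of each connection is seen here;
    # conntrack applies the same translation to the rest of the stream.
    $IPT -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB
    $IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET $(snat_target "$1")
}

mangle_rules() {
    # mangle table: the TOS target is only valid here; no filtering, no NAT.
    $IPT -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
}

main() {
    filter_rules
    nat_rules "$1"
    mangle_rules
}

# Usage: ./rules.sh            -> dynamic address, MASQUERADE
#        ./rules.sh 203.0.113.5 -> fixed public address, SNAT
main "$@"
```

Running it with no argument emits a MASQUERADE rule; passing the firewall's fixed public address switches the POSTROUTING rule to SNAT, which is the cheaper choice whenever the address does not change.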