[root@hf-01 ~]# man iptables
查看五个表
filter:
This is the default table (if no -t option is passed). It contains
the built-in chains INPUT (for packets destined to local sockets),
FORWARD (for packets being routed through the box), and OUTPUT (for
locally-generated packets).
nat:
This table is consulted when a packet that creates a new connection
is encountered. It consists of three built-ins: PREROUTING (for
altering packets as soon as they come in), OUTPUT (for altering
locally-generated packets before routing), and POSTROUTING (for
altering packets as they are about to go out). IPv6 NAT support is
available since kernel 3.7.
mangle:
This table is used for specialized packet alteration. Until kernel
2.4.17 it had two built-in chains: PREROUTING (for altering incom‐
ing packets before routing) and OUTPUT (for altering locally-gener‐
ated packets before routing). Since kernel 2.4.18, three other
built-in chains are also supported: INPUT (for packets coming into
the box itself), FORWARD (for altering packets being routed through
the box), and POSTROUTING (for altering packets as they are about
to go out).
raw:
This table is used mainly for configuring exemptions from connec‐
tion tracking in combination with the NOTRACK target. It registers
at the netfilter hooks with higher priority and is thus called
before ip_conntrack, or any other IP tables. It provides the fol‐
lowing built-in chains: PREROUTING (for packets arriving via any
network interface) OUTPUT (for packets generated by local pro‐
cesses)
security:
This table is used for Mandatory Access Control (MAC) networking
rules, such as those enabled by the SECMARK and CONNSECMARK tar‐
gets. Mandatory Access Control is implemented by Linux Security
Modules such as SELinux. The security table is called after the
filter table, allowing any Discretionary Access Control (DAC) rules
in the filter table to take effect before MAC rules. This table
provides the following built-in chains: INPUT (for packets coming
into the box itself), OUTPUT (for altering locally-generated pack‐
ets before routing), and FORWARD (for altering packets being routed
through the box).