
iptables, netfilter, iproute2, ip and tc are concepts that newcomers tend to confuse when discussing Linux firewalling and QoS.

1. iptables/netfilter

These two are usually mentioned together. They are used to build a Linux firewall, or a proxy server, or more generally to filter, classify, forward, drop, reject or accept packets entering and leaving a Linux host. netfilter is the packet filtering framework built into the Linux kernel (note that all of netfilter's hooks sit in the IP layer of the kernel protocol stack); iptables is the program a Linux user runs to operate and configure netfilter. You can simply think of iptables as the front end of netfilter: iptables tells the Linux kernel what to do with packets that enter, pass through and leave the host.

1.1 iptables

iptables is the front end of netfilter: a command-line program through which a Linux user operates and configures netfilter. It provides three main functions:

  • display the current packet filtering rules
  • add, delete and modify packet filtering rules
  • display or reset the counters of packets that matched the filtering rules

1.2 netfilter ------ works in the IP layer of the protocol stack

netfilter is the packet filtering framework built into the Linux kernel (as the figure above shows, netfilter works only in the IP layer of the kernel protocol stack, so it can only process IP packets). It handles packets that enter, pass through and leave the host according to the rules the Linux user has given the kernel. netfilter has a three-level structure: netfilter - tables - chains - rules (classifiers + action). It contains the following five tables, and each table contains one to five chains; this is what people usually call "4 tables, 5 chains" (a security table was added later, so it is really "5 tables, 5 chains"), as shown in the figure below:

  1. By default netfilter contains five tables: raw, filter, nat, mangle and security.
  2. Each table contains one or more chains (from among the five built-in chains INPUT, FORWARD, OUTPUT, PREROUTING and POSTROUTING; which table contains which chains is shown in the figure below). A chain is an ordered collection of rules.
  3. A rule specifies how a given packet is identified (filtered) and what is done with it.
  4. Each rule consists of one or more packet classifiers and a corresponding action.


1.2.1 raw table

This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets generated by local processes). So this table has the highest priority. Its main purpose is to use the NOTRACK target to exempt certain packets or flows from connection tracking. It contains two chains: OUTPUT (for IP packets generated by this host and sent out) and PREROUTING (for incoming IP packets).

1.2.2 mangle table

This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
The main purpose of this table is to alter packet contents, perform traffic shaping and set marks on packets. It contains five chains: INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING.

1.2.3 nat table

This table is consulted when a packet that creates a new connection is encountered. It consists of four built-ins: PREROUTING (for altering packets as soon as they come in), INPUT(for altering packets destined for local sockets), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7.
This table is responsible for network address translation, i.e. modifying the source and destination IP addresses or ports of packets. It contains four chains: PREROUTING, INPUT, OUTPUT and POSTROUTING.

1.2.4 filter table

This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
This table is responsible for filtering packets, i.e. deciding whether a packet is let through. It contains three chains: INPUT, FORWARD and OUTPUT.

1.2.5 security table

This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets. Mandatory Access Control is implemented by Linux Security Modules such as SELinux. The security table is called after the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before MAC rules. This table provides the following built-in chains: INPUT (for packets coming into the box itself), OUTPUT (for altering locally-generated packets before routing), and FORWARD (for altering packets being routed through the box).
This table is tied to the SELinux Linux security module; the later articles in this series skip it and do not discuss it. It has three chains: INPUT, OUTPUT and FORWARD.

1.3 Overall flow of an IP packet through netfilter

PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING are netfilter's five hook points in the kernel protocol stack. As can be seen, PREROUTING sits before the kernel looks up the routing table and makes the routing decision for a received IP packet, while POSTROUTING sits after the kernel has looked up the routing table and made the routing decision for an outgoing IP packet.


A detailed flow chart of the order in which an IP packet is processed by each chain of each table: to be updated.
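As an added example (not part of the original post), the following Python model walks a packet through the tables and chains listed above, in the order the kernel consults them, and applies the "first matching rule, else chain policy" semantics of a chain. The per-hook table order is assumed to be the standard netfilter priority order (raw, mangle, nat, filter, security); the ruleset, addresses and packets are constructed for the demonstration.

```python
"""Added illustration (not kernel code) of how netfilter walks an IP packet
through the tables and chains described above.  The order in which tables are
consulted at each hook is assumed to be the standard netfilter priority order
(raw, mangle, nat, filter, security); connection tracking is not modelled."""

# Tables registered at each hook point, in the order the kernel calls them.
# This also encodes which chains each table has (raw: 2, mangle: 5, nat: 4, ...).
HOOK_TABLES = {
    "PREROUTING":  ["raw", "mangle", "nat"],
    "INPUT":       ["mangle", "filter", "security", "nat"],
    "FORWARD":     ["mangle", "filter", "security"],
    "OUTPUT":      ["raw", "mangle", "nat", "filter", "security"],
    "POSTROUTING": ["mangle", "nat"],
}

def match(classifiers, pkt):
    """A rule matches only when every classifier agrees with the packet."""
    return all(pkt.get(k) == v for k, v in classifiers.items())

def run_chain(rules, policy, pkt):
    """Rules are tried top to bottom; the first match decides, else the policy."""
    for classifiers, action in rules:
        if match(classifiers, pkt):
            return action
    return policy

def traverse(pkt, rules, policies, local_addrs):
    """Return (verdict, path): path is the list of (table, chain) pairs visited."""
    if pkt.get("origin") == "local":
        hooks = ["OUTPUT", "POSTROUTING"]                  # generated by this host
    elif pkt["dst"] in local_addrs:
        hooks = ["PREROUTING", "INPUT"]                    # routing decision: for us
    else:
        hooks = ["PREROUTING", "FORWARD", "POSTROUTING"]   # routing decision: forward
    path = []
    for chain in hooks:
        for table in HOOK_TABLES[chain]:
            path.append((table, chain))
            verdict = run_chain(rules.get((table, chain), []),
                                policies.get((table, chain), "ACCEPT"), pkt)
            if verdict == "DROP":        # a DROP anywhere ends the packet's journey
                return "DROP", path
    return "ACCEPT", path

# Constructed sample ruleset: default-deny filter table that only admits SSH to
# this host and forwards nothing; all other chains keep the built-in policy ACCEPT.
RULES = {("filter", "INPUT"): [({"proto": "tcp", "dport": 22}, "ACCEPT")]}
POLICIES = {("filter", "INPUT"): "DROP", ("filter", "FORWARD"): "DROP"}
LOCAL = {"192.0.2.1"}
```

Calling `traverse({"proto": "tcp", "dport": 80, "dst": "192.0.2.1"}, RULES, POLICIES, LOCAL)` shows the packet passing raw, mangle and nat PREROUTING, then mangle INPUT, and being dropped by the filter INPUT policy without ever reaching the security or nat INPUT chains.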

2. iproute2

iproute2 mainly comprises two tools, ip and tc. The ip tool defines the host's IP network configuration and routing configuration; the tc tool defines QoS for packets entering and leaving the host, such as traffic classification, routing, rate limiting and delay. (to be updated)

2.1 ip

To be updated.

2.2 tc

To be updated.


Reposted from blog.csdn.net/yangbisheng1121/article/details/128776706