Several concepts of iptables/netfilter/iproute2/ip/tc/qdisc that are often confused

iptables, netfilter, iproute2, ip, tc and qdisc are concepts that novices often confuse when discussing how to build a Linux firewall or QoS setup.

1. iptables/netfilter

The two are usually mentioned together. They are used to build a Linux firewall, to act as a proxy server, or to filter, classify, forward, drop, reject and accept the packets entering and leaving Linux. netfilter is the packet filtering framework built into the Linux kernel (note that all netfilter hooks sit in the IP layer of the kernel protocol stack), and iptables is the program with which Linux users operate and configure netfilter. Put simply, iptables is the front end of netfilter: through it, the user tells the Linux kernel what to do with the packets that enter, pass through and leave the machine.

1.1. iptables

iptables is the command-line front end of netfilter: the program that Linux users run to operate and configure netfilter. It mainly provides the following three functions.

  • Display the current packet filtering rules
  • Add, delete and modify packet filtering rules
  • Display or reset the hit counters of packet filtering rules

(figure: position of netfilter in the kernel protocol stack)

1.2. netfilter: works in the IP layer of the protocol stack

netfilter is the packet filtering framework built into the Linux kernel. As the figure above shows, it hooks only into the IP layer of the kernel protocol stack, so it can only process IP packets. It acts on the packets entering, passing through and leaving Linux according to the rules that the user has loaded into the kernel. netfilter has a three-level structure: tables contain chains, chains contain rules, and each rule is one or more classifiers plus an action. It has the following five tables, each containing one to five chains; this is commonly referred to as "4 tables and 5 chains" (the security table was added later, so it has in fact become "5 tables and 5 chains"), as shown in the following figure:

  1. By default, netfilter includes five tables: the raw, filter, nat, mangle and security tables.
  2. Each table contains one or more chains, taken from the five built-in chains INPUT, FORWARD, OUTPUT, PREROUTING and POSTROUTING (which table contains which chains is shown in the figure below). A chain is an ordered collection of rules.
  3. A rule is a single entry that filters, identifies and processes the packets it specifies.
  4. Each rule consists of one or more packet classifiers (matches) and a corresponding action (target).

(figure: the chains contained in each table)

1.2.1. raw table

This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack or any other IP table. It provides two built-in chains: PREROUTING (for packets arriving via any network interface) and OUTPUT (for packets generated by local processes). Because it has the highest priority, its main use is to mark certain packets or flows so that they bypass connection tracking. Its two chains are OUTPUT (for IP packets about to be sent by this machine) and PREROUTING (for incoming IP packets).

1.2.2. mangle table

This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out). Its main function is to modify packet contents, perform traffic shaping and set marks on packets. It contains all five rule chains: INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING.

1.2.3. nat table

This table is consulted when a packet that creates a new connection is encountered. It consists of four built-in chains: PREROUTING (for altering packets as soon as they come in), INPUT (for altering packets destined for local sockets), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7. The table is responsible for network address translation, that is, rewriting the source or destination IP address or port of a packet. It contains four rule chains: PREROUTING, INPUT, OUTPUT and POSTROUTING.

1.2.4. filter table

This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets). It is responsible for filtering packets, that is, deciding whether a packet is allowed through. It contains three rule chains: INPUT, FORWARD and OUTPUT.

1.2.5. security table

This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets. Mandatory Access Control is implemented by Linux Security Modules such as SELinux. The security table is called after the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before MAC rules. This table provides the following built-in chains: INPUT (for packets coming into the box itself), OUTPUT (for altering locally-generated packets before routing), and FORWARD (for altering packets being routed through the box). The table is mainly related to the Linux security module SELinux; it is skipped in the following articles. It contains the three chains INPUT, OUTPUT and FORWARD.

1.3. The overall process of IP packet processing in netfilter

PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING are the five hook points of netfilter in the kernel protocol stack. PREROUTING sits before the kernel looks up the routing table and makes a routing decision for a received IP packet; POSTROUTING sits after the kernel has looked up the routing table and made the routing decision for an outgoing IP packet.

(figure: the five netfilter hook points in the kernel protocol stack)

For the detailed order in which an IP packet passes through each chain of each table, see the flow chart below:

(figure: processing order of the chains of each table)

A packet enters the chains of the different tables in the order shown in the figure above. The following picture, taken from a very clearly written linked article, describes the order in which a packet traverses all chains of all tables from reception to sending (unfortunately the raw table is not included).

(figure: traversal order of all chains in all tables from reception to sending; raw table not shown)
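As an added example (not code from the original post), the following Python script parses a small constructed iptables-save excerpt into the table / chain / rule structure of 1.2 and then lists, in order, the chains a packet is checked against on each of the three paths of 1.3 (arriving for a local socket, being forwarded, or locally generated). The per-hook table order follows the kernel's fixed table priorities; the path names, the sample rules and the absence of tables that are not loaded are assumptions of the example.

```python
# Tables consulted at each netfilter hook, in the kernel's fixed priority order
# (raw, mangle, nat, filter, security; nat at INPUT/POSTROUTING is source NAT, last).
HOOK_TABLE_ORDER = {
    "PREROUTING": ["raw", "mangle", "nat"],
    "INPUT": ["mangle", "filter", "security", "nat"],
    "FORWARD": ["mangle", "filter", "security"],
    "OUTPUT": ["raw", "mangle", "nat", "filter", "security"],
    "POSTROUTING": ["mangle", "nat"],
}
# Hooks visited on each path; the routing decision sits between the first two.
PATH_HOOKS = {
    "local-in": ["PREROUTING", "INPUT"],
    "forward": ["PREROUTING", "FORWARD", "POSTROUTING"],
    "local-out": ["OUTPUT", "POSTROUTING"],
}

def parse_iptables_save(text):
    tables, table = {}, None  # {table: {chain: {"policy": str, "rules": [(classifier, action)]}}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                 # "*filter": start of a table
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):               # ":INPUT DROP [0:0]": chain and its policy
            name, policy = line[1:].split()[:2]
            table[name] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):             # "-A CHAIN <classifier> -j <action>"
            _, chain, rest = line.split(" ", 2)
            match, _, target = rest.partition(" -j ")
            table[chain]["rules"].append((match.strip(), target.strip()))
    return tables                                # COMMIT, comments and blank lines are ignored

def traverse(tables, path):  # chains checked, in order, as (table, chain, policy, rules)
    visited = []
    for hook in PATH_HOOKS[path]:
        for name in HOOK_TABLE_ORDER[hook]:
            chain = tables.get(name, {}).get(hook)
            if chain is not None:                # tables or chains that are not loaded are skipped
                visited.append((name, hook, chain["policy"], chain["rules"]))
    return visited
SAMPLE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT"""  # constructed iptables-save excerpt, not captured from a real host
```

Running `traverse(parse_iptables_save(SAMPLE), "forward")` shows that a forwarded packet in this ruleset meets filter FORWARD (policy DROP) and then nat POSTROUTING, while a packet for a local socket only meets filter INPUT.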

2. iproute2

iproute2 mainly includes two tools, ip and tc. The ip tool defines the IP network configuration and routing configuration of Linux; the tc tool defines the QoS of packets entering and leaving Linux, including flow classification, routing, rate limiting, delay and so on. As the figure below shows, netfilter works in the IP layer of the protocol stack, whereas tc works in the network interface layer and processes packets mainly through the qdisc framework: the ingress qdisc runs after the network card has received a packet and before the packet enters the Linux TCP/IP stack, and the egress qdisc runs after a packet has left the Linux TCP/IP stack and before the network card sends it.

(figure: netfilter in the IP layer and tc/qdisc at the network interface layer)

The picture below, for reference, is from the netfilter official website (if you need a high-resolution copy, send the blogger a private message).

(figure: packet flow diagram from the netfilter official website)

2.1. ip

ip is one of the tools provided by iproute2. It mainly replaces the ifconfig, arp, route and netstat commands of the old net-tools tool chain for configuring and viewing the network layer of Linux. The following table gives some examples.

  net-tools command   iproute2 (ip) command   Effect
  route -n            ip route show           View the routing table
  route add           ip route add            Add a routing table entry
  route del           ip route del            Delete a routing table entry
  ifconfig -a         ip addr show            View network interface information
  arp -a              ip neigh show           View the ARP (neighbour) table
  netstat -l          ss -l                   View listening sockets

Note: ss (socket statistics) is also an iproute2 tool.

2.2. tc (traffic control): works at the network interface layer, after XDP and before netfilter

The tc (traffic control) framework sits in the kernel network protocol stack after XDP and before netfilter; it controls, classifies, redistributes, drops and otherwise manipulates network packets. tc can handle outgoing packets (egress) as well as incoming packets (ingress). The tc tool is the command-line tool that users run to configure and modify qdiscs, classes and filters. For specific usage, see the article "iproute2 and flow control (ip and tc tools): iproute2/ip/tc/qdisc implements QoS control under Linux".

2.3. qdisc/class/filter

The tc (traffic control) framework implements packet processing through qdisc/class/filter in the kernel network protocol stack. For the underlying principles and usage, see the article "iproute2 and flow control (ip and tc tools): iproute2/ip/tc/qdisc implements QoS control under Linux".

Origin blog.csdn.net/meihualing/article/details/129860440