Introduction to the MikroTik RouterOS firewall - Learning RouterOS from Scratch, Part 03

To make the RouterOS firewall easier to understand, here is some background knowledge: the ROS firewall is in fact iptables underneath, with the same four tables and five chains. This article helps you understand the ROS firewall quickly; once you understand how iptables works, you understand the principle behind it.

The four tables and five chains are as follows.

1. The four tables:

Raw table - disables the connection-tracking mechanism for matching packets. Used in the prerouting and output chains.

Mangle table - takes packets apart, analyses them and modifies them. Used in the prerouting, input, forward, output and postrouting chains.

Nat table - network address translation. Used in the prerouting, output and postrouting chains.

Filter table - responsible for filtering. Used in the input, forward and output chains.

Priority of the tables (the order in which they are processed):

Raw -> Mangle -> Nat -> Filter


2. The five chains

A. input - the policies in this chain are applied to packets coming into the router (packets after the first routing decision).

B. output - the policies in this chain are applied to packets going out from the router (packets after the second routing decision).

C. forward - the policies in this chain are applied when packets are forwarded (packets after the first routing decision).

D. prerouting - the rules in this chain are applied to incoming packets before any routing decision is made (every incoming packet is processed by this chain first).

E. postrouting - the rules in this chain are applied to outgoing packets after the routing decision has been made (every packet leaving the router is processed by this chain after routing).

Figure: the five chains.

Some people may ask: why is the route determined twice?

In fact, routing is deciding where the data comes from and where it goes, and whether the router has to work on it. Understand it this way:

A. The destination is reached through the router, but the packet does not need processing by the router's core, for example traffic from the internal network to the internal network: once the decision is made, it simply passes straight through.

B. The destination is reached through the router, and the packet does need processing by the router's core, for example internal network to public network, or public network to internal network: it has to take a detour to be processed, because the process involves modifying the packet's IP data.

Therefore the first routing decision determines whether the router needs to process the packet, and the second decides which interface (gateway) to send it out from, after the IP modification described above is complete. Take it step by step; there is no need to worry.

Next is the diagram of the relationship between ROS and the chains, which shows where each chain can do its processing.

Figure: relationship between ROS and the chains.

It still looks dull, so how do you choose the appropriate chain for a processing rule?

The five chains can be understood quickly like this:

A. input - incoming packets that the router itself processes (destination IP is on the router).

B. output - packets sent out from the router itself.

C. forward - packets whose source and destination IP are both not on the router.

D. prerouting - packets coming in through a router interface.

E. postrouting - packets going out through a router interface.

This way it is easy to understand.

That is, roughly, the processing flow of the RouterOS firewall.

3. How rules are processed

Any data passing through the router is processed by these chains; we configure rules in the appropriate chain, and when a packet matches a rule, it is handled accordingly.

So how do you choose the appropriate chain to configure, and what processing actions are available? The next part explains, table by table, how to set firewall rules in ROS.
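As an added example that is not part of the original post, here is a minimal RouterOS rule set that places rules in each of the four tables, in the chain the text assigns to that table; the WAN interface name ether1 and the LAN subnet 192.168.88.0/24 are assumptions.

```routeros
# Added example, not from the original post: a minimal RouterOS rule set that
# puts rules in each of the four tables, in the chain the article assigns.
# Assumptions: ether1 is the WAN interface, the LAN is 192.168.88.0/24.

# Raw table (prerouting/output): decisions made before connection tracking.
# Drop packets that arrive on the WAN port claiming a LAN source address,
# so they never consume a connection-tracking entry.
/ip firewall raw
add chain=prerouting in-interface=ether1 src-address=192.168.88.0/24 \
    action=drop comment="raw: spoofed LAN source on WAN"

# Mangle table (prerouting): inspect and mark, without accepting or dropping.
/ip firewall mangle
add chain=prerouting in-interface=ether1 connection-state=new \
    action=mark-connection new-connection-mark=from-wan passthrough=yes \
    comment="mangle: tag connections that started on the WAN side"

# NAT table: RouterOS names its NAT chains srcnat (= postrouting) and
# dstnat (= prerouting) instead of using the iptables chain names.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="nat: rewrite LAN source addresses on the way out"

# Filter table: input = packets addressed to the router itself,
# forward = packets transiting the router, output = packets it originates.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="filter/input: replies to traffic the router started"
add chain=input connection-state=invalid action=drop
add chain=input in-interface=!ether1 action=accept \
    comment="filter/input: management only from the LAN side"
add chain=input action=drop comment="filter/input: everything else to the router"

add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=!ether1 out-interface=ether1 action=accept \
    comment="filter/forward: LAN -> WAN"
add chain=forward action=drop comment="filter/forward: no unsolicited inbound"
```

Within each chain the rules are evaluated top to bottom and the first match wins, so the catch-all drop rules must stay last.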


Origin blog.51cto.com/13796759/2426111