iptables firewall software / netfilter concept papers (a)

Others 2019-08-11 02:27:43 views: null

table of Contents

Brief introduction

When talking about the firewall, iptables have to say is, try this article easy to understand the concepts described iptables, please patiently read.

Firewall classification and description

Logically firewall host firewall and network firewall into two categories.

  • Host Firewall: for protection against a single host;
  • Network Firewall: often in a web portal or edge, for protection in the LAN for local web portal to serve behind the firewall.

Network firewall and host firewall are not in conflict, can be understood as a network firewall is to prevent collective, host firewall is to prevent the individual.

Physically, the firewall can be divided into hardware and software firewalls.

  • Hardware firewalls: to achieve some firewall functionality at the hardware level, another part of the functions of software-based, high-performance, high-cost.

  • Firewall software: software processing logic to run applications on a common hardware platform for firewall, low performance and low cost.
    Now let's talk about the linux iptables old.

    What is netfilter and iptables

    The point is simple:
  • netfilter refer to the entire project, otherwise it will not be called the official website of the www.netfilter.org.
  • especially netfilter framework netfilter kernel, iptables user space refers to the configuration tool.
  • netfilter added in the protocol stack five hooks, allows the kernel module callback function is registered in the hooks place, so that after the hook all packets will be registered functions on the respective hooks being treated, including modification of packet contents, the data marking packets lost packets or the like.
  • netfilter framework is responsible for maintaining registration on the hook handler or modules, as well as their priority.
  • iptables is a user space program, dealing with netlink by netfilter framework and kernel configuration is responsible to the hook callback function.

  • Other netfilter framework is responsible for dynamically loaded kernel modules when needed, such as ip_conntrack, nf_conntrack, NAT subsystem like.

Summary: iptables work in user space, it is a command-line tool that we use this tool to manipulate the real framework, netfilter work in kernel module.

netfilter hook

In the kernel stack, there are five associated with the netfilter hook, the packet passes through each hook will have to check whether the above registration function, if any, will call the appropriate functions to process packets, see their location The following figure:

  • NF_IP_PRE_ROUTING: receiving data packets just come in, it has not been routing that do not know the packet is to be sent to the machine or other machines.
  • NF_IP_LOCAL_IN: routing the process flow has passed, and an object of the IP packet is native, into the local data packet.
  • NF_IP_FORWARD: routing has elapsed, but the purpose of the IP packet is not the machine, but other machines, into the forward flow.
  • NF_IP_LOCAL_OUT: local program to be issued to the IP layer packet arrived, no routing.
  • NF_IP_POST_ROUTING: Local program sent out packets, or forward (forward) packet routing has elapsed, about to be brought lower sent.

According to the figure, we can imagine some common scenarios, the flow of data packets:

  • The machine object of the received IP packets are machine: NF_IP_PRE_ROUTING -> NF_IP_LOCAL_IN
  • The machine object of the received IP packet is not native: NF_IP_PRE_ROUTING -> NF_IP_FORWARD -> NF_IP_POST_ROUTING
  • The machine issued to the packet: NF_IP_LOCAL_OUT -> NF_IP_POST_ROUTING
注意: netfilter所有的钩子都是在内核协议栈的ip层,由于ipv4和ipv6用的是不同的ip层代码,所以iptables配置的rules只会影响ipv4的数据包,而ipv6相关的配置需要使用ip6tables。

iptables tables

iptables用表来管理它的rule,根据rule的作用分成了好几张表,比如用来过滤数据包的filter表,用于处理地址转换的rule就会放到nat表中,如果我们自己在开发权限的时候,因为这个不需要跟用户挂钩,所以大家理解为根据不同的功能将权限给划分到不同的表里面,如果要配置某个权限就需要操作那张表是一个道理,其中rule就是应用在netfilter钩子上的函数,用来修改或者过滤数据包。目前iptables支持的表如表所示:

表名 用途
filter 这个表里面的规则主要用来过滤数据,用来控制让那些数据可以通过,那些数据不可以通过
nat 这个表里面的rule是用来处理网络地址转换的,控制要不要进行地址转换,以及怎样修改源地址和目标地址,从容影响数据包的路由
mangle 主要用来修改ip数据包头,比如修改ttl值,同时也用于给数据包添加一些标记,从而便于其它模块对数据进行处理
raw 在netfilter里面有一个叫做connection tracking的功能(后面会介绍到),主要用来追踪所有的连接,而raw表里的rule的功能是给数据包打标记,从而控制哪些数据包不被connection tracking所追踪。
security 里面的rule跟SELinux有关,主要是在数据包上设置一些SELinux的标记,便于跟SELinux相关的模块来处理该数据包。

chains

上面我们说根据不同的功能将rule放到了不同的表里面之后,这些rule会注册到哪些钩子上呢?于是iptables将表中的rule继续分类,让rule属于不同的链(chain),由chain来决定什么时候触发chain上的这些rule。
iptables里面有5个内置的chains,分别对应5个钩子:

  • PREROUTING: 数据包经过NF_IP_PRE_ROUTING时会触发该chain上的rule.
  • INPUT: 数据包经过NF_IP_LOCAL_IN时会触发该chain上的rule.
  • FORWARD: 数据包经过NF_IP_FORWARD时会触发该chain上的rule.
  • OUTPUT: 数据包经过NF_IP_LOCAL_OUT时会触发该chain上的rule.
  • POSTROUTING: 数据包经过NF_IP_POST_ROUTING时会触发该chain上的rule.

每个表里面都可以包含多个chains,但并不是每个表都能包含所有的chains,因为某些表在某些chain上没有意义或者有些多余,比如说raw表,它只有在connection tracking之前才有意义,所以它里面包含connection tracking之后的chain就没有意义。(connection tracking的位置会在后面介绍到)

多个表里面可以包含同样的chain,比如在filter和raw表里面,都有OUTPUT chain,那应该先执行哪个表的OUTPUT chain呢?这就涉及到后面会介绍的优先级的问题。

提示:可以通过命令iptables -L -t nat|grep policy|grep Chain查看到nat表所支持的chain,其它的表也可以用类似的方式查看到,比如修改nat为raw即可看到raw表所支持的chain。

表链关系

根据上文提到的每个表里面都会有不同的链,不是每个链里面都会有所有的表,我们做下归类:

chain名 表名
prerouting raw,mangle,nat
input mangle,filter
forword mangle,filter
output raw,nat,filter
postrouting mangle,nat

但是,我们在实际使用过程中,往往是通过表作为操作入口,对规则进行定义,所以我们将表与链的关系罗列出来。
raw prerouting,output
mangle prerouting,input,forward,output,postrouting
nat prerouting,output,postrouting
filter input,forward,output

其实我们还需要注意,数据包经过一个链的时候会把所有的规则都执行一遍,所以需要一个优先级问题。关于优先级的定义如下图所示:

通过上图,我们已经知道了表中的规则可以被那些链使用,下面我们做下归纳总结,因为后面我们操作都是通过操作表来操作规则的。
| 表 |链 |
| --- | --- |
| raw |prerouting,output |
|mangle |prerouting,input,forward,output,postrouting |
|nat |prerouting,output,postrouting |
|filter |input,forward,output |

iptables中的规则

rule就是特定表的特定chain上,每条rule包含如下两部分信息

Matching

Matching就是如何匹配一个数据包,匹配条件很多,比如协议类型、源/目的IP、源/目的端口、in/out接口、包头里面的数据以及连接状态等,这些条件可以任意组合从而实现复杂情况下的匹配。详情请参考Iptables matches

targets

tartets就是找到匹配的数据包之后怎么办,常见的有如下四种:

  • drop:直接将数据包丢弃,不在进行后续的处理
  • reject:拒绝数据包通过,必要时会给数据发送一个响应的信息,
  • accept:允许数据包通过。
  • snat: 源地址转换,解决内网用户用同一个公网地址上网问题
  • masquerade:是snat的一种特殊形式,适用于动态的、临时会变的ip上
  • dnat: 目标地址转换
  • redirect: 在本机做端口映射

当然iptables包含的targets很多很多,但并不是每个表都支持所有的targets,
rule所支持的target由它所在的表和chain以及所开启的扩展功能来决定,具体每个表支持的targets请参考Iptables targets and jumps。

Guess you like

Origin www.cnblogs.com/chenxiba/p/11332545.html
Recommended
Ranking
How to make the url of the picture have the download attribute and force the download. Jump browser to download automatically.
Lr CC 8.3 Installation Guide
MD5Utils (MD5 encryption tools! Unsalted)
Econ 325 (004)
Photo studio photography appointment app based on java SpringBoot and Vue uniapp
What is b
2017 Second Guangdong strong network Cup online game --Nonstandard
myeclipse8.5 add tomact7
mpeg1, mpeg2 and mpeg4 standard comparative analysis and summary
Tencent sub-sub-group 6-color program
Daily
More
2024-04-25(32)
2024-04-24(30)
2024-04-23(30)
2024-04-22(5)
2024-04-21(0)
2024-04-20(6)
2024-04-19(5)
2024-04-18(0)
2024-04-17(31)
2024-04-16(23)

Code World

© 2018 codetd.com