[Operating System] 13. Netfilter and iptables

A. Netfilter

Netfilter is the firewall framework of the Linux 2.4 kernel, proposed by Rusty Russell. The framework is both simple and flexible, and it supports a range of security policy functions: packet filtering, packet mangling, address masquerading, transparent proxying, dynamic Network Address Translation (NAT), filtering based on the user and on the Media Access Control (MAC) address, filtering based on packet state, and rate limiting.

1. Key technologies
Netfilter is built mainly on four key technologies: connection tracking, packet filtering, address translation, and packet mangling.
(1) Connection tracking
Connection tracking is the basis of packet filtering and address translation, and it runs as a separate module. It intercepts packets at a low layer of the protocol stack and compares the current packet and its state information with the state and history information of earlier packets, obtaining the control information for the current packet. That information decides what is done with the packet, which is how the network is protected.
When the lower-layer network receives the synchronization (SYN) packet that opens a connection, Netfilter checks it against the rule base: the packet is compared with the rules in the chain, in order. If the packet should be discarded, a reset (RST) packet is sent to the remote host; otherwise the connection is accepted. The connection information is then stored in the connection tracking table, together with the state that packets of this connection are expected to have. The connection tracking table lives in kernel mode, and every subsequent packet of the connection is compared with the contents of this table, which decides the operation to perform. Because only the SYN packet is compared with the rule base, and the comparison of later packets with the connection tracking table takes place in kernel mode, the process is fast.
(2) Packet filtering
Packet filtering inspects the header of each packet passing through and decides how to handle it: discard it, allow it to pass, or perform a more complex operation.
(3) Address translation
NAT is divided into two types with different purposes: source NAT (SNAT) and destination NAT (DNAT). SNAT modifies the source address of a packet (it changes the source IP of the connection) and does its conversion at the last moment before the packet is transmitted. Address masquerading is a specialized form of SNAT. DNAT modifies the destination address of a packet (it changes the destination IP of the connection), and its conversion is always completed immediately after the packet enters. Port forwarding, load balancing and transparent proxying all belong to DNAT.
(4) Packet mangling
Packet mangling can set or change the Type of Service (TOS) field of a packet, change its Time to Live (TTL) field, and set a mark value on the packet; this mark value can then be used to limit bandwidth and to classify the packet.
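The stateful check described under (1), as an added user-space C model (example code written for this page, not Netfilter's own implementation): the rule base is consulted only for a connection-opening SYN, an accepted connection is recorded in a tracking table, and every later packet of that flow is decided from the table, in either direction, without touching the rules again. The table layout, the flow matching, the two states, and the "new connections only to ports 22 and 443" policy are constructed assumptions; the kernel's conntrack keeps a far fuller TCP state machine than the two states shown here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TCP five-tuple plus the two header flags this model looks at. */
struct flow { uint32_t saddr, daddr; uint16_t sport, dport; };
struct tcp_pkt { struct flow f; int syn, rst; };

/* Connection tracking table: a small fixed array stands in for the kernel's
 * hash table; each entry records the flow and the state it has reached. */
enum ct_state { CT_SYN_SENT, CT_ESTABLISHED };
struct ct_entry { struct flow f; enum ct_state state; int used; };
#define CT_SIZE 16
static struct ct_entry ct_table[CT_SIZE];

/* A packet belongs to an entry if it matches in either direction, so the
 * server's replies are recognised without any rule written for them. */
static int flow_matches(const struct flow *a, const struct flow *b)
{
    return (a->saddr == b->saddr && a->daddr == b->daddr &&
            a->sport == b->sport && a->dport == b->dport) ||
           (a->saddr == b->daddr && a->daddr == b->saddr &&
            a->sport == b->dport && a->dport == b->sport);
}
static struct ct_entry *ct_lookup(const struct flow *f)
{
    for (int i = 0; i < CT_SIZE; i++)
        if (ct_table[i].used && flow_matches(&ct_table[i].f, f)) return &ct_table[i];
    return NULL;
}
static struct ct_entry *ct_insert(const struct flow *f)
{
    for (int i = 0; i < CT_SIZE; i++)
        if (!ct_table[i].used) {
            ct_table[i] = (struct ct_entry){ *f, CT_SYN_SENT, 1 };
            return &ct_table[i];
        }
    return NULL;                        /* table full: treated as a refusal */
}
static void ct_flush(void) { memset(ct_table, 0, sizeof ct_table); }

/* The rule base, consulted only for a connection-opening SYN. Constructed
 * policy: new connections are allowed to TCP ports 22 and 443 only. */
static int rules_allow_new(const struct flow *f) { return f->dport == 22 || f->dport == 443; }

/* Verdict for one packet: 1 = accept, 0 = drop. (The text says a refused SYN
 * is also answered with an RST; that reply is omitted from the model.) */
static int stateful_filter(const struct tcp_pkt *p)
{
    struct ct_entry *e = ct_lookup(&p->f);
    if (e == NULL) {
        /* Unknown flow: only a SYN may open one, and only if a rule allows it. */
        if (!p->syn || !rules_allow_new(&p->f)) return 0;
        return ct_insert(&p->f) != NULL;
    }
    /* Known flow: the tracking table decides; the rule base is not consulted. */
    if (p->rst) { e->used = 0; return 1; }                   /* RST tears the entry down */
    if (e->state == CT_SYN_SENT) e->state = CT_ESTABLISHED;  /* a reply was seen */
    return 1;
}
```

The point to take from the model is the asymmetry it reproduces: a plain data segment to port 443 with no tracked flow is dropped even though a stateless rule for port 443 would pass it, while the server's reply from port 443 to an ephemeral client port is accepted purely because the table matches the flow in reverse.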

2. Netfilter defines five hook functions for IPv4. These hooks are called at five key points as packets flow through the protocol stack; in other words, the IPv4 protocol stack defines five "fishing spots" at which Netfilter may place a "hook". Once a network packet is caught, it is compared with the corresponding rule chain, and the result of that check decides the fate of the packet: it is returned intact to the IPv4 protocol stack and passed on to the upper layer; or it is modified in some way and then put back on the network; or it is simply discarded.


(1) The path of a packet through the hooks is as follows:
after a packet enters the system and passes the IP checks, it is first handled by the NF_IP_PRE_ROUTING hook function;
it then enters the routing code, which decides whether the datagram is to be forwarded or delivered to this machine;
if the packet is destined for this machine, it is handled by the NF_IP_LOCAL_IN hook function and then passed to the upper-layer protocol;
if the packet is to be forwarded, it is handled by NF_IP_FORWARD;
a forwarded packet is finally handled by the NF_IP_POST_ROUTING hook function and then transmitted to the network.
Locally generated packets are handled by the NF_IP_LOCAL_OUT hook function, pass through routing, and are transmitted after NF_IP_POST_ROUTING handling.

(2) Each hook function must eventually return one of the following values to Netfilter:
(2.1) NF_ACCEPT: continue normal datagram transmission. This return value tells Netfilter that, so far, the packet is accepted and should be submitted to the next stage of the network protocol stack.
(2.2) NF_DROP: discard the packet; it is not transmitted further.
(2.3) NF_STOLEN: the module takes over the datagram and tells Netfilter to "forget" it. From this point the callback function handles the packet itself, and Netfilter should do no further processing on it. This does not mean, however, that the packet's resources have been released: the packet and its sk_buff data structure are still valid, but the callback function has taken ownership of the packet from Netfilter.
(2.4) NF_QUEUE: queue the datagram (commonly used to hand the packet to user space for processing).
(2.5) NF_REPEAT: call the callback function again. This value should be used with caution to avoid an endless loop.
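The hook traversal in (1), the verdict handling in (2), and the placement of DNAT and SNAT described under address translation, as an added user-space C model (example code written for this page, not kernel code and not from the original post). The names and numeric values of the verdicts, the five hook points and the NF_IP_PRI_* priorities mirror the kernel headers, but the packet structure, the routing decision (one fixed public address counts as "this host"), the addresses and the four sample hooks are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts and hook numbers mirror <linux/netfilter.h>; priorities mirror the
 * NF_IP_PRI_* values in <linux/netfilter_ipv4.h> (lower value runs first). */
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2, NF_QUEUE = 3, NF_REPEAT = 4 };
enum { NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD,
       NF_IP_LOCAL_OUT, NF_IP_POST_ROUTING, NF_IP_NUMHOOKS };
enum { PRI_MANGLE = -150, PRI_NAT_DST = -100, PRI_FILTER = 0, PRI_NAT_SRC = 100 };

/* Stand-in for sk_buff: only the IPv4 header fields this model touches. */
struct pkt { uint32_t saddr, daddr; uint8_t ttl, tos; };
typedef unsigned (*hookfn)(struct pkt *p);
struct hook_ops { hookfn fn; int priority; };
#define MAX_HOOKS 8
static struct hook_ops hooks[NF_IP_NUMHOOKS][MAX_HOOKS];
static int nhooks[NF_IP_NUMHOOKS];

/* Insert keeping ascending priority; returns the hook count at that point. */
static int nf_register_hook(int hooknum, int priority, hookfn fn)
{
    int i = nhooks[hooknum];
    if (i == MAX_HOOKS) return -1;
    for (; i > 0 && hooks[hooknum][i - 1].priority > priority; i--)
        hooks[hooknum][i] = hooks[hooknum][i - 1];
    hooks[hooknum][i].fn = fn;
    hooks[hooknum][i].priority = priority;
    return ++nhooks[hooknum];
}
static void nf_unregister_all(void) { memset(nhooks, 0, sizeof nhooks); }

/* Run every hook at one point. Only NF_ACCEPT passes the packet to the next
 * hook; NF_DROP, NF_STOLEN and NF_QUEUE end the traversal here. NF_REPEAT
 * re-invokes the same hook, so a hook that always returns it spins forever. */
static unsigned nf_hook(int hooknum, struct pkt *p)
{
    for (int i = 0; i < nhooks[hooknum]; i++) {
        unsigned v;
        do v = hooks[hooknum][i].fn(p); while (v == NF_REPEAT);
        if (v != NF_ACCEPT) return v;
    }
    return NF_ACCEPT;
}

/* Constructed addresses: this host's public address, an internal server
 * behind it, and a source the sample policy blocks. */
#define PUBLIC_ADDR  0xCB00710Au  /* 203.0.113.10 */
#define SERVER_ADDR  0xC0A80114u  /* 192.168.1.20 */
#define BLOCKED_ADDR 0xC6336401u  /* 198.51.100.1 */
#define TRACE(t, n, s) strncat((t), (s), (n) - strlen(t) - 1)

/* Path of a packet arriving from the network; `trace` records the hook points
 * visited (e.g. "PRE>FWD>POST") and the return value is the final verdict. */
static unsigned ipv4_rx(struct pkt *p, char *trace, size_t n)
{
    unsigned v;
    snprintf(trace, n, "PRE");
    if ((v = nf_hook(NF_IP_PRE_ROUTING, p)) != NF_ACCEPT) return v;
    if (p->daddr == PUBLIC_ADDR) {           /* routing decision: addressed to us */
        TRACE(trace, n, ">IN");
        return nf_hook(NF_IP_LOCAL_IN, p);   /* then up to the transport layer */
    }
    TRACE(trace, n, ">FWD");
    if ((v = nf_hook(NF_IP_FORWARD, p)) != NF_ACCEPT) return v;
    p->ttl--;                                /* the forwarding code decrements TTL */
    TRACE(trace, n, ">POST");
    return nf_hook(NF_IP_POST_ROUTING, p);
}

/* Path of a locally generated packet: LOCAL_OUT, routing, POST_ROUTING. */
static unsigned ipv4_tx(struct pkt *p, char *trace, size_t n)
{
    unsigned v;
    snprintf(trace, n, "OUT");
    if ((v = nf_hook(NF_IP_LOCAL_OUT, p)) != NF_ACCEPT) return v;
    TRACE(trace, n, ">POST");
    return nf_hook(NF_IP_POST_ROUTING, p);
}

/* DNAT at PRE_ROUTING: rewriting daddr before routing is what sends a packet
 * addressed to us down the FORWARD path instead of LOCAL_IN. SNAT at
 * POST_ROUTING is the last step before transmission; it hides 192.168.1.0/24. */
static unsigned dnat_hook(struct pkt *p)
{ if (p->daddr == PUBLIC_ADDR) p->daddr = SERVER_ADDR; return NF_ACCEPT; }
static unsigned snat_hook(struct pkt *p)
{ if ((p->saddr & 0xFFFFFF00u) == 0xC0A80100u) p->saddr = PUBLIC_ADDR; return NF_ACCEPT; }
/* Mangle at FORWARD sets TOS "minimize delay"; filter at FORWARD drops one source. */
static unsigned mangle_hook(struct pkt *p) { p->tos = 0x10; return NF_ACCEPT; }
static unsigned filter_hook(struct pkt *p)
{ return p->saddr == BLOCKED_ADDR ? NF_DROP : NF_ACCEPT; }

/* Install the sample policy; returns the total number of hooks registered. */
static int setup_policy(void)
{
    nf_unregister_all();
    nf_register_hook(NF_IP_PRE_ROUTING, PRI_NAT_DST, dnat_hook);
    nf_register_hook(NF_IP_FORWARD, PRI_FILTER, filter_hook);
    nf_register_hook(NF_IP_FORWARD, PRI_MANGLE, mangle_hook); /* sorts ahead of filter */
    return 3 + nf_register_hook(NF_IP_POST_ROUTING, PRI_NAT_SRC, snat_hook);
}
```

Driving the model with setup_policy() and then ipv4_rx() on a packet addressed to PUBLIC_ADDR shows the DNAT point concretely: with no hooks installed the packet takes PRE>IN, because the routing decision sees the host's own address; with the DNAT hook installed it takes PRE>FWD>POST with daddr rewritten to SERVER_ADDR, because the rewrite happened before routing. A packet from BLOCKED_ADDR stops at PRE>FWD with NF_DROP and never reaches the SNAT hook, which is the "any verdict other than NF_ACCEPT ends the traversal" rule from (2).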

 

 

Reference:

Understanding Netfilter

Source: www.cnblogs.com/cac2020/p/11803404.html