The basic concept of the Linux firewall

Linux firewall --- netfilter

Netfilter's five hook functions and packet flow
Netfilter places five hook functions at five points in the kernel's network stack (
INPUT,
OUTPUT,
FORWARD,
PREROUTING,
POSTROUTING)
and exposes these five hooks to user space. With a command-line tool (iptables) the user writes rules into tables; the rules are grouped into chains, and the chains make up the tables that control how IP packets are processed.

Three packet flows
    Inbound to this host: PREROUTING --> INPUT --> user-space process
    Outbound from this host: user-space process --> OUTPUT --> POSTROUTING
    Forwarded: PREROUTING --> FORWARD --> POSTROUTING

Five tables: filter, nat, mangle, raw, security

filter table: the packet-filtering rule table; filters packets that match predefined rules
nat table: network address translation rule table
mangle table: rule table for modifying packet marks and header fields
raw table: turns off connection tracking for selected packets so they pass through the firewall faster
security table: used for mandatory access control (MAC) network rules, implemented by a Linux security module (such as SELinux)

Packet filtering matching process

Transmission of data packets in the kernel

When a packet arrives on a network interface, it first enters the PREROUTING chain. The kernel then makes a routing decision based on the packet's destination IP address: either the packet is for this host, or it needs to be sent out again.
If the packet is destined for this host, it moves down (in the diagram) to the INPUT chain. Once it has passed the INPUT chain, any process waiting for it can receive it. Processes running on this host can also send packets; those pass through the OUTPUT chain and then the POSTROUTING chain before leaving.
If the packet is to be forwarded and the kernel allows forwarding, it moves to the right through the FORWARD chain and then reaches the POSTROUTING chain before being sent out.
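To make the traversal concrete, here is an added example (not from the original post) that models the three flows in Python against a small filter table: the packet visits the hook points in order, the routing decision picks INPUT or FORWARD, and the chain's first matching rule or its default policy decides the verdict. The addresses, rules and the `IP_FORWARD` flag are constructed for the example and stand in for real interface addresses, iptables rules and `net.ipv4.ip_forward`.

```python
from dataclasses import dataclass
from typing import Optional
LOCAL_ADDRS = {"192.0.2.10"}   # addresses owned by this host (constructed)
IP_FORWARD = True              # stands in for net.ipv4.ip_forward=1 (assumption)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0

@dataclass
class Rule:
    target: str                    # ACCEPT or DROP
    proto: Optional[str] = None
    dport: Optional[int] = None
    src: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """A field left as None is a wildcard; every set field must equal the packet's."""
        return all(want is None or getattr(p, attr) == want for attr, want in
                   (("proto", self.proto), ("dport", self.dport), ("src", self.src)))

# filter table: chain -> (default policy, ordered rules); constructed sample policy
FILTER = {
    "INPUT":   ("DROP", [Rule("ACCEPT", proto="tcp", dport=22, src="198.51.100.5"),
                         Rule("ACCEPT", proto="tcp", dport=443)]),
    "FORWARD": ("DROP", [Rule("ACCEPT", proto="udp", dport=53)]),
    "OUTPUT":  ("ACCEPT", []),
}

def run_chain(chain: str, p: Packet) -> str:
    """First matching rule wins; with no match the chain's default policy applies."""
    policy, rules = FILTER[chain]
    return next((r.target for r in rules if r.matches(p)), policy)

def traverse(p: Packet, locally_generated: bool = False):
    """Return (hook points visited, verdict); locally_generated models a packet from a local process."""
    if locally_generated:          # flow 2: process -> OUTPUT -> POSTROUTING
        verdict = run_chain("OUTPUT", p)
        return ["OUTPUT"] + (["POSTROUTING"] if verdict == "ACCEPT" else []), verdict
    path = ["PREROUTING"]          # raw/mangle/nat hooks only; no filter chain here
    if p.dst in LOCAL_ADDRS:       # routing decision: flow 1, PREROUTING -> INPUT
        return path + ["INPUT"], run_chain("INPUT", p)
    if not IP_FORWARD:             # kernel refuses to forward; packet is discarded
        return path, "DROP"
    verdict = run_chain("FORWARD", p)   # flow 3: PREROUTING -> FORWARD -> POSTROUTING
    return path + ["FORWARD"] + (["POSTROUTING"] if verdict == "ACCEPT" else []), verdict
```

Note that a packet dropped at INPUT or FORWARD never reaches POSTROUTING, which is why egress-side rules cannot be relied on to see everything that entered the host.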

Origin www.cnblogs.com/luck-pig/p/12133814.html