In the study of network security the firewall is always stressed as the key component. Its basic function is to filter, and thereby control, the data packets transferred between a local network (or part of a network) and the Internet. A packet is in fact a section of data together with the information required to deliver it to its destination.
You can think of a packet as a letter: the data is the content of the letter, while the envelope carries the information used to deliver it to the right machine and the right program, and it also contains a return address. In its filtering role the firewall takes over the routing decisions for traffic going from the internal network to the Internet and from the Internet into the internal network.
Our earlier impression was that a firewall was designed only to filter illegitimate packets, which is why one type is known as a packet-filtering firewall. Today its functions keep growing: it not only filters packets but also performs network address translation, acts as a proxy, and so on. NetFilter, the firewall implementation in the Linux 2.4 kernel, is of this kind.
Let's look at where the firewall sits. My understanding is that it is either installed on a single machine as a personal firewall, or installed on the gateway machine of a local area network. The latter situation is shown below:
The diagram above summarizes the structure of NetFilter installed on a gateway. From it you can see the paths a packet may take; the points marked with [] are known as checkpoints: when a packet arrives at such a point it is stopped and some checks are performed. The checkpoint names used here are the iptables names; in NetFilter itself they correspond to the so-called hook functions.
To sum up, NetFilter has the following three basic functions:
1, data filtering (filter table)
2, network address translation (nat table)
3, data packet processing (mangle table)
According to these three functions, the five checkpoints above are grouped by function. Each function corresponds to a table in NetFilter, and at each checkpoint there are a number of matching rules; these rules form a chain. Hence the saying: "NetFilter is the container of tables, a table is the container of chains, and a chain is the container of rules."
A chain is in fact a checklist of rules. Each chain can have one or more rules, and each rule is defined like this: "If the packet header meets these conditions, then process the packet this way." When a packet arrives at a chain, the system starts from the first rule and checks whether the packet meets the conditions the rule defines: if it does, the system handles the packet as that rule specifies; if not, it continues with the next rule. Finally, if the packet matches none of the rules in the chain, the system handles it according to the chain's pre-defined policy.
An iptables command basically consists of the following five parts: the table to work in, the chain in that table, the operation to carry out (insert, add, delete, modify), the target action to take on matching packets, and the specific conditions the packet must match.
Basic syntax: iptables -t table operation chain -j target match(es) (the default table is "filter")
Basic operations are as follows:
-A append a rule at the tail of the chain
-I insert a rule
-D delete a rule
-R replace a rule
-L list the rules
Basic target actions, which apply to all chains:
ACCEPT accept the packet
DROP discard the packet
QUEUE queue the packet to user space
RETURN return to the calling chain
foobar jump to a user-defined chain
Basic matching conditions, which apply to all chains:
-p specify the protocol (tcp / icmp / udp / ...)
-s source address (ip address / masklen)
-d destination address (ip address / masklen)
-i packet input interface
-o packet output interface
Extended matching conditions:
TCP ----- match source port, destination port, any combination of TCP flags, and TCP options.
UDP ----- match source port and destination port
ICMP ---- match ICMP type
MAC ----- match the source MAC address of received packets
MARK ---- match the nfmark value
OWNER --- (only applies to locally generated packets) match user ID, group ID, process ID and session ID
LIMIT --- match packets up to a rate limit over a given period of time. This extension is very useful for limiting traffic under a DoS attack.
STATE --- match packets in a particular state (the state is determined by the connection tracking subsystem); possible states include:
INVALID (not associated with any known connection)
ESTABLISHED (packet belongs to an already established connection)
NEW (packet that starts a new connection)
RELATED (packet related to an already established connection, such as an ICMP error message or an FTP data connection)
TOS ----- match the value of the TOS field in the IP header.
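As an added example (not part of the original article), the following script combines the syntax, operations, targets and matches listed above into a complete filter-table ruleset for one host: chain policies, a user-defined chain used as a target, state matching and a rate limit. The admin subnet 192.0.2.0/24 and the chain name LOGDROP are assumptions; IPT defaults to echo so that the script only prints the commands unless it is run as root with IPT=iptables.

```shell
#!/bin/sh
# Host firewall for the filter table, built from the syntax in the text:
#   iptables -t <table> <operation> <chain> [matches] -j <target>
# IPT defaults to "echo" (dry run: print each command); run with
# IPT=iptables as root to install the rules for real.
# ADMIN_NET is an assumed example subnet, not taken from the article.
IPT="${IPT:-echo}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

apply_rules() {
    # Start from a clean filter table: -F flushes all rules, -X removes user chains.
    $IPT -t filter -F
    $IPT -t filter -X
    # Chain policies: what happens to a packet that matches no rule in the chain.
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT

    # User-defined chain LOGDROP: log (rate limited) and then DROP.
    # Other chains jump to it with -j LOGDROP.
    $IPT -t filter -N LOGDROP
    $IPT -t filter -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
    $IPT -t filter -A LOGDROP -j DROP

    # INPUT rules are checked in order; the first match decides (-A appends at the tail).
    $IPT -t filter -A INPUT -i lo -j ACCEPT
    # Connection tracking: allow replies and related packets (e.g. ICMP errors).
    $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A INPUT -m state --state INVALID -j LOGDROP
    # NEW connections: only SSH, and only from the admin subnet.
    $IPT -t filter -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -m state --state NEW -j ACCEPT
    # Rate-limited echo requests, so a ping flood cannot saturate the host.
    $IPT -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/s -j ACCEPT
    # Everything that reaches the end of INPUT is logged and dropped
    # instead of disappearing silently under the policy DROP.
    $IPT -t filter -A INPUT -j LOGDROP
}

apply_rules
```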