
What is the use of Linux Firewall IPtables

2025-03-26 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >


Shulou(Shulou.com)06/01 Report--

This article explains the use of the Linux firewall iptables, with a focus on its targets and its connection-tracking (state) mechanism. The editor considers it very practical and shares it here as a reference; follow along to have a look.

Target (target)

We already know that the target is the action specified by a rule; packets that match the rule have that action performed on them. Besides allowing user-defined targets, iptables provides many built-in target options. Some of them are used to build more advanced rules, such as LOG, REDIRECT, MARK, MIRROR, and MASQUERADE.

State mechanism

The state mechanism is a special part of iptables, although strictly speaking it should not be called a state mechanism, because it is really only a connection tracking mechanism. Nevertheless, many people accept the name "state mechanism". Connection tracking lets netfilter know the state of a specific connection.

In iptables, a packet is related to one of four different states of the connection being tracked: NEW, ESTABLISHED, RELATED, and INVALID. Using the --state match, we can easily control who or what is allowed to initiate a new session.

All connection tracking is done in the kernel by a specific part of the netfilter framework called conntrack (short for connection tracking). Conntrack can be built as a module or compiled into the kernel. In most cases we need more detailed connection tracking, so conntrack contains many parts that handle the TCP, UDP, or ICMP protocols. These modules extract detailed and unique information from packets so that they can keep track of each data stream; this information also determines the current state of the stream as conntrack sees it. For example, UDP streams are generally uniquely identified by their destination address, source address, destination port, and source port.

In earlier kernels, we could turn the defragmentation (packet reassembly) function on or off. However, since iptables and netfilter, and connection tracking in particular, were introduced into the kernel, this option has been removed, because without reassembly connection tracking cannot work properly. Defragmentation is now integrated into conntrack and starts automatically when conntrack starts. Do not turn off defragmentation unless you also want to turn off connection tracking.

Except for locally generated packets, which are handled in the OUTPUT chain, all connection tracking is processed in the PREROUTING chain, which means that iptables computes all states in the PREROUTING chain. If we send the initial packet of a stream, the state is set to NEW in the OUTPUT chain, and when we receive the response packet, the state is set to ESTABLISHED in the PREROUTING chain. If the first packet is not locally generated, it is set to the NEW state in the PREROUTING chain. To sum up, all state changes and calculations are done in the PREROUTING and OUTPUT chains of the nat table.

As mentioned earlier, the state of a packet varies depending on the protocol carried inside IP, but outside the kernel, that is, in user space, there are only four states: NEW, ESTABLISHED, RELATED, and INVALID. They are used mainly with the state match.

NEW

NEW means that this is the first packet we have seen: the first packet of some connection that the conntrack module has seen, and which is about to be matched. For example, if we see a SYN packet, it is the first packet we pay attention to and we need to match it. The first packet need not be a SYN packet, but it will still be considered to be in the NEW state.

ESTABLISHED

ESTABLISHED means the connection has seen traffic in both directions, and packets belonging to it will continue to be matched. Connections in the ESTABLISHED state are very easy to understand: as soon as you send a packet and receive a reply, the connection is ESTABLISHED. To move a connection from NEW to ESTABLISHED, only a reply packet needs to be received, whether the packet is addressed to the firewall itself or forwarded by it. Packets such as ICMP errors and redirects are also considered ESTABLISHED, as long as they are responses to messages we sent.

RELATED

RELATED is a more troublesome state. A connection is considered RELATED when it is related to a connection that is already in the ESTABLISHED state. In other words, for a connection to be RELATED, there must first be an ESTABLISHED connection. That ESTABLISHED connection then spawns a connection outside the main connection, and this new connection is RELATED, provided, of course, that the conntrack module understands that relationship. FTP is a good example: the FTP-data connection is RELATED to the FTP-control connection.

INVALID

INVALID means that the packet cannot be identified as belonging to any connection, or has no state at all. There are several possible reasons for this, such as running out of memory, or an ICMP error message whose originating connection is unknown. Generally speaking, we DROP anything in this state.

These states can be used together to match packets, which makes our firewall much stronger and more effective. In the past, we used to open all ports above 1024 in order to let reply traffic in. Now, with the state mechanism, this is no longer necessary: we can accept only the packets that are replies to connections we already track, and keep everything else closed. This is much safer.
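The comparison above between the old "open everything above 1024" approach and a stateful ruleset, together with the per-state behaviour described in the NEW, ESTABLISHED, RELATED and INVALID sections, can be shown as concrete rules. The following shell functions are an added example, not part of the original article: each emits a minimal INPUT ruleset in iptables-restore format, so the two approaches can be compared side by side without touching a live firewall. The sshd port (22) and the LOG prefix are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: two INPUT rulesets in iptables-restore format.
# Both assume a host that only offers SSH (port 22) and replies to ping.
# Load one with:  stateful_ruleset | iptables-restore
# Review first with:  stateful_ruleset | iptables-restore --test

# The pre-conntrack approach: replies to our own outgoing connections
# arrive on high ports, so every port above 1024 is left open. Any
# service listening on a high port is therefore exposed as well.
weak_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 1024:65535 -j ACCEPT
-A INPUT -p udp --dport 1024:65535 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# The stateful approach: conntrack decides which packets are replies.
#  - INVALID packets (no known connection) are dropped, as the text advises.
#  - ESTABLISHED,RELATED packets are accepted; this single rule replaces the
#    two "1024:65535" rules above and also admits e.g. FTP-data connections,
#    provided the nf_conntrack_ftp helper module is loaded.
#  - Only specific NEW packets are accepted; other NEW packets are logged
#    (LOG target from the "Target" section) and then hit the DROP policy.
stateful_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j LOG --log-prefix "INPUT-NEW-DROP: "
COMMIT
EOF
}

# Count how many rules in the stateful ruleset match a given conntrack
# state name (NEW, ESTABLISHED, RELATED or INVALID).
rules_matching_state() {
  stateful_ruleset | grep -c -- "--state [A-Z,]*$1" || true
}

# Count how many rules in a ruleset open the whole high-port range.
high_port_rules() {
  "$1" | grep -c '1024:65535' || true
}
```

Usage: `rules_matching_state NEW` prints 3 (SSH, ping and the LOG rule), while `high_port_rules stateful_ruleset` prints 0 against 2 for `high_port_rules weak_ruleset`. On current kernels `-m state --state` is accepted as an alias for `-m conntrack --ctstate`, which is the preferred spelling in new rulesets.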

Thank you for reading! This is the end of the article "What is the use of the Linux firewall iptables?". I hope the content above has been of some help to you and has taught you something new. If you think the article is good, please share it so that more people can see it!
