Shulou(Shulou.com)06/01 Report--

This article mainly introduces the example analysis of netfilter/iptables knowledge points in Linux, which is very detailed and has certain reference value. Friends who are interested must finish it!

Netfilter

Netfilter is a packet processing module in the Linux kernel, which can provide packet filtering, forwarding and address translation NAT functions. Iptables is a tool that can be used to add, modify, and delete packet processing rules in Netfilter.

Netfilter is a wall between the network card and the kernel protocol stack and is a free software firewall.

There are three main concepts in Netfilter: rules, tables, and chains, with levels increasing in turn.

A rule is a description of the processing of a particular message, including matching fields and action.

A chain is a collection of rules.

A table is a collection of rules for the same function in a chain.

Rules

Chain

The chain can be regarded as the multi-level in front of the network card and the kernel protocol stack, and the impassable type of message and the impassable barrier can be processed, that is, the matching impassable chain.

Messages sent from the network card to the kernel protocol stack: PREROUTING-> INPUT

Messages that cannot be sent to the kernel protocol stack from the Nic: PREROUTING-> FORWARD-> POSTROUTING

Message sent by kernel protocol stack to network card: OUTPUT-> POSTROUTING

Table

For ease of management, the same functional rules in the chain are organized in one table, and iptables has defined four tables for us.

Priority order of tables (from highest to lowest): raw-> mangle-> nat-> filter

Table chain relation

There can be multiple tables in a chain, but not all of them.

The processing of the data packet is based on the chain, but in the actual use, the rules are defined through the table as the operation entry.

Iptables

Iptables introduction

The packet filtering function of linux, namely linux Firewall, is composed of two components: netfilter and iptables.

The netfilter component, also known as kernel space, is part of the kernel and consists of packet filtering tables that contain the set of rules that the kernel uses to control packet filtering processing.

The iptables component is a tool, also known as user space, that makes it easy to insert, modify, and remove rules from packet filtering tables.

Iptables Foundation

We know that iptables acts according to the rules, which are actually the predefined conditions of the network administrator. The rule is generally defined as "if the packet header meets such conditions, the packet will be handled in this way." Rules are stored in the packet filtering table in kernel space, specifying the source address, destination address, transport protocol (such as TCP, UDP, ICMP), and service type (such as HTTP, FTP, and SMTP), respectively. When the packets match the rules, iptables processes the packets according to the methods defined by the rules, such as accept, reject, drop and so on. The main job of configuring a firewall is to add, modify, and delete these rules.

When the client accesses the server's web service, the client sends a message to the network card, and the tcp/ip protocol stack is part of the kernel, so the client's information is transmitted to the web service in user space through the kernel's TCP protocol. At this time, the destination of the client message is on the socket (IP:Port) that the web service listens to. When the web service needs to respond to client requests, The destination of the response message sent by the web service is the client. At this time, the IP and port monitored by the web service become the origin. As we said, netfilter is the real firewall and it is a part of the kernel. Therefore, if we want the firewall to achieve the purpose of "fire prevention", we need to set up checkpoints in the kernel. All incoming and outgoing messages have to pass through these checkpoints. Those who meet the release conditions can be released, while those who meet the blocking conditions need to be blocked. As a result, there are input and output levels, which are not called "levels" in iptables, but "chains".

The above is all the contents of the article "sample Analysis of netfilter/iptables knowledge points in Linux". Thank you for reading! Hope to share the content to help you, more related knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.