2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
To understand the RouterOS firewall better, here is some background. The ROS firewall is in fact a front end to iptables, so it has the same four tables and five chains. This article helps you understand the ROS firewall quickly, and with that you will also understand how iptables works.
The four tables and five chains are roughly as follows.
1. Four tables:
Raw table - turns off the connection tracking mechanism. Used on the prerouting and output chains.
Mangle table - disassembles, analyses and modifies packets. Used on the prerouting, input, forward, output and postrouting chains.
Nat table - network address translation. Used on the prerouting, output and postrouting chains.
Filter table - responsible for filtering. Used on the input, forward and output chains.
Priority of the tables:
Raw > Mangle > Nat > Filter
2. Five chains
A. input - incoming packets apply the policies in this rule chain
(packets that have passed the first route selection)
B. output - outgoing packets apply the policies in this rule chain
(packets that have passed the second route selection)
C. forward - packets being forwarded apply the policies in this rule chain
(packets that have passed the first route selection)
D. prerouting - the rules in this chain are applied before incoming packets are routed (this chain handles all packets that have not been routed yet)
E. postrouting - the rules in this chain are applied after outgoing packets are routed (all packets that have completed every routing decision pass through this chain)
First, look at the diagram of the five chains:
Some people may ask: why is the route judged twice?
Routing is really about determining where the data comes from, where it is going, and whether the router itself has to do any work on it. It can be understood as follows:
a. The destination IP is the router, but the data does not need to be processed by the kernel (for example intranet to intranet), so it is sent straight out after one judgment.
b. The destination IP is the router, and the data does need to be processed by the kernel (for example private network to public network, or public network to private network), so it has to take a detour, because the IP data has to be modified.
So the first judgment decides whether the router needs to handle the packet at all, and the second decides which interface (gateway) to send the data to after the IP data has been modified. Take your time to understand this; there is no hurry.
Next is the chain and table diagram used in ROS, which shows where each chain can be processed.
It still looks confusing, so how do you choose the appropriate chain for a rule?
The five chains can be understood quickly like this:
A. input - processes packets coming into the router (destination IP is on the router).
B. output - processes packets that leave the router.
C. forward - neither the source IP nor the destination IP of the packet is on the router.
D. prerouting - packets that enter a router interface from outside.
E. postrouting - packets that the router sends out of an interface.
It is easy to understand this way.
The above is the general packet flow of the RouterOS firewall.
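To make the chain selection concrete, here is an added example (not code from the original article or from RouterOS) that models the packet flow described above: the first routing decision picks input or forward, locally generated traffic starts at output, and each chain is expanded into the tables that can act on it in raw > mangle > nat > filter order. The router addresses and sample packets are constructed for illustration.

```python
from dataclasses import dataclass

# Tables that hook each chain, listed in the priority order given above
# (raw > mangle > nat > filter); taken from the four-table description.
TABLES_ON_CHAIN = {
    "prerouting":  ["raw", "mangle", "nat"],
    "input":       ["mangle", "filter"],
    "forward":     ["mangle", "filter"],
    "output":      ["raw", "mangle", "nat", "filter"],
    "postrouting": ["mangle", "nat"],
}

# Constructed sample: addresses owned by the router itself.
ROUTER_IPS = {"192.168.1.1", "203.0.113.5"}


@dataclass
class Packet:
    src: str
    dst: str
    locally_generated: bool = False  # True when the router created the packet


def chains_for(pkt, router_ips):
    """Return the chains a packet traverses, in order."""
    if pkt.locally_generated:
        # Router's own traffic: second routing decision, then output/postrouting.
        return ["output", "postrouting"]
    path = ["prerouting"]             # every incoming packet, before routing
    if pkt.dst in router_ips:         # first routing decision: is it for us?
        path.append("input")
    else:                             # transit traffic: forward, then route again
        path.extend(["forward", "postrouting"])
    return path


def table_sequence(pkt, router_ips):
    """Expand the chain path into the (table, chain) hook points hit in order."""
    return [(t, c) for c in chains_for(pkt, router_ips) for t in TABLES_ON_CHAIN[c]]


if __name__ == "__main__":
    samples = [
        Packet("192.168.1.10", "192.168.1.1"),                     # LAN host -> router
        Packet("192.168.1.10", "198.51.100.7"),                    # LAN host -> Internet
        Packet("203.0.113.5", "198.51.100.7", locally_generated=True),  # router -> Internet
    ]
    for p in samples:
        print(p.src, "->", p.dst, ":", chains_for(p, ROUTER_IPS))
```

Running it prints the chain list for each sample, which is the same decision you make when choosing where a filter or NAT rule belongs.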
3. How are the rules handled?
Any data that passes through the router passes through these chains; we configure rules in the appropriate chain, match the packets there, and then process them accordingly.
So how do you choose the appropriate chain for a rule, and which processing actions can be configured? In the next section we will start with how each table in the ROS firewall sets its rules.