mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-28 08:29:28 +01:00
DocBook XML conversion
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@884 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
fcf8c9c370
commit
3ccd51bc6f
215
Shorewall-docs/NetfilterOverview.xml
Normal file
215
Shorewall-docs/NetfilterOverview.xml
Normal file
@ -0,0 +1,215 @@
|
|||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||||
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||||
|
<article id="NetfilterOverview">
|
||||||
|
<articleinfo>
|
||||||
|
<title>Netfilter Overview</title>
|
||||||
|
|
||||||
|
<authorgroup>
|
||||||
|
<author>
|
||||||
|
<firstname>Tom</firstname>
|
||||||
|
|
||||||
|
<surname>Eastep</surname>
|
||||||
|
</author>
|
||||||
|
</authorgroup>
|
||||||
|
|
||||||
|
<pubdate>2003-10-14</pubdate>
|
||||||
|
|
||||||
|
<copyright>
|
||||||
|
<year>2003</year>
|
||||||
|
|
||||||
|
<holder>Thomas M. Eastep</holder>
|
||||||
|
</copyright>
|
||||||
|
|
||||||
|
<legalnotice>
|
||||||
|
<para>Permission is granted to copy, distribute and/or modify this
|
||||||
|
document under the terms of the GNU Free Documentation License, Version
|
||||||
|
1.2 or any later version published by the Free Software Foundation; with
|
||||||
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
|
Texts. A copy of the license is included in the section entitled "<ulink
|
||||||
|
url="GnuCopyright.htm">GNU Free Documentation License</ulink>".</para>
|
||||||
|
</legalnotice>
|
||||||
|
</articleinfo>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Netfilter Overview</title>
|
||||||
|
|
||||||
|
<para>Netfilter consists of three tables: Filter, Nat and Mangle. Each
|
||||||
|
table has a number of build-in chains: PREROUTING, INPUT, FORWARD, OUTPUT
|
||||||
|
and POSTROUTING.</para>
|
||||||
|
|
||||||
|
<para>Rules in the various tables are used as follows:</para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term>* Filter:</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para># Packet filtering (rejecting, dropping or accepting packets)</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term># Nat:</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para># Network Address Translation including DNAT, SNAT and
|
||||||
|
Masquerading</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term># Mangle:</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>General packet header modification such as setting the TOS
|
||||||
|
value or marking packets for policy routing and traffic shaping.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
|
<para>The following diagram shows how packets traverse the various builtin
|
||||||
|
chains within Netfilter. Note that not all table/chain combinations are
|
||||||
|
used.</para>
|
||||||
|
|
||||||
|
<graphic fileref="images/Netfilter.png" />
|
||||||
|
|
||||||
|
<para>"Local Process" means a process running on the Shorewall
|
||||||
|
system itself.</para>
|
||||||
|
|
||||||
|
<para>In the above diagram are boxes similar to this:</para>
|
||||||
|
|
||||||
|
<graphic fileref="images/Legend.png" />
|
||||||
|
|
||||||
|
<para>The above box gives the name of the built-in chain (INPUT) along
|
||||||
|
with the names of the tables (Mangle and Filter) that the chain exists in
|
||||||
|
and in the order that the chains are traversed. The above sample indicates
|
||||||
|
that packets go first through the INPUT chain of the Mangle table then
|
||||||
|
through the INPUT chain of the Filter table. When a chain is enclosed in
|
||||||
|
parentheses, Shorewall does not use the named chain (INPUT) in that table
|
||||||
|
(Mangle).</para>
|
||||||
|
|
||||||
|
<important>
|
||||||
|
<para>Keep in mind that chains in the Nat table are only traversed for
|
||||||
|
new connection requests (including those related to existing
|
||||||
|
connections) while the chains in the other tables are traversed on every
|
||||||
|
packet.</para>
|
||||||
|
</important>
|
||||||
|
|
||||||
|
<para>The above diagram should help you understand the output of
|
||||||
|
"shorewall status".</para>
|
||||||
|
|
||||||
|
<para>Here are some excerpts from "shorewall status" on a server
|
||||||
|
with one interface (eth0):</para>
|
||||||
|
|
||||||
|
<programlisting>[root@lists html]# shorewall status
|
||||||
|
|
||||||
|
Shorewall-1.4.7 Status at lists.shorewall.net - Mon Oct 13 12:51:13 PDT 2003
|
||||||
|
|
||||||
|
Counters reset Sat Oct 11 08:12:57 PDT 2003</programlisting>
|
||||||
|
|
||||||
|
<para>The first table shown is the Filter table.</para>
|
||||||
|
|
||||||
|
<programlisting>Chain INPUT (policy DROP 0 packets, 0 bytes)
|
||||||
|
pkts bytes target prot opt in out source destination
|
||||||
|
679K 182M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
|
||||||
|
785K 93M accounting all -- * * 0.0.0.0/0 0.0.0.0/0
|
||||||
|
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID</programlisting>
|
||||||
|
|
||||||
|
<para>The following rule indicates that all traffic destined for the
|
||||||
|
firewall that comes into the firewall on eth0 is passed to a chain called
|
||||||
|
"eth0_in". That chain will be shown further down.</para>
|
||||||
|
|
||||||
|
<programlisting> 785K 93M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
|
||||||
|
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
|
||||||
|
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
|
||||||
|
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
|
||||||
|
|
||||||
|
Chain FORWARD (policy DROP 0 packets, 0 bytes)
|
||||||
|
pkts bytes target prot opt in out source destination
|
||||||
|
0 0 accounting all -- * * 0.0.0.0/0 0.0.0.0/0
|
||||||
|
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
|
||||||
|
0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
|
||||||
|
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
|
||||||
|
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
|
||||||
|
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
|
||||||
|
|
||||||
|
Chain OUTPUT (policy DROP 1 packets, 60 bytes)
|
||||||
|
pkts bytes target prot opt in out source destination
|
||||||
|
679K 182M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
|
||||||
|
922K 618M accounting all -- * * 0.0.0.0/0 0.0.0.0/0
|
||||||
|
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
|
||||||
|
922K 618M fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
|
||||||
|
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
|
||||||
|
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
|
||||||
|
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0</programlisting>
|
||||||
|
|
||||||
|
<para>Here is the eth0_in chain:</para>
|
||||||
|
|
||||||
|
<programlisting>Chain eth0_in (1 references)
|
||||||
|
pkts bytes target prot opt in out source destination
|
||||||
|
785K 93M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
|
||||||
|
785K 93M net2fw all -- * * 0.0.0.0/0 0.0.0.0/0</programlisting>
|
||||||
|
|
||||||
|
<para>The "dynamic" chain above is where dynamic blacklisting is
|
||||||
|
done.</para>
|
||||||
|
|
||||||
|
<para>Next comes the Nat table:</para>
|
||||||
|
|
||||||
|
<programlisting>NAT Table
|
||||||
|
|
||||||
|
Chain PREROUTING (policy ACCEPT 182K packets, 12M bytes)
|
||||||
|
pkts bytes target prot opt in out source destination
|
||||||
|
20005 1314K net_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0
|
||||||
|
|
||||||
|
Chain POSTROUTING (policy ACCEPT 678K packets, 44M bytes)
|
||||||
|
pkts bytes target prot opt in out source destination
|
||||||
|
|
||||||
|
Chain OUTPUT (policy ACCEPT 678K packets, 44M bytes)
|
||||||
|
pkts bytes target prot opt in out source destination
|
||||||
|
|
||||||
|
Chain net_dnat (1 references)
|
||||||
|
pkts bytes target prot opt in out source destination
|
||||||
|
638 32968 REDIRECT tcp -- * * 0.0.0.0/0 !206.124.146.177 tcp dpt:80 redir ports 3128
|
||||||
|
</programlisting>
|
||||||
|
|
||||||
|
<para>And finally, the Mangle table:</para>
|
||||||
|
|
||||||
|
<programlisting>Mangle Table
|
||||||
|
|
||||||
|
Chain PREROUTING (policy ACCEPT 14M packets, 2403M bytes)
|
||||||
|
pkts bytes target prot opt in out source destination
|
||||||
|
1464K 275M pretos all -- * * 0.0.0.0/0 0.0.0.0/0
|
||||||
|
|
||||||
|
Chain INPUT (policy ACCEPT 14M packets, 2403M bytes)
|
||||||
|
pkts bytes target prot opt in out source destination
|
||||||
|
|
||||||
|
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
|
||||||
|
pkts bytes target prot opt in out source destination
|
||||||
|
|
||||||
|
Chain OUTPUT (policy ACCEPT 15M packets, 7188M bytes)
|
||||||
|
pkts bytes target prot opt in out source destination
|
||||||
|
1601K 800M outtos all -- * * 0.0.0.0/0 0.0.0.0/0
|
||||||
|
|
||||||
|
Chain POSTROUTING (policy ACCEPT 15M packets, 7188M bytes)
|
||||||
|
pkts bytes target prot opt in out source destination
|
||||||
|
|
||||||
|
Chain outtos (1 references)
|
||||||
|
pkts bytes target prot opt in out source destination
|
||||||
|
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
|
||||||
|
315K 311M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
|
||||||
|
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
|
||||||
|
683 59143 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
|
||||||
|
3667 5357K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
|
||||||
|
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
|
||||||
|
|
||||||
|
Chain pretos (1 references)
|
||||||
|
pkts bytes target prot opt in out source destination
|
||||||
|
271K 15M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
|
||||||
|
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
|
||||||
|
730 41538 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
|
||||||
|
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
|
||||||
|
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
|
||||||
|
2065 111K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08</programlisting>
|
||||||
|
</section>
|
||||||
|
</article>
|
Loading…
Reference in New Issue
Block a user