mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-22 13:39:06 +01:00
Update Netfilter Overview
This commit is contained in:
parent b38841798e
commit 62c7ad7fbb
@ -119,34 +119,38 @@
</important>
<para>The above diagram should help you understand the output of
<quote>shorewall status</quote>. You may also wish to refer to <ulink
<quote>shorewall dump</quote>. You may also wish to refer to <ulink
url="PacketHandling.html">this article</ulink> that describes the flow of
packets through a Shorewall-generated firewall.</para>
<para>Here are some excerpts from <quote>shorewall status</quote> on a
<para>Here are some excerpts from <quote>shorewall dump</quote> on a
server with one interface (eth0):</para>
<programlisting>[root@lists html]# shorewall status
<programlisting>[root@tipper ~]# shorewall dump
Shorewall-1.4.7 Status at lists.shorewall.net - Mon Oct 13 12:51:13 PDT 2003
Counters reset Sat Oct 11 08:12:57 PDT 2003</programlisting>
Shorewall 4.4.2.2 Dump at tipper - Fri Oct 16 07:38:16 PDT 2009
Counters reset Thu Oct 8 00:38:06 PDT 2009</programlisting>
<para>The first table shown is the <emphasis role="bold">Filter</emphasis>
table.</para>
<programlisting>Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
679K 182M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
785K 93M accounting all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID</programlisting>
6428 1417K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
967K 629M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
49 3896 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED</programlisting>
<para>The <quote>dynamic</quote> chain above is where dynamic blacklisting
is done.</para>
<para>The following rule indicates that all traffic destined for the
firewall that comes into the firewall on eth0 is passed to a chain called
<quote>eth0_in</quote>. That chain will be shown further down.</para>
<programlisting> 785K 93M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
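Review bot: if the highlighted rule `785K 93M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0` is kept, it no longer matches the dump it is supposed to be taken from: the refreshed INPUT listing from tipper shows that rule as `967K 629M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0`, so the excerpt should be re-pasted from the same `shorewall dump`. A second point on the same hunk: the new INPUT chain only hands packets matching `state INVALID,NEW` to `dynamic`, so the sentence "The dynamic chain above is where dynamic blacklisting is done" would be clearer if it added that packets belonging to already-established connections never reach that chain.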
@ -155,87 +159,78 @@ Chain FORWARD (policy DROP 0 packets, 0 bytes)
0 0 accounting all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
679K 182M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
922K 618M accounting all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
922K 618M fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0</programlisting>
895K 181M fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
49 3896 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
</programlisting>
<para>Here is the eth0_in chain:</para>
<programlisting>Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
785K 93M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
785K 93M net2fw all -- * * 0.0.0.0/0 0.0.0.0/0</programlisting>
<para>The <quote>dynamic</quote> chain above is where dynamic blacklisting
is done.</para>
49 3896 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
</programlisting>
<para>Next comes the <emphasis role="bold">Nat</emphasis> table:</para>
<programlisting>NAT Table
Chain PREROUTING (policy ACCEPT 182K packets, 12M bytes)
pkts bytes target prot opt in out source destination
20005 1314K net_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 678K packets, 44M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 678K packets, 44M bytes)
pkts bytes target prot opt in out source destination
Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
638 32968 REDIRECT tcp -- * * 0.0.0.0/0 !206.124.146.177 tcp dpt:80 redir ports 3128
</programlisting>
Chain PREROUTING (policy ACCEPT 5593 packets, 1181K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 11579 packets, 771K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 11579 packets, 771K bytes)
pkts bytes target prot opt in out source destination</programlisting>
<para>And finally, the <emphasis role="bold">Mangle</emphasis>
table:</para>
<programlisting>Mangle Table
Chain PREROUTING (policy ACCEPT 14M packets, 2403M bytes)
pkts bytes target prot opt in out source destination
1464K 275M pretos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 14M packets, 2403M bytes)
pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 967K packets, 629M bytes)
pkts bytes target prot opt in out source destination
967K 629M tcpre all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 967K packets, 629M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 15M packets, 7188M bytes)
pkts bytes target prot opt in out source destination
1601K 800M outtos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 15M packets, 7188M bytes)
pkts bytes target prot opt in out source destination
Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
315K 311M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
683 59143 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
3667 5357K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source destination
271K 15M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
730 41538 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
2065 111K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08</programlisting>
pkts bytes target prot opt in out source destination
0 0 tcfor all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 895K packets, 181M bytes)
pkts bytes target prot opt in out source destination
895K 181M tcout all -- * * 0.0.0.0/0 0.0.0.0/0
|
pkts bytes target prot opt in out source destination
895K 181M tcpost all -- * * 0.0.0.0/0 0.0.0.0/0
Chain tcfor (1 references)
pkts bytes target prot opt in out source destination
Chain tcout (1 references)
pkts bytes target prot opt in out source destination
Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
Chain tcpre (1 references)
pkts bytes target prot opt in out source destination</programlisting>
</section>
</article>
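Review bot: the listing introduced by "Here is the eth0_in chain:" ends with rules that cannot belong to eth0_in: `49 3896 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0` matches on input interface `lo`, and the LOG rule carries the prefix `Shorewall:INPUT:REJECT:`; the same lines, with identical counters, appear in the refreshed INPUT chain earlier in the file, so please check whether the eth0_in excerpt was pasted from the tail of INPUT instead of from `Chain eth0_in (1 references)`. A minor second point: the refreshed Nat listing shows three chains with no rules, and the Mangle listing shows only jumps into `tcpre`, `tcfor`, `tcout` and `tcpost`, all of which are empty, whereas the old text illustrated a `REDIRECT ... redir ports 3128` rule and the `TOS set` rules; either take the dump from a host where these chains hold at least one rule or say in the surrounding text that they are empty on this host.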