Update Netfilter Overview

Tom Eastep 2009-10-16 10:29:36 -07:00
parent b38841798e
commit 62c7ad7fbb


@ -119,34 +119,38 @@
</important>
<para>The above diagram should help you understand the output of
<quote>shorewall status</quote>. You may also wish to refer to <ulink
<quote>shorewall dump</quote>. You may also wish to refer to <ulink
url="PacketHandling.html">this article</ulink> that describes the flow of
packets through a Shorewall-generated firewall.</para>
<para>Here are some excerpts from <quote>shorewall status</quote> on a
<para>Here are some excerpts from <quote>shorewall dump</quote> on a
server with one interface (eth0):</para>
<programlisting>[root@lists html]# shorewall status
<programlisting>[root@tipper ~]# shorewall dump
Shorewall-1.4.7 Status at lists.shorewall.net - Mon Oct 13 12:51:13 PDT 2003
Shorewall 4.4.2.2 Dump at tipper - Fri Oct 16 07:38:16 PDT 2009
Counters reset Sat Oct 11 08:12:57 PDT 2003</programlisting>
Counters reset Thu Oct 8 00:38:06 PDT 2009</programlisting>
<para>The first table shown is the <emphasis role="bold">Filter</emphasis>
table.</para>
<programlisting>Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
679K 182M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
785K 93M accounting all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID</programlisting>
6428 1417K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
967K 629M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
49 3896 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED</programlisting>
<para>The <quote>dynamic</quote> chain above is where dynamic blacklisting
is done.</para>
<para>The following rule indicates that all traffic destined for the
firewall that comes into the firewall on eth0 is passed to a chain called
<quote>eth0_in</quote>. That chain will be shown further down.</para>
<programlisting> 785K 93M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
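Review bot: the unchanged excerpt that follows the "The following rule indicates..." paragraph (`<programlisting> 785K 93M eth0_in all -- eth0 * ...` through `0 0 reject ...`) still carries the 1.4.7 counters and the `common` chain, so it now contradicts the refreshed INPUT listing two paragraphs up, which shows `967K 629M eth0_in all -- eth0 *` and no `common` chain. Either refresh that excerpt from the same 4.4.2.2 dump or drop it, since the INPUT listing already shows the eth0_in rule; as committed, a reader sees two different packet counts for the same rule on the same page. Minor: the new `dynamic` rule matches `state INVALID,NEW` while the old `DROP !icmp ... state INVALID` rule is gone, so the added sentence about dynamic blacklisting is a good place to say that INVALID packets now reach that chain too.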
@ -155,87 +159,78 @@ Chain FORWARD (policy DROP 0 packets, 0 bytes)
0 0 accounting all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
679K 182M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
922K 618M accounting all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
922K 618M fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
895K 181M fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
49 3896 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0</programlisting>
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
</programlisting>
<para>Here is the eth0_in chain:</para>
<programlisting>Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
785K 93M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
785K 93M net2fw all -- * * 0.0.0.0/0 0.0.0.0/0</programlisting>
<para>The <quote>dynamic</quote> chain above is where dynamic blacklisting
is done.</para>
49 3896 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
</programlisting>
<para>Next comes the <emphasis role="bold">Nat</emphasis> table:</para>
<programlisting>NAT Table
Chain PREROUTING (policy ACCEPT 182K packets, 12M bytes)
pkts bytes target prot opt in out source destination
20005 1314K net_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 678K packets, 44M bytes)
Chain PREROUTING (policy ACCEPT 5593 packets, 1181K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 678K packets, 44M bytes)
Chain POSTROUTING (policy ACCEPT 11579 packets, 771K bytes)
pkts bytes target prot opt in out source destination
Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
638 32968 REDIRECT tcp -- * * 0.0.0.0/0 !206.124.146.177 tcp dpt:80 redir ports 3128
</programlisting>
Chain OUTPUT (policy ACCEPT 11579 packets, 771K bytes)
pkts bytes target prot opt in out source destination</programlisting>
<para>And finally, the <emphasis role="bold">Mangle</emphasis>
table:</para>
<programlisting>Mangle Table
Chain PREROUTING (policy ACCEPT 14M packets, 2403M bytes)
Chain PREROUTING (policy ACCEPT 967K packets, 629M bytes)
pkts bytes target prot opt in out source destination
1464K 275M pretos all -- * * 0.0.0.0/0 0.0.0.0/0
967K 629M tcpre all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 14M packets, 2403M bytes)
Chain INPUT (policy ACCEPT 967K packets, 629M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 tcfor all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 15M packets, 7188M bytes)
Chain OUTPUT (policy ACCEPT 895K packets, 181M bytes)
pkts bytes target prot opt in out source destination
1601K 800M outtos all -- * * 0.0.0.0/0 0.0.0.0/0
895K 181M tcout all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 15M packets, 7188M bytes)
Chain POSTROUTING (policy ACCEPT 895K packets, 181M bytes)
pkts bytes target prot opt in out source destination
895K 181M tcpost all -- * * 0.0.0.0/0 0.0.0.0/0
Chain tcfor (1 references)
pkts bytes target prot opt in out source destination
Chain outtos (1 references)
Chain tcout (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
315K 311M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
683 59143 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
3667 5357K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
271K 15M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
730 41538 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
2065 111K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08</programlisting>
Chain tcpre (1 references)
pkts bytes target prot opt in out source destination</programlisting>
</section>
</article>
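Review bot: the replacement NAT and Mangle excerpts no longer illustrate anything: the new `Chain PREROUTING`, `Chain POSTROUTING` and `Chain OUTPUT` listings in the NAT table contain no rules (the old `net_dnat` REDIRECT example is removed without a replacement), and `tcfor`, `tcout`, `tcpre` and `tcpost` are all empty where the old `outtos`/`pretos` chains showed TOS rules. Either take the dump from a host that has tcrules/DNAT entries, or add a sentence saying these chains are empty on this host so the reader does not think output is missing. Two smaller points: the new listings introduce the `[goto]` annotation on the final `reject` rules (`0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]`) and the 4.4 chain names, neither of which the surrounding prose explains; and `</programlisting>` is now on its own line in the Filter and NAT listings but still attached to the last line in the Mangle listing, which renders as an extra blank line in one case and not the other, so pick one style.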