mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-26 17:43:15 +01:00
Documentation Updates
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1918 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
1142b86134
commit
6b86727898
@ -15,12 +15,12 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-07-11</pubdate>
|
<pubdate>2005-01-23</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2003</year>
|
<year>2003</year>
|
||||||
|
|
||||||
<year>2004</year>
|
<year>2005</year>
|
||||||
|
|
||||||
<holder>Thomas M. Eastep</holder>
|
<holder>Thomas M. Eastep</holder>
|
||||||
</copyright>
|
</copyright>
|
||||||
@ -31,18 +31,21 @@
|
|||||||
1.2 or any later version published by the Free Software Foundation; with
|
1.2 or any later version published by the Free Software Foundation; with
|
||||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
Texts. A copy of the license is included in the section entitled
|
Texts. A copy of the license is included in the section entitled
|
||||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||||
|
License</ulink></quote>.</para>
|
||||||
</legalnotice>
|
</legalnotice>
|
||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Netfilter Overview</title>
|
<title>Netfilter Overview</title>
|
||||||
|
|
||||||
<para>Netfilter consists of three tables: <emphasis role="bold">Filter</emphasis>,
|
<para>Netfilter consists of three tables: <emphasis
|
||||||
<emphasis role="bold">Nat</emphasis> and <emphasis role="bold">Mangle</emphasis>.
|
role="bold">Filter</emphasis>, <emphasis role="bold">Nat</emphasis> and
|
||||||
Each table has a number of build-in chains: <emphasis role="bold">PREROUTING</emphasis>,
|
<emphasis role="bold">Mangle</emphasis>. Each table has a number of
|
||||||
<emphasis role="bold">INPUT</emphasis>, <emphasis role="bold">FORWARD</emphasis>,
|
build-in chains: <emphasis role="bold">PREROUTING</emphasis>, <emphasis
|
||||||
<emphasis role="bold">OUTPUT</emphasis> and <emphasis role="bold">POSTROUTING</emphasis>.</para>
|
role="bold">INPUT</emphasis>, <emphasis role="bold">FORWARD</emphasis>,
|
||||||
|
<emphasis role="bold">OUTPUT</emphasis> and <emphasis
|
||||||
|
role="bold">POSTROUTING</emphasis>.</para>
|
||||||
|
|
||||||
<para>Rules in the various tables are used as follows:</para>
|
<para>Rules in the various tables are used as follows:</para>
|
||||||
|
|
||||||
@ -51,7 +54,8 @@
|
|||||||
<term>Filter</term>
|
<term>Filter</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Packet filtering (rejecting, dropping or accepting packets)</para>
|
<para>Packet filtering (rejecting, dropping or accepting
|
||||||
|
packets)</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -69,7 +73,8 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>General packet header modification such as setting the TOS
|
<para>General packet header modification such as setting the TOS
|
||||||
value or marking packets for policy routing and traffic shaping.</para>
|
value or marking packets for policy routing and traffic
|
||||||
|
shaping.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
@ -78,34 +83,39 @@
|
|||||||
chains within Netfilter. Note that not all table/chain combinations are
|
chains within Netfilter. Note that not all table/chain combinations are
|
||||||
used.</para>
|
used.</para>
|
||||||
|
|
||||||
<graphic fileref="images/Netfilter.png" />
|
<graphic align="center" fileref="images/Netfilter.png" />
|
||||||
|
|
||||||
<para><quote>Local Process</quote> means a process running on the
|
<para><quote>Local Process</quote> means a process running on the
|
||||||
Shorewall system itself.</para>
|
Shorewall system itself.</para>
|
||||||
|
|
||||||
<para>A more elaborate version of this flow is available <ulink
|
<para>A more elaborate version of this flow is available <ulink
|
||||||
url="http://shorewall.net/pub/shorewall/misc/netfilterflow.pdf">here</ulink>.</para>
|
url="http://shorewall.net/pub/shorewall/misc/netfilterflow.pdf">here</ulink>
|
||||||
|
and <ulink url="http://www.docum.org/docum.org/kptd/">this one</ulink>
|
||||||
|
contrasts the Netfilter flow with that of ipchains.</para>
|
||||||
|
|
||||||
<para>In the above diagram are boxes similar to this:</para>
|
<para>In the above diagram are boxes similar to this:</para>
|
||||||
|
|
||||||
<graphic fileref="images/Legend.png" />
|
<graphic fileref="images/Legend.png" />
|
||||||
|
|
||||||
<para>The above box gives the name of the built-in chain (<emphasis
|
<para>The above box gives the name of the built-in chain (<emphasis
|
||||||
role="bold">INPUT</emphasis>) along with the names of the tables (<emphasis
|
role="bold">INPUT</emphasis>) along with the names of the tables
|
||||||
role="bold">Mangle</emphasis> and <emphasis role="bold">Filter</emphasis>)
|
(<emphasis role="bold">Mangle</emphasis> and <emphasis
|
||||||
that the chain exists in and in the order that the chains are traversed.
|
role="bold">Filter</emphasis>) that the chain exists in and in the order
|
||||||
The above sample indicates that packets go first through the <emphasis
|
that the chains are traversed. The above sample indicates that packets go
|
||||||
role="bold">INPUT</emphasis> chain of the <emphasis role="bold">Mangle</emphasis>
|
first through the <emphasis role="bold">INPUT</emphasis> chain of the
|
||||||
table then through the <emphasis role="bold">INPUT</emphasis> chain of the
|
<emphasis role="bold">Mangle</emphasis> table then through the <emphasis
|
||||||
<emphasis role="bold">Filter</emphasis> table. When a chain is enclosed in
|
role="bold">INPUT</emphasis> chain of the <emphasis
|
||||||
parentheses, Shorewall does not use the named chain (<emphasis role="bold">INPUT</emphasis>)
|
role="bold">Filter</emphasis> table. When a chain is enclosed in
|
||||||
in that table (<emphasis role="bold">Mangle</emphasis>).</para>
|
parentheses, Shorewall does not use the named chain (<emphasis
|
||||||
|
role="bold">INPUT</emphasis>) in that table (<emphasis
|
||||||
|
role="bold">Mangle</emphasis>).</para>
|
||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>Keep in mind that chains in the <emphasis role="bold">Nat</emphasis>
|
<para>Keep in mind that chains in the <emphasis
|
||||||
table are <emphasis role="bold">only traversed for new connection
|
role="bold">Nat</emphasis> table are <emphasis role="bold">only
|
||||||
requests</emphasis> (including those related to existing connections)
|
traversed for new connection requests</emphasis> (including those
|
||||||
while the chains in the other tables are traversed on every packet.</para>
|
related to existing connections) while the chains in the other tables
|
||||||
|
are traversed on every packet.</para>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<para>The above diagram should help you understand the output of
|
<para>The above diagram should help you understand the output of
|
||||||
@ -137,7 +147,7 @@ Counters reset Sat Oct 11 08:12:57 PDT 2003</programlisting>
|
|||||||
|
|
||||||
<programlisting> 785K 93M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
|
<programlisting> 785K 93M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
|
||||||
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
|
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
|
||||||
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
|
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
|
||||||
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
|
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
|
||||||
|
|
||||||
Chain FORWARD (policy DROP 0 packets, 0 bytes)
|
Chain FORWARD (policy DROP 0 packets, 0 bytes)
|
||||||
@ -146,7 +156,7 @@ Chain FORWARD (policy DROP 0 packets, 0 bytes)
|
|||||||
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
|
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
|
||||||
0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
|
0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
|
||||||
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
|
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
|
||||||
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
|
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
|
||||||
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
|
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
|
||||||
|
|
||||||
Chain OUTPUT (policy DROP 1 packets, 60 bytes)
|
Chain OUTPUT (policy DROP 1 packets, 60 bytes)
|
||||||
@ -156,7 +166,7 @@ Chain OUTPUT (policy DROP 1 packets, 60 bytes)
|
|||||||
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
|
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
|
||||||
922K 618M fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
|
922K 618M fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
|
||||||
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
|
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
|
||||||
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
|
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
|
||||||
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0</programlisting>
|
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0</programlisting>
|
||||||
|
|
||||||
<para>Here is the eth0_in chain:</para>
|
<para>Here is the eth0_in chain:</para>
|
||||||
@ -188,7 +198,8 @@ Chain net_dnat (1 references)
|
|||||||
638 32968 REDIRECT tcp -- * * 0.0.0.0/0 !206.124.146.177 tcp dpt:80 redir ports 3128
|
638 32968 REDIRECT tcp -- * * 0.0.0.0/0 !206.124.146.177 tcp dpt:80 redir ports 3128
|
||||||
</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para>And finally, the <emphasis role="bold">Mangle</emphasis> table:</para>
|
<para>And finally, the <emphasis role="bold">Mangle</emphasis>
|
||||||
|
table:</para>
|
||||||
|
|
||||||
<programlisting>Mangle Table
|
<programlisting>Mangle Table
|
||||||
|
|
||||||
|
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2005-01-01</pubdate>
|
<pubdate>2005-01-14</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2004</year>
|
<year>2004</year>
|
||||||
@ -430,6 +430,43 @@ ifconfig most 192.168.1.31 netmask 255.255.255.0 up
|
|||||||
/etc/rc.d/rc.bridge </programlisting>
|
/etc/rc.d/rc.bridge </programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
|
<para>Joshua Schmidlkofer writes:</para>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting>Bridge Setup for Gentoo
|
||||||
|
|
||||||
|
#install bridge-utils
|
||||||
|
emerge bridge-utils
|
||||||
|
|
||||||
|
## create a link for net.br0
|
||||||
|
cd /etc/init.d
|
||||||
|
ln -s net.eth0 net.br0
|
||||||
|
|
||||||
|
# Remove net.eth*, add net.br0 and bridge.
|
||||||
|
rc-update del net.eth0
|
||||||
|
rc-update del net.eth1
|
||||||
|
rc-update add net,br0 default
|
||||||
|
rc-update add bridge boot
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
/etc/conf.d/bridge:
|
||||||
|
|
||||||
|
#bridge contains the name of each bridge you want created.
|
||||||
|
bridge="br0"
|
||||||
|
|
||||||
|
# bridge_<bridge>_devices contains the devices to use at bridge startup.
|
||||||
|
bridge_br0_devices="eth0 eth1"
|
||||||
|
|
||||||
|
/etc/conf.d/net
|
||||||
|
|
||||||
|
iface_br0="10.0.0.1 broadcast 10.0.0.255 netmask 255.255.255.0"
|
||||||
|
#for dhcp:
|
||||||
|
#iface_br0="dhcp"
|
||||||
|
#comment this out if you use dhcp.
|
||||||
|
gateway="eth0/10.0.0.1" </programlisting>
|
||||||
|
</blockquote>
|
||||||
|
|
||||||
<para>Users who successfully configure bridges on other distributions,
|
<para>Users who successfully configure bridges on other distributions,
|
||||||
with static or dynamic IP addresses, are encouraged to send <ulink
|
with static or dynamic IP addresses, are encouraged to send <ulink
|
||||||
url="mailto:webmaster@shorewall.net">me</ulink> their configuration so I
|
url="mailto:webmaster@shorewall.net">me</ulink> their configuration so I
|
||||||
|
Loading…
Reference in New Issue
Block a user