From e061e936de93bd083d3f9fcdd3ce9891aadd19d2 Mon Sep 17 00:00:00 2001 From: mhnoyes Date: Wed, 17 Dec 2003 21:58:17 +0000 Subject: [PATCH] minor edit git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@886 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs/NetfilterOverview.xml | 50 ++++++++++++++++------------ 1 file changed, 28 insertions(+), 22 deletions(-) diff --git a/Shorewall-docs/NetfilterOverview.xml b/Shorewall-docs/NetfilterOverview.xml index 2e2f70afb..0f2637c54 100644 --- a/Shorewall-docs/NetfilterOverview.xml +++ b/Shorewall-docs/NetfilterOverview.xml @@ -34,32 +34,34 @@
Netfilter Overview - Netfilter consists of three tables: Filter, Nat and Mangle. Each - table has a number of build-in chains: PREROUTING, INPUT, FORWARD, OUTPUT - and POSTROUTING. + Netfilter consists of three tables: Filter, + Nat and Mangle. + Each table has a number of build-in chains: PREROUTING, + INPUT, FORWARD, + OUTPUT and POSTROUTING. Rules in the various tables are used as follows: - * Filter: + Filter - # Packet filtering (rejecting, dropping or accepting packets) + Packet filtering (rejecting, dropping or accepting packets) - # Nat: + Nat - # Network Address Translation including DNAT, SNAT and + Network Address Translation including DNAT, SNAT and Masquerading - # Mangle: + Mangle General packet header modification such as setting the TOS 
@@ -81,19 +83,22 @@ - The above box gives the name of the built-in chain (INPUT) along - with the names of the tables (Mangle and Filter) that the chain exists in - and in the order that the chains are traversed. The above sample indicates - that packets go first through the INPUT chain of the Mangle table then - through the INPUT chain of the Filter table. When a chain is enclosed in - parentheses, Shorewall does not use the named chain (INPUT) in that table - (Mangle). + The above box gives the name of the built-in chain (INPUT) along with the names of the tables (Mangle and Filter) + that the chain exists in and in the order that the chains are traversed. + The above sample indicates that packets go first through the INPUT chain of the Mangle + table then through the INPUT chain of the + Filter table. When a chain is enclosed in + parentheses, Shorewall does not use the named chain (INPUT) + in that table (Mangle). - Keep in mind that chains in the Nat table are only traversed for - new connection requests (including those related to existing - connections) while the chains in the other tables are traversed on every - packet. + Keep in mind that chains in the Nat + table are only traversed for new connection + requests (including those related to existing connections) + while the chains in the other tables are traversed on every packet. The above diagram should help you understand the output of @@ -108,7 +113,8 @@ Shorewall-1.4.7 Status at lists.shorewall.net - Mon Oct 13 12:51:13 PDT 2003 Counters reset Sat Oct 11 08:12:57 PDT 2003 - The first table shown is the Filter table. + The first table shown is the Filter + table. Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination @@ -154,7 +160,7 @@ Chain OUTPUT (policy DROP 1 packets, 60 bytes) The "dynamic" chain above is where dynamic blacklisting is done. - Next comes the Nat table: + Next comes the Nat table: NAT Table 
@@ -173,7 +179,7 @@ Chain net_dnat (1 references) 638 32968 REDIRECT tcp -- * * 0.0.0.0/0 !206.124.146.177 tcp dpt:80 redir ports 3128 - And finally, the Mangle table: + And finally, the Mangle table: Mangle Table
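Review bot: the typo "build-in chains" in the first hunk survives the reword (the new line still reads "Each table has a number of build-in chains: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING."); since that sentence is being rewrapped anyway, change it to "built-in chains". While there, consider qualifying the list, because listing all five chains after "Each table has" implies every table contains all of them, whereas only the Mangle table does (the Filter table has no PREROUTING or POSTROUTING chain and the Nat table has no INPUT or FORWARD chain); something like "Each table has some of the following built-in chains:" keeps the sentence accurate and matches the later text that describes INPUT as existing in Mangle and Filter only.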