Content moved to NetfilterOverview.xml

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@885 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
mhnoyes 2003-12-17 21:57:52 +00:00
parent 3ccd51bc6f
commit 4fc1dd4c41


@ -1,104 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Netfilter Overview</title>
<meta name="author" content="Tom Eastep">
</head>
<body>
<p align="left"><font size="2"><big></big></font></p>
<h1 style="text-align: center;">Netfilter Overview<br>
</h1>
Netfilter consists of three <span style="font-style: italic;">tables: </span><span
style="font-weight: bold;">Filter, Nat </span>and <span
style="font-weight: bold;">Mangle</span>. Each table has a number of
build-in <span style="font-style: italic;">chains: </span><span
style="font-weight: bold;"><span style="font-weight: bold;">PREROUTING,
INPUT, FORWARD, OUTPUT </span></span>and <span
style="font-weight: bold;">POSTROUTING.<br>
<br>
</span>Rules in the various tables are used as follows:<br>
<ul>
<li><span style="font-weight: bold;">Filter: </span>Packet filtering
(rejecting, dropping or accepting packets)</li>
<li><span style="font-weight: bold;">Nat: </span>Network Address
Translation including DNAT, SNAT and Masquerading</li>
<li><span style="font-weight: bold;">Mangle:</span> General packet
header modification such as setting the TOS value or marking packets
for policy routing and traffic shaping.<br>
</li>
</ul>
The following diagram shows how packets traverse the various builtin
chains within Netfilter. Note that not all table/chain combinations are
used.<br>
<br>
<div style="text-align: center;"><img src="images/Netfilter.png"
title="" alt="(Netfilter Flow Diagram)"
style="width: 541px; height: 826px;"><br>
<br>
<div style="text-align: left;"><br>
"Local Process" means a process running on the Shorewall system itself.<br>
<br>
In the above diagram are boxes similar to this:<br>
<br>
<img src="images/Legend.png" title="" alt="(Diagram Legend)"
style="width: 145px; height: 97px;"><br>
<br>
The above box gives the name of the built-in <span
style="font-style: italic;">chain </span>(<span
style="font-weight: bold;">INPUT</span>) along with the names of the <span
style="font-style: italic;">tables </span>(<span
style="font-weight: bold;">Mangle </span>and <span
style="font-weight: bold;">Filter</span>) that the chain exists in and
in the order that the chains are traversed. The above sample indicates
that packets go first through the <span style="font-weight: bold;">INPUT</span>
chain of the <span style="font-weight: bold;">Mangle </span>table
then
through the <span style="font-weight: bold;">INPUT</span> chain of the
<span style="font-weight: bold;">Filter </span>table. When a chain is
enclosed in parentheses, Shorewall does not use the named chain (<span
style="font-weight: bold;">INPUT)</span> in that table <span
style="font-weight: bold;">(Mangle)</span>.<br>
<br>
<span style="font-weight: bold;">IMPORTANT: </span>Keep in mind that
chains in the <span style="font-weight: bold;">Nat</span> table are <span
style="text-decoration: underline;">only traversed for new connection
requests</span> (including those related to existing connections) while
the chains in the other tables are traversed on every packet.<br>
<br>
The above diagram should help you understand the output of "shorewall
status".<br>
<br>
Here are some excerpts from "shorewall status" on a server with one
interface (eth0):<br>
<br>
<pre style="margin-left: 40px;">[root@lists html]# shorewall status<br> <br>Shorewall-1.4.7 Status at lists.shorewall.net - Mon Oct 13 12:51:13 PDT 2003<br> <br>Counters reset Sat Oct 11 08:12:57 PDT 2003<br><br></pre>
The first table shown is the <span style="font-weight: bold;">Filter </span>table.<br>
<pre style="margin-left: 40px;"> <br>Chain INPUT (policy DROP 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination<br> 679K 182M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0<br> 785K 93M accounting all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID<br></pre>
The following rule indicates that all traffic destined for the firewall
that comes into the firewall on eth0 is passed to a chain called
"eth0_in". That chain will be shown further down.<br>
<pre style="margin-left: 40px;"> 785K 93M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0<br> 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'<br> 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0<br> <br>Chain FORWARD (policy DROP 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination<br> 0 0 accounting all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID<br> 0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0<br> 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'<br> 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0<br> <br>Chain OUTPUT (policy DROP 1 packets, 60 bytes)<br> pkts bytes target prot opt in out source destination<br> 679K 182M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0<br> 922K 618M accounting all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID<br> 922K 618M fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0<br> 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'<br> 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0<br></pre>
Here is the eth0_in chain:<br>
<pre style="margin-left: 40px;">Chain eth0_in (1 references)<br> pkts bytes target prot opt in out source destination<br> 785K 93M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0<br> 785K 93M net2fw all -- * * 0.0.0.0/0 0.0.0.0/0<br></pre>
The "dynamic" chain above is where dynamic blacklisting is done.<br>
<br>
Next comes the <span style="font-weight: bold;">Nat </span>table:<br>
<pre style="margin-left: 40px;">NAT Table<br> <br>Chain PREROUTING (policy ACCEPT 182K packets, 12M bytes)<br> pkts bytes target prot opt in out source destination<br>20005 1314K net_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0<br> <br>Chain POSTROUTING (policy ACCEPT 678K packets, 44M bytes)<br> pkts bytes target prot opt in out source destination<br> <br>Chain OUTPUT (policy ACCEPT 678K packets, 44M bytes)<br> pkts bytes target prot opt in out source destination<br> <br>Chain net_dnat (1 references)<br> pkts bytes target prot opt in out source destination<br> 638 32968 REDIRECT tcp -- * * 0.0.0.0/0 !206.124.146.177 tcp dpt:80 redir ports 3128<br></pre>
And finally, the <span style="font-weight: bold;">Mangle </span>table:&nbsp;<br>
<pre style="margin-left: 40px;">Mangle Table<br> <br>Chain PREROUTING (policy ACCEPT 14M packets, 2403M bytes)<br> pkts bytes target prot opt in out source destination<br>1464K 275M pretos all -- * * 0.0.0.0/0 0.0.0.0/0<br> <br>Chain INPUT (policy ACCEPT 14M packets, 2403M bytes)<br> pkts bytes target prot opt in out source destination<br> <br>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination<br> <br>Chain OUTPUT (policy ACCEPT 15M packets, 7188M bytes)<br> pkts bytes target prot opt in out source destination<br>1601K 800M outtos all -- * * 0.0.0.0/0 0.0.0.0/0<br> <br>Chain POSTROUTING (policy ACCEPT 15M packets, 7188M bytes)<br> pkts bytes target prot opt in out source destination<br> <br>Chain outtos (1 references)<br> pkts bytes target prot opt in out source destination<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10<br> 315K 311M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10<br> 683 59143 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10<br> 3667 5357K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08<br> <br>Chain pretos (1 references)<br> pkts bytes target prot opt in out source destination<br> 271K 15M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10<br> 730 41538 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08<br> 2065 111K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08<br></pre>
<pre style="margin-left: 40px;"></pre>
</div>
</div>
<p align="left"><font size="2">Last updated 10/14/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>
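Review bot: This hunk only deletes Netfilter.html; nothing here updates the pages that link to it or carries its dependencies into NetfilterOverview.xml, so please confirm in the same change that the two figures the text relies on (images/Netfilter.png and images/Legend.png) and the support.htm and copyright.htm links survive the move, and that any remaining references to Netfilter.html are repointed. While the text is being transcribed, fix "build-in chains" to "built-in chains", and tighten the opening sentence: it lists PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING as though every table had all five, whereas the page's own caveat ("not all table/chain combinations are used") and the "shorewall status" excerpt (the Filter table shows only INPUT, FORWARD and OUTPUT; the Nat table shows only PREROUTING, POSTROUTING and OUTPUT) make clear that is not so. The IMPORTANT paragraph about the Nat table being traversed only for new connection requests is correct and worth keeping verbatim; it is what explains why the Nat PREROUTING policy counter (182K packets) is so much lower than the Mangle PREROUTING counter (14M packets) on the same host, and readers comparing counters across tables will otherwise misread the output.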