forked from extern/shorewall_code
Content moved to NetfilterOverview.xml
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@885 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
3ccd51bc6f
commit
4fc1dd4c41
@ -1,104 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Netfilter Overview</title>
<meta name="author" content="Tom Eastep">
</head>
<body>
<p align="left"><font size="2"><big></big></font></p>
<h1 style="text-align: center;">Netfilter Overview<br>
</h1>
Netfilter consists of three <span style="font-style: italic;">tables: </span><span
style="font-weight: bold;">Filter, Nat </span>and <span
style="font-weight: bold;">Mangle</span>. Each table has a number of
build-in <span style="font-style: italic;">chains: </span><span
style="font-weight: bold;"><span style="font-weight: bold;">PREROUTING,
INPUT, FORWARD, OUTPUT </span></span>and <span
style="font-weight: bold;">POSTROUTING.<br>
<br>
</span>Rules in the various tables are used as follows:<br>
<ul>
<li><span style="font-weight: bold;">Filter: </span>Packet filtering
(rejecting, dropping or accepting packets)</li>
<li><span style="font-weight: bold;">Nat: </span>Network Address
Translation including DNAT, SNAT and Masquerading</li>
<li><span style="font-weight: bold;">Mangle:</span> General packet
header modification such as setting the TOS value or marking packets
for policy routing and traffic shaping.<br>
</li>
</ul>
The following diagram shows how packets traverse the various builtin
chains within Netfilter. Note that not all table/chain combinations are
used.<br>
<br>
<div style="text-align: center;"><img src="images/Netfilter.png"
title="" alt="(Netfilter Flow Diagram)"
style="width: 541px; height: 826px;"><br>
<br>
<div style="text-align: left;"><br>
"Local Process" means a process running on the Shorewall system itself.<br>
<br>
In the above diagram are boxes similar to this:<br>
<br>
<img src="images/Legend.png" title="" alt="(Diagram Legend)"
style="width: 145px; height: 97px;"><br>
<br>
The above box gives the name of the built-in <span
style="font-style: italic;">chain </span>(<span
style="font-weight: bold;">INPUT</span>) along with the names of the <span
style="font-style: italic;">tables </span>(<span
style="font-weight: bold;">Mangle </span>and <span
style="font-weight: bold;">Filter</span>) that the chain exists in and
in the order that the chains are traversed. The above sample indicates
that packets go first through the <span style="font-weight: bold;">INPUT</span>
chain of the <span style="font-weight: bold;">Mangle </span>table
then
through the <span style="font-weight: bold;">INPUT</span> chain of the
<span style="font-weight: bold;">Filter </span>table. When a chain is
enclosed in parentheses, Shorewall does not use the named chain (<span
style="font-weight: bold;">INPUT)</span> in that table <span
style="font-weight: bold;">(Mangle)</span>.<br>
<br>
<span style="font-weight: bold;">IMPORTANT: </span>Keep in mind that
chains in the <span style="font-weight: bold;">Nat</span> table are <span
style="text-decoration: underline;">only traversed for new connection
requests</span> (including those related to existing connections) while
the chains in the other tables are traversed on every packet.<br>
<br>
The above diagram should help you understand the output of "shorewall
status".<br>
<br>
Here are some excerpts from "shorewall status" on a server with one
interface (eth0):<br>
<br>
<pre style="margin-left: 40px;">[root@lists html]# shorewall status<br> <br>Shorewall-1.4.7 Status at lists.shorewall.net - Mon Oct 13 12:51:13 PDT 2003<br> <br>Counters reset Sat Oct 11 08:12:57 PDT 2003<br><br></pre>
The first table shown is the <span style="font-weight: bold;">Filter </span>table.<br>
<pre style="margin-left: 40px;"> <br>Chain INPUT (policy DROP 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination<br> 679K 182M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0<br> 785K 93M accounting all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID<br></pre>
The following rule indicates that all traffic destined for the firewall
that comes into the firewall on eth0 is passed to a chain called
"eth0_in". That chain will be shown further down.<br>
<pre style="margin-left: 40px;"> 785K 93M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0<br> 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'<br> 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0<br> <br>Chain FORWARD (policy DROP 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination<br> 0 0 accounting all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID<br> 0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0<br> 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'<br> 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0<br> <br>Chain OUTPUT (policy DROP 1 packets, 60 bytes)<br> pkts bytes target prot opt in out source destination<br> 679K 182M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0<br> 922K 618M accounting all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID<br> 922K 618M fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0<br> 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'<br> 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0<br></pre>
Here is the eth0_in chain:<br>
<pre style="margin-left: 40px;">Chain eth0_in (1 references)<br> pkts bytes target prot opt in out source destination<br> 785K 93M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0<br> 785K 93M net2fw all -- * * 0.0.0.0/0 0.0.0.0/0<br></pre>
The "dynamic" chain above is where dynamic blacklisting is done.<br>
<br>
Next comes the <span style="font-weight: bold;">Nat </span>table:<br>
<pre style="margin-left: 40px;">NAT Table<br> <br>Chain PREROUTING (policy ACCEPT 182K packets, 12M bytes)<br> pkts bytes target prot opt in out source destination<br>20005 1314K net_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0<br> <br>Chain POSTROUTING (policy ACCEPT 678K packets, 44M bytes)<br> pkts bytes target prot opt in out source destination<br> <br>Chain OUTPUT (policy ACCEPT 678K packets, 44M bytes)<br> pkts bytes target prot opt in out source destination<br> <br>Chain net_dnat (1 references)<br> pkts bytes target prot opt in out source destination<br> 638 32968 REDIRECT tcp -- * * 0.0.0.0/0 !206.124.146.177 tcp dpt:80 redir ports 3128<br></pre>
And finally, the <span style="font-weight: bold;">Mangle </span>table: <br>
<pre style="margin-left: 40px;">Mangle Table<br> <br>Chain PREROUTING (policy ACCEPT 14M packets, 2403M bytes)<br> pkts bytes target prot opt in out source destination<br>1464K 275M pretos all -- * * 0.0.0.0/0 0.0.0.0/0<br> <br>Chain INPUT (policy ACCEPT 14M packets, 2403M bytes)<br> pkts bytes target prot opt in out source destination<br> <br>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination<br> <br>Chain OUTPUT (policy ACCEPT 15M packets, 7188M bytes)<br> pkts bytes target prot opt in out source destination<br>1601K 800M outtos all -- * * 0.0.0.0/0 0.0.0.0/0<br> <br>Chain POSTROUTING (policy ACCEPT 15M packets, 7188M bytes)<br> pkts bytes target prot opt in out source destination<br> <br>Chain outtos (1 references)<br> pkts bytes target prot opt in out source destination<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10<br> 315K 311M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10<br> 683 59143 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10<br> 3667 5357K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08<br> <br>Chain pretos (1 references)<br> pkts bytes target prot opt in out source destination<br> 271K 15M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10<br> 730 41538 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08<br> 2065 111K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08<br></pre>
<pre style="margin-left: 40px;"></pre>
</div>
</div>
<p align="left"><font size="2">Last updated 10/14/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>
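Review bot: the commit message says the content moved to NetfilterOverview.xml, but this hunk only deletes the HTML page (-1,104 +0,0) and the XML replacement is not part of the diff, so the move cannot be reviewed as a unit; please either add the XML in the same commit or cite the revision that introduces it, and confirm that any page still linking to the removed "Netfilter Overview" document is repointed so the link does not dangle. The deleted page also depends on `images/Netfilter.png` and `images/Legend.png`, which the XML version will presumably still need, so those assets should not be removed alongside it. If the prose was carried over verbatim, fix the typo "build-in" ("built-in") and the inconsistent "builtin" spelling in the new file, and check that the IMPORTANT note about Nat chains being traversed only for new connections, which is the one behavioural caveat on this page, survived the conversion intact.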