iptables Introduction
Iptables is an IP packet filtering system integrated with the latest 2.6.x Linux kernel. If a Linux system is connected to the Internet or a LAN, a server, or a proxy server connected to the LAN and the Internet, the system facilitates better control over IP packet filtering and firewall configuration on Linux systems.
iptables Working principleThe NETFILTER/IPTABLESIP packet filtering system is a powerful tool for adding, editing, and removing rules that are followed and composed by firewalls when making packet filtering decisions. These rules are stored in a dedicated packet filtering table, and these tables are integrated into the Linux kernel. In the Packet filter table, the rules are grouped in our so-called chain (chain). I'll discuss these rules in more detail and how to set them up and group them in the chain.
Although the Netfilter/iptables IP packet filtering system is called a single entity, it actually consists of two components NetFilter and iptables.
The NetFilter component, also known as kernel Space (kernelspace), is part of the kernel and consists of packet filtering tables that contain the set of rules that the kernel uses to control packet filtering processing. The Iptables component is a tool, also known as user space (userspace), that makes it easy to insert, modify, and remove rules from packet filtering tables. Unless you are using Red Hat Linux 7.1 or later, you will need to download the tool from netfilter.org and install it.
By using user space, you can build your own custom rules that are stored in the Packet filter table in the kernel space. These rules have targets that tell the kernel what to do with packets from certain sources, to certain destinations, or to certain protocol types. If a packet matches the rule, use the target ACCEPT to allow the packet to pass. You can also use target DROP or REJECT to block and kill packets. There are many other goals for other operations that can be performed on the packet.
Rules can be grouped in chains, depending on the type of packet that the rule handles. Rules that process inbound packets are added to the INPUT chain. Rules for processing outbound packets are added to the OUTPUT chain. The rules for processing packets being forwarded are added to the FORWARD chain. These three chains are the default main chains built into the basic packet filter table. In addition, there are many other types of chains available (such as prerouting and postrouting), as well as providing user-defined chains. Each chain can have a policy that defines the "default target", which is the default action to be performed, which is performed when the packet does not match any rule in the chain.
Once you have established the rules and placed the chain in place, you can begin to do a real packet filtering effort. The kernel space then takes over from the user space to work. When the packet arrives at the firewall, the kernel first checks the packet's header information, especially the destination of the message packet. We refer to this process as routing.
If the packet originates from the outside and goes to the system, and the firewall is open, the kernel passes it to the INPUT chain of the kernel Space packet filter table. If the packet originates from a different source on the internal network that is connected to the system or from the system, and the packet travels to another external system, the packet is passed to the OUTPUT chain. Similarly, packets originating from an external system and going to an external system are passed to the FORWARD chain.
Next, compare the header information of the packet with each rule in the chain to which it was passed, to see if it exactly matches a rule. If the packet matches a rule, the kernel executes the action specified by the rule's target on the packet. However, if the packet does not match this rule, it will be compared to the next rule in the chain. Finally, if the packet does not match any of the rules in the chain, the kernel will refer to the policy of the chain to decide how to handle the packet. The ideal strategy should tell the kernel to DROP the packet. This packet filtering process is illustrated graphically.
a solution for firewall software design using iptablesSince Iptables already has a perfect firewall rule, we just need to design a iptables-based Android foreground, and by running a script, call Iptables to set up the firewall rules.related Sample code:
http://code.google.com/p/droidwall/
Internet traffic Control (firewall)--iptables in Android
