Network Traffic Control (Firewall) in Android: Iptables
Iptables Introduction
Iptables is the IP packet filtering system integrated with the latest Linux kernel, 2.6.x. Whether the Linux system is a host connected to the Internet or a LAN, a server, or a proxy that sits between the LAN and the Internet, iptables gives the system finer control over IP packet filtering and firewall configuration.
Iptables is a powerful tool for adding, editing, and removing firewall rules. These rules are stored in a dedicated packet filtering table that is integrated into the Linux kernel. Within that table, rules are grouped into chains. The rules themselves, how to create them, and how to group them into chains are discussed in detail below.
Although the netfilter/iptables packet filtering system is referred to as a single entity, it actually consists of two components: netfilter and iptables.
The netfilter component, also known as kernel space, is part of the kernel and consists of the packet filtering tables that hold the rule sets the kernel uses to control packet filtering. The iptables component is a user-space tool that makes it easy to insert, modify, and remove rules in the packet filtering table. Unless you are using Red Hat Linux 7.1 or later, you need to download the tool from netfilter.org and install it before use.
Using the user-space tool, you build custom rules that are stored in the kernel-space packet filtering table. Each rule has a target that tells the kernel what to do with packets from certain sources, to certain destinations, or of certain protocol types. If a packet matches a rule whose target is ACCEPT, the packet is allowed through. You can also use the DROP or REJECT targets to block and discard packets. Many other targets exist for other operations that can be performed on a packet.
Based on the kind of packet a rule handles, you group it into a chain. Rules for inbound packets are added to the INPUT chain, rules for outbound packets to the OUTPUT chain, and rules for packets being forwarded to the FORWARD chain. These three chains are the default main chains built into the basic packet filtering table. In addition, there are other chain types (such as PREROUTING and POSTROUTING) and user-defined chains. Each chain can have a policy that defines its "default target", that is, the operation executed when a packet matches none of the rules in the chain.
Once the rules have been created and placed in the proper chains, real packet filtering can begin. At this point kernel space takes over the work from user space. When a packet arrives at the firewall, the kernel first examines the packet's header information, in particular the packet's destination. This process is called routing.
If the packet comes from outside and is destined for this system, and the firewall is enabled, the kernel passes it to the INPUT chain of the kernel-space packet filtering table. If the packet originates on this system or on another host inside the intranet and is to be sent to an external system, it is passed to the OUTPUT chain. Similarly, packets originating from external systems and destined for external systems are passed to the FORWARD chain.
Next, the packet's header information is compared with each rule in the chain to see whether it matches a rule exactly. If the packet matches a rule, the kernel performs the operation specified by that rule's target on the packet. If it does not match the rule, it is compared with the next rule in the chain. Finally, if the packet matches no rule in the chain, the kernel consults the chain's policy to decide how to handle the packet. Ideally, the policy tells the kernel to DROP the packet. The packet filtering process is illustrated in the figure.
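The following is an added illustration, not code from the original article and not netfilter's own implementation. It models in Python the path just described: the routing step that picks INPUT, OUTPUT, or FORWARD from a packet's addresses, the first-matching-rule-wins walk through a chain, and the chain policy that decides the verdict when nothing matches. The hostname, addresses, and rules are constructed for the example; the comments show the iptables command each rule corresponds to.

```python
"""Toy model of the netfilter filtering path (constructed example, not iptables code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ACCEPT, DROP, REJECT = "ACCEPT", "DROP", "REJECT"


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    """One rule: every criterion that is set must match; None means 'any'."""
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None      # CIDR such as "192.168.1.0/24"
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


@dataclass
class Chain:
    name: str
    policy: str = DROP                       # default target (`iptables -P NAME DROP`)
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        """Walk the chain top to bottom; the first matching rule decides the verdict."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy                   # no rule matched: fall back to the policy


class FilterTable:
    """The three built-in chains of the filter table plus the routing decision."""

    def __init__(self, local_addrs: List[str], default_policy: str = DROP):
        self.local = {ip_address(a) for a in local_addrs}
        self.chains = {name: Chain(name, default_policy) for name in ("INPUT", "OUTPUT", "FORWARD")}

    def append(self, chain: str, rule: Rule) -> None:
        """Equivalent of `iptables -A CHAIN ...`: add the rule at the end of the chain."""
        self.chains[chain].rules.append(rule)

    def route(self, pkt: Packet) -> str:
        """Routing step: local destination -> INPUT, local source -> OUTPUT, otherwise FORWARD."""
        if ip_address(pkt.dst) in self.local:
            return "INPUT"
        if ip_address(pkt.src) in self.local:
            return "OUTPUT"
        return "FORWARD"

    def filter(self, pkt: Packet) -> Tuple[str, str]:
        """Return (chain the packet was sent to, verdict reached in that chain)."""
        chain = self.route(pkt)
        return chain, self.chains[chain].evaluate(pkt)


def build_example_table() -> FilterTable:
    """Constructed rule set for a host at 192.168.1.10 (assumed address)."""
    table = FilterTable(local_addrs=["192.168.1.10"], default_policy=DROP)
    # iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
    table.append("INPUT", Rule(ACCEPT, proto="tcp", src="192.168.1.0/24", dport=22))
    # iptables -A INPUT -p tcp -j REJECT        (any other inbound TCP is rejected)
    table.append("INPUT", Rule(REJECT, proto="tcp"))
    # iptables -A OUTPUT -j ACCEPT              (the host itself may talk out)
    table.append("OUTPUT", Rule(ACCEPT))
    # FORWARD has no rules, so its DROP policy decides every forwarded packet.
    return table


if __name__ == "__main__":
    t = build_example_table()
    for pkt in (Packet("192.168.1.20", "192.168.1.10", "tcp", 22),
                Packet("10.0.0.5", "192.168.1.10", "tcp", 22),
                Packet("10.0.0.5", "192.168.1.10", "udp", 53),
                Packet("192.168.1.10", "8.8.8.8", "udp", 53),
                Packet("10.0.0.5", "10.0.0.6", "tcp", 80)):
        print(pkt, "->", t.filter(pkt))
```

Because the walk stops at the first match, rule order is part of the security policy: appending the `REJECT` rule before the LAN `ACCEPT` rule would shadow it and refuse SSH from the LAN too. Chains with no rules, like `FORWARD` above, are decided entirely by their policy, which is why the text recommends a DROP policy as the safe default.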
Solutions for firewall software design using Iptables