Chapter 1: Router-based packet filtering firewalls
1.1 General concepts of packet filtering firewalls
1.1.1 What is a packet filtering firewall
A packet filtering firewall is software that examines the headers of the packets passing through it and, from those headers alone, decides the fate of each whole packet. It may discard the packet (DROP), accept it and let it through (ACCEPT), or take some more elaborate action.
Under Linux, packet filtering is built into the kernel (either as a loadable kernel module or compiled in directly). A few tricks look into the packet payload as well, but by far the most common case is to examine only the headers to decide what happens to the packet.
1.1.2 The layer at which a packet filtering firewall works
Packet filtering is a kind of firewall built into the routing function of the Linux kernel, and it works at the network layer. The classic packet filter described in this chapter judges each packet on its own, using the IP header and, for TCP and UDP, the transport-layer port and flag fields; it does not reassemble streams or keep track of connections.
1.1.3 How a packet filtering firewall works
(1) Placement of the filter. Packet filtering sits between internal hosts and external hosts; the filtering system is a router or a host. The filtering system decides, packet by packet, whether to forward or discard according to its filtering rules. A router used to filter packets is called a filtering router (also a screening router).
Packet filtering works by checking the IP header and the TCP, UDP or ICMP header of each packet. The main fields examined are:
* IP Source Address
* IP Destination Address
* Protocol (TCP packets, UDP packets, and ICMP packets)
* Source port for TCP or UDP packets
* Destination port for TCP or UDP packets
* ICMP message type
* The ACK bit in the TCP header (the packet that opens a TCP connection has SYN set and ACK clear, while every later packet has ACK set, so a filter can admit replies to connections opened from inside while refusing new inbound connections)
* The interface on which the packet arrived
* The interface through which the packet will leave
In TCP/IP, standard services have well-known port numbers; HTTP, for example, uses port 80. A specific service can therefore be blocked by blocking its port, with the caveat that port numbers are only a convention and a service can be run on any port. A packet filtering system can block connections between an internal host and an external host or network, for example to keep a host or network regarded as hostile or untrusted from connecting to the internal network.
(2) Implementation of the filter. Packet filtering is typically done by a filtering router, which differs from an ordinary router.
An ordinary router looks only at the destination address of a packet and chooses the best path to that destination. Based on the destination address there are two possibilities: if the router has a route to the destination, it forwards the packet; if it does not know how to forward the packet, it tells the sender that the destination is unreachable.
A filtering router examines the packet more closely: besides checking whether it has a route to the destination, it decides whether the packet should be forwarded at all. "Should" or "should not" is set by the router's filtering policy, which the router enforces.
The main filtering strategies of a router are:
* Reject all connections from a host or a network segment.
* Allow all connections from a host or a network segment.
* Deny connections from a host or a network segment to a specified port.
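The following is an added example, not code from the original chapter: a small stateless packet filter in the style of the filtering router described above. It parses the IPv4 header and the TCP/UDP/ICMP fields listed in 1.1.3 (addresses, protocol, ports, ACK bit, ICMP type; interfaces are omitted since raw bytes carry none), then applies an ordered rule list, first match wins, default DROP. The policy encodes the three strategies just listed plus the ACK-bit trick for replies. All addresses, ports, rules and packets are constructed for illustration.

```python
# Added example (not from the original chapter): a minimal stateless IPv4 packet filter.
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10
IPv4Net = ipaddress.IPv4Network


@dataclass
class PacketInfo:
    """Header fields a packet filter decides on; None when not applicable."""
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    sport: Optional[int] = None      # TCP/UDP source port
    dport: Optional[int] = None      # TCP/UDP destination port
    ack: Optional[bool] = None       # TCP: is the ACK bit set?
    icmp_type: Optional[int] = None  # ICMP message type


def parse_ipv4(raw: bytes) -> PacketInfo:
    """Pull the filter-relevant fields out of a raw IPv4 datagram, rejecting truncated input."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4                  # header length in bytes, IP options included
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IPv4 header length")
    info = PacketInfo(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto)
    payload = raw[ihl:]
    if proto == PROTO_TCP:
        if len(payload) < 14:                   # ports are bytes 0-3, flags byte is 13
            raise ValueError("truncated TCP header")
        info.sport, info.dport = struct.unpack("!HH", payload[:4])
        info.ack = bool(payload[13] & TCP_ACK)
    elif proto == PROTO_UDP:
        if len(payload) < 8:
            raise ValueError("truncated UDP header")
        info.sport, info.dport = struct.unpack("!HH", payload[:4])
    elif proto == PROTO_ICMP:
        if len(payload) < 4:
            raise ValueError("truncated ICMP header")
        info.icmp_type = payload[0]
    return info


@dataclass
class Rule:
    """A field is compared only when set; an unset field matches anything."""
    action: str                         # "ACCEPT" or "DROP"
    src: Optional[IPv4Net] = None
    dst: Optional[IPv4Net] = None
    proto: Optional[int] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None          # True: established traffic only; False: new connections only
    icmp_type: Optional[int] = None

    def matches(self, p: PacketInfo) -> bool:
        return ((self.src is None or p.src in self.src)
                and (self.dst is None or p.dst in self.dst)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.ack is None or p.ack == self.ack)
                and (self.icmp_type is None or p.icmp_type == self.icmp_type))


def filter_packet(rules: List[Rule], raw: bytes, default: str = "DROP") -> str:
    """First matching rule decides; anything unmatched gets the default (deny by default)."""
    p = parse_ipv4(raw)
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Constructed policy: internal network 192.0.2.0/24 sits behind the filter.
INTERNAL = IPv4Net("192.0.2.0/24")
POLICY = [
    Rule("DROP", src=IPv4Net("203.0.113.0/24")),                               # reject all from a hostile segment
    Rule("DROP", src=IPv4Net("198.51.100.0/24"), proto=PROTO_TCP, dport=23),   # deny one segment access to telnet
    Rule("ACCEPT", dst=IPv4Net("192.0.2.10/32"), proto=PROTO_TCP, dport=80),   # public web server
    Rule("ACCEPT", dst=INTERNAL, proto=PROTO_TCP, ack=True),                   # replies to connections opened inside
    Rule("ACCEPT", dst=INTERNAL, proto=PROTO_ICMP, icmp_type=0),               # echo replies only
]


# Builders for constructed test packets (checksums left zero; the filter never reads them).
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def tcp(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    return build_ipv4(src, dst, PROTO_TCP, struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0))


def icmp(src: str, dst: str, icmp_type: int) -> bytes:
    return build_ipv4(src, dst, PROTO_ICMP, struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1))


if __name__ == "__main__":
    samples = {
        "hostile net -> web":      tcp("203.0.113.5", "192.0.2.10", 40000, 80, TCP_SYN),
        "telnet from blocked net": tcp("198.51.100.7", "192.0.2.10", 40001, 23, TCP_SYN),
        "new HTTP connection":     tcp("198.51.100.7", "192.0.2.10", 40002, 80, TCP_SYN),
        "new SSH connection":      tcp("198.51.100.7", "192.0.2.20", 40003, 22, TCP_SYN),
        "reply to outbound HTTPS": tcp("198.51.100.7", "192.0.2.20", 443, 50000, TCP_SYN | TCP_ACK),
        "ping request / reply":    icmp("198.51.100.7", "192.0.2.20", 8),
    }
    for name, pkt in samples.items():
        print(f"{name:25s} -> {filter_packet(POLICY, pkt)}")
```

Rule order matters: the blanket DROP for the hostile segment comes first so that the later ACCEPT for the web server cannot override it, and the ACK-bit rule admits reply traffic without opening any port to new inbound connections. An attacker can of course set ACK on a packet that is not a reply, which is the classic weakness of this trick and the reason stateful filters track connections instead.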