Linux network firewall

Netfilter is a framework inside the kernel. iptables is the tool that generates the rules (packet filtering, NAT, mangle and so on) that this framework enforces. Rules match on header fields, so first some network background: the IP packet header and the TCP header.

IP packet header

HDR Len (header length): given in 32-bit words, so the value must be multiplied by 32/8 = 4 to get the number of bytes.

Type of service: the service type.

Total length: the length of the whole message, header and data (content) included, up to 65535 bytes. Note: total length minus header length gives the data length, i.e. the length of the TCP message or UDP message (which in turn carries the application-layer data, for example HTTP).

Identification (segment identifier): two physical devices on the path can support different maximum sizes. Host A sends a 1500-byte packet to a router that only supports 500 bytes, so the packet is fragmented; when the fragments reach router B, which supports 1500 bytes, fragments carrying the same identification are recognised as pieces of the same message.

MF (more fragments): set when more fragments of this message follow.

DF (don't fragment): fragmentation is not allowed. If the next device cannot carry the packet at this size, the packet is simply blocked and the sender is told.

Fragment offset: where this fragment sits in the original data, e.g. the first fragment covers bytes 1-100 and the second starts at 101.

TTL (time to live): a message cannot roam the Internet without limit, so an IP packet has a lifetime in the range 0-255. Every router the packet passes reduces the TTL by one, and when the TTL reaches 0 the packet is discarded directly. To tell the truth, getting an IP packet through 255 routers is very hard anyway.

Protocol number (protocol code): the data inside the IP packet is either a TCP header or a UDP header (only one of the two), or ICMP (Internet Control Message Protocol), which is neither a pure layer-4 nor a pure layer-3 protocol but "layer three and a half". The IP header records what kind of data the packet carries, so this field is the link between the network layer and the transport layer: each kind of packet content has its own code. The codes recorded in this field and the associated protocol names are as follows:
IP number | Protocol name (full name)
1  | icmp (Internet Control Message Protocol)
2  | igmp (Internet Group Management Protocol)
3  | ggp  (Gateway-to-Gateway Protocol)
4  | ip   (IP in IP encapsulation)
6  | tcp  (Transmission Control Protocol)
8  | egp  (Exterior Gateway Protocol)
17 | udp  (User Datagram Protocol)
Header checksum: the check code of the header.

Source address: the source IP address; from here we also see that an IPv4 address is 32 bits.

Destination address: a source needs a target to transmit to, and this is the destination IP.

Options (other parameters): an additional feature that includes security handling mechanisms, route recording, timestamps, strict and loose source routing, and so on.

Padding: the options are not of a fixed size, but every IP header must be a whole number of 32-bit words, so when the options fall short the padding fills the gap.

You only need to remember that the IP header contains the TTL, the protocol, the source address and the destination address. From the source and destination IP, and from the TTL (how many routers the packet may still pass), you know how the IP packet will be routed to its destination. The following subsections describe the composition and scope of IP and the mechanism (routing) by which IP packets are delivered.

Going up to the host's application protocols: numerous upper-layer application protocols are encapsulated inside TCP packets, so TCP again has to identify them. Real communication is between two processes, and IP can only tell which host, not which process, so TCP and UDP look at the port number. Port numbers range from 0 to 65535. On a general Linux host the ports 0-1024 can only be used by the administrator; other users have no permission to use them. On BSD hosts, ports above 5000 are used when the host acts as a client connecting to a server. In Linux everything is a file, so opening a port means opening a socket file.

TCP message

Source port and destination port: what is a port?
We know that IP packet transmission connects the two ends mainly by IP address, but where does this channel finally attach? That's right: to a port. The destination and source port recorded here can be called the most important parameters of a TCP packet.

Sequence number and acknowledgment number:
TCP (Transmission Control Protocol) is a reliable protocol: it needs a three-way handshake, and after the handshake every transmitted message has to be confirmed, one side telling the other what it received. Both sides start from a randomly chosen sequence number, each following sequence number builds on the previous one, and the acknowledgment number the receiver returns is the received sequence number plus one. Sending one message at a time and waiting for each confirmation is very slow (think of a film sent message by message), so a batch is sent and then confirmed. How big a batch? This is where the sliding window comes in: the window size is negotiated by both sides as the amount they can send and receive; if too much is sent, messages are discarded. What if a message is dropped? TCP is reliable: a discarded message never arrives, so its sequence number is never seen by the receiver, the receiver never sends an acknowledgment for it, and the sender retransmits. How long until retransmission? There is a timer, and the sender's retransmission time follows a standard. Also, because TCP messages are carried inside IP packets, TCP data larger than an IP packet can tolerate must be fragmented. The sequence number gives every packet its place in the sequence so the receiving side can reassemble the TCP data. To confirm that the host did receive the data our client sent, the client wants a response from the host; that is the purpose of the acknowledgment number. When the client receives this acknowledgment, it knows the previously delivered packet was properly received.
Header length: the length of the TCP header.

Reserved: reserved bits.

Flags: there are currently six TCP flag bits.
URG: urgent pointer; 0 = invalid, 1 = valid.
ACK: indicates whether the acknowledgment number is valid.
PSH: push; a pushed message must not stay in the buffer but is handed to the kernel (and the application) immediately, asking the kernel to process this message first.
RST: reset. Apart from connection jitter it means little to us; if RST is 1 the connection is terminated immediately without waiting for the termination confirmation, i.e. a forced end of the connection by the side that sends it.
SYN: synchronize; the first request for establishing a connection is sent with SYN.
FIN: finish; sent first by the side that wants to close the connection.

Window size: the sliding window size introduced above together with the sequence number.
Checksum: the check code.
Urgent pointer.
Options.
Data: the TCP payload, which may be an application-layer message. The real data in a message can be very small: for the application layer (e.g. HTTP), everything in front of its data is encapsulation; for TCP, the IP header in front of it is encapsulation; for IP, the Ethernet frame header in front of it is encapsulation. How this data is converted into a format that can be sent on the network: it may be a file format or a binary format.

TCP three-way handshake, four-way close and the states a port goes through

Host A and host B both start in the CLOSED state. The first message A sends to B, the connection request, is the active open, and with it A leaves CLOSED.
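Before following the states through the handshake, here is an added example (my own code, not part of the original notes) that decodes the IPv4 and TCP header fields listed above from raw bytes with Python's struct module: header length in 32-bit words times 4, data length as total length minus header length, the DF/MF bits and 8-byte fragment offset, the TTL, the protocol number looked up in the table above (UDP's 17 from the IANA registry), and the ports, sequence/acknowledgment numbers, six flag bits and window of the TCP header. The packet bytes are constructed inline (documentation-range addresses, a SYN to port 80), not a real capture.

```python
import struct

# Protocol numbers from the table above (UDP is 17 in the IANA registry).
PROTOCOL_NAMES = {1: "icmp", 2: "igmp", 3: "ggp", 4: "ip", 6: "tcp", 8: "egp", 17: "udp"}

# The six TCP flag bits, from the lowest bit upwards.
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the IPv4 header fields discussed above from raw bytes."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    header_len = (ver_ihl & 0x0F) * 4          # header length is in 32-bit words: x 32/8 = 4
    if header_len < 20 or total_len < header_len or len(data) < total_len:
        raise ValueError("inconsistent IPv4 length fields")
    return {
        "version": ver_ihl >> 4,
        "header_len": header_len,
        "tos": tos,
        "total_len": total_len,
        "data_len": total_len - header_len,        # what is left for TCP/UDP/ICMP
        "id": ident,                               # same id = fragments of one message
        "df": bool(flags_frag & 0x4000),           # Don't Fragment
        "mf": bool(flags_frag & 0x2000),           # More Fragments follow
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset is stored in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, "unknown"),
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "options": data[20:header_len],            # only present when header_len > 20
    }


def fragment_position(ip: dict) -> str:
    """Where this packet sits in a fragmented message, judged from MF and the offset."""
    if ip["frag_offset"] == 0:
        return "first" if ip["mf"] else "unfragmented"
    return "middle" if ip["mf"] else "last"


def parse_tcp_header(data: bytes) -> dict:
    """Decode the TCP header fields discussed above (ports, seq/ack, flags, window)."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, urg = struct.unpack("!HHIIHHHH", data[:20])
    header_len = (off_flags >> 12) * 4           # data offset, also in 32-bit words
    flag_bits = off_flags & 0x3F                 # the six flag bits
    return {
        "sport": sport, "dport": dport,
        "seq": seq, "ack": ack,
        "header_len": header_len,
        "flags": {name: bool((flag_bits >> i) & 1) for i, name in enumerate(TCP_FLAGS)},
        "window": window,
        "urgent_pointer": urg,
        "options": data[20:header_len],
        "payload": data[header_len:],
    }


def decode_packet(packet: bytes):
    """IP header first; the TCP header only if protocol is 6 and this is not a later fragment."""
    ip = parse_ipv4_header(packet)
    inner = packet[ip["header_len"]:ip["total_len"]]
    tcp = parse_tcp_header(inner) if ip["protocol"] == 6 and ip["frag_offset"] == 0 else None
    return ip, tcp


def build_sample_packet(flags_frag=0x4000, tcp_flags=0x02, payload=b"") -> bytes:
    """Constructed sample (not a real capture): 192.0.2.10:40000 -> 198.51.100.5:80, TTL 64."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | tcp_flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, flags_frag, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return ip + tcp


if __name__ == "__main__":
    ip_hdr, tcp_hdr = decode_packet(build_sample_packet())
    print(ip_hdr)
    print(tcp_hdr)
```

The default sample is a plain SYN with DF set; passing flags_frag=0x2000 | 25 yields a middle fragment at offset 200 bytes, for which decode_packet correctly refuses to read a TCP header, since only the first fragment carries one.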
B has done a passive open (CLOSED -> LISTEN) and is waiting. A sends its first request message to B with syn=1 ack=0 and goes from the active open into the SYN_SENT state. B receives the SYN and replies with the first message from its side; because it is B's first message its SYN must be 1, and ACK is 1 (A's sequence number plus one): syn=1 ack=1. B's state goes from LISTEN to SYN_RCVD. A receives B's reply, answers with ack=1 and becomes ESTABLISHED; when B receives that reply it becomes ESTABLISHED too.

Finite state machine: all the TCP states. Four-way close: the side that sends a message carrying the FIN flag to request shutdown is called the active closing side. The active side sends FIN and becomes FIN_WAIT_1. The passive closing side replies ACK from ESTABLISHED and enters CLOSE_WAIT, where it stays until it sends its own FIN. When the active side receives that ACK it is in FIN_WAIT_2. When the passive side's FIN arrives, the active side replies ACK, but it cannot close immediately: it stays in TIME_WAIT for twice the MSL before going to CLOSED. The passive side, after sending its FIN, is in LAST_ACK, and when it receives the final ACK it becomes CLOSED. These states are called TCP state transitions, and the mechanism that moves between them is TCP's finite state machine.

Firewall

What is a firewall? Rules with matching criteria, working on the edge of a host or network: packets going in and out are checked one by one against the pre-defined rules, and once a rule is triggered, the action defined by the rule is applied. A firewall is the series of components that does this. Firewalls can be hardware or software; either way the rules (matching criteria plus the action) are the substance. The protection is the rules; the firewall itself is a framework.
A firewall can be purely hardware or purely software. Default policy: either fully open (everything passes; the rules block the exceptions) or fully closed (everything is blocked; the rules grant the exceptions a pass).

Rules: matching criteria.
IP: sip (source IP), dip (destination IP).
TCP: sport, dport, and also the flag bits. First handshake: syn=1 ack=0 rst=0 fin=0. Second handshake: syn=1 ack=1 fin=0 rst=0. Third handshake, i.e. the established connection: ack=1 syn=0 rst=0 fin=0.
UDP: sport, dport.
ICMP: icmp_type, the message types, such as ping, gateway unreachable, host unreachable (host not online), request timeout, host cannot be resolved.

Filtering incoming and outgoing messages according to matching criteria is what a packet-filtering firewall does. The Linux kernel implements the network functions, and rules cannot be placed in user space, so they live in the kernel. But a user cannot deal with the kernel directly, so a mechanism was chosen: at certain positions in the TCP/IP implementation the kernel is opened up to a user-space command, and the rules written with that command are sent straight to those positions in the kernel's TCP/IP protocol stack. The positions inside the kernel are called the working framework, and the user-side command is the management tool. The kernel sets up a mechanism that provides several system calls, and the application completes its work through those system calls. Of course, not every application can deal with the kernel.
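The handshake and close states described above and the flag-based matching criteria just listed, as an added example (my own code, not from the original notes): a table-driven model of TCP's finite state machine, plus a classifier that labels a segment by its flag bits exactly the way the criteria above do (syn=1 ack=0 is the first handshake message, syn=1 ack=1 the second, ack=1 syn=0 an established connection). Everything is simulated in memory; no sockets are opened. State names are the ones used above; the event names, and the assumption that FIN segments carry ACK as well, are mine.

```python
# Events an endpoint reacts to: "open_active", "open_passive", "close", "timeout_2msl",
# or "recv:<FLAGS>" where <FLAGS> is the sorted, '+'-joined flag set of an arriving segment.
# Each entry maps (state, event) -> (next_state, flags of the segment sent in reply, or None).
TRANSITIONS = {
    ("CLOSED", "open_active"):       ("SYN_SENT",    {"SYN"}),          # active open: send SYN
    ("CLOSED", "open_passive"):      ("LISTEN",      None),             # passive open
    ("LISTEN", "recv:SYN"):          ("SYN_RCVD",    {"ACK", "SYN"}),   # reply SYN+ACK
    ("SYN_SENT", "recv:ACK+SYN"):    ("ESTABLISHED", {"ACK"}),          # third handshake message
    ("SYN_RCVD", "recv:ACK"):        ("ESTABLISHED", None),
    ("ESTABLISHED", "close"):        ("FIN_WAIT_1",  {"ACK", "FIN"}),   # active close: send FIN
    ("ESTABLISHED", "recv:ACK+FIN"): ("CLOSE_WAIT",  {"ACK"}),          # passive close
    ("FIN_WAIT_1", "recv:ACK"):      ("FIN_WAIT_2",  None),
    ("FIN_WAIT_2", "recv:ACK+FIN"):  ("TIME_WAIT",   {"ACK"}),          # still has to wait 2 MSL
    ("CLOSE_WAIT", "close"):         ("LAST_ACK",    {"ACK", "FIN"}),
    ("LAST_ACK", "recv:ACK"):        ("CLOSED",      None),
    ("TIME_WAIT", "timeout_2msl"):   ("CLOSED",      None),
}


def flag_key(flags) -> str:
    return "+".join(sorted(flags))


def handshake_stage(flags) -> str:
    """Classify a segment by its flag bits, as the filtering criteria above do."""
    f = set(flags)
    if "RST" in f:
        return "reset"
    if "FIN" in f:
        return "teardown"
    if f == {"SYN"}:
        return "handshake-1"      # syn=1 ack=0 rst=0 fin=0
    if f == {"SYN", "ACK"}:
        return "handshake-2"      # syn=1 ack=1 rst=0 fin=0
    if "ACK" in f:
        return "established"      # ack=1 syn=0 rst=0 fin=0
    return "other"


class TcpEndpoint:
    def __init__(self, name: str):
        self.name = name
        self.state = "CLOSED"
        self.history = ["CLOSED"]

    def on(self, event: str):
        """Apply an event; return the flags of the segment to send in reply, if any."""
        try:
            self.state, reply = TRANSITIONS[(self.state, event)]
        except KeyError:
            raise ValueError(f"{self.name}: no transition from {self.state} on {event}")
        self.history.append(self.state)
        return reply


def relay(sender, receiver, flags, log):
    """Deliver a segment and keep bouncing replies until one side has nothing to send."""
    while flags:
        log.append((sender.name, receiver.name, flag_key(flags), handshake_stage(flags)))
        flags = receiver.on("recv:" + flag_key(flags))
        sender, receiver = receiver, sender


def simulate_connection():
    """Three-way handshake, then a four-way close started by the client."""
    client, server, log = TcpEndpoint("client"), TcpEndpoint("server"), []
    server.on("open_passive")
    relay(client, server, client.on("open_active"), log)   # SYN, SYN+ACK, ACK
    relay(client, server, client.on("close"), log)          # FIN, ACK
    relay(server, client, server.on("close"), log)          # FIN, ACK
    client.on("timeout_2msl")                               # 2 MSL later
    return client.history, server.history, log


if __name__ == "__main__":
    for entry in simulate_connection()[2]:
        print(entry)
```

Note that the bare ACK answering a FIN is classified as "established": by flag bits alone it is indistinguishable from a data acknowledgment on a live connection, which is exactly why the criteria above treat ack=1 syn=0 rst=0 fin=0 as the established-connection pattern. A segment that arrives in a state with no transition (a SYN hitting a CLOSED endpoint, say) raises ValueError rather than being silently accepted.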
Some mechanisms work this way, e.g. mkdir deals with the hard disk through a kernel mechanism. History: Linux 2.0, command ipfw / mechanism firewall (ported with reference to OpenBSD); Linux 2.2, command ipchains / mechanism firewall; Linux 2.4, command iptables / mechanism netfilter. For 2.4, netfilter is the place in the kernel where rules can be placed, and iptables is the command application that issues the system calls placing rules in the kernel. iptables is composed of four tables and five chains.

So where must a message pass for us to filter it? An IP packet first enters through the Ethernet card, the frame is unpacked and the packet is handed to the TCP/IP stack, which first looks at the IP header: the source IP and the destination IP. If the packet is addressed to this machine it goes up; if not, it needs to be forwarded, provided the machine's forwarding function is turned on (/proc/sys/net/ipv4/ip_forward). A forwarded message is not handed by the TCP/IP stack to the machine's user space for an application to deal with.

How many kinds of flow are there? Three: 1. from outside into the local machine; 2. requests from the local machine to the outside; 3. from outside, forwarded to outside. All three pass one position: the TCP/IP protocol stack has a routing table for routing decisions, and every packet reaching the local network card first gets a routing decision, entering the local machine or being forwarded. These positions are the hook functions (hooks): any message passing these positions is hooked and, once a rule is satisfied, its action is executed. There are really two positions on each path: the hook before the routing decision, after the packet has entered the card, and the hook before the packet leaves through the exit card, after it has been routed.

Address translation on an internal router has to change the message the moment it enters the machine, before the routing decision; otherwise the decision would already have been made on the old address, and there is no point changing it on the way out. For the reverse direction the change is made just before the packet goes out. The hook functions are prerouting, input, output, forward and postrouting. Rules can be placed at each hook position, and the rules at one position look like a chain, so there are five rule chains: PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING. The functions that use these chains are the tables, hence the command name iptables:

filter (filtering): INPUT, OUTPUT, FORWARD.
nat (address translation): PREROUTING, OUTPUT, POSTROUTING.
mangle (take the message apart and sew it up again, i.e. modify other header fields such as the TTL): all five chains, PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING.
raw (no changes, restore the original): neither for local nor for forwarded traffic is anything done; it can only be placed on two chains, PREROUTING and OUTPUT.

Summary: iptables is composed of four tables and five chains. The same chain appears in different tables; can they be used crosswise? No, the tables have different functions and cannot be mixed, but each table stores its own rules on the chain separately. What is the priority on each chain?
PREROUTING: 1 raw, 2 mangle, 3 nat.
INPUT: 1 mangle, 2 filter.
OUTPUT: 1 raw, 2 mangle, 3 nat, 4 filter.
FORWARD: 1 mangle, 2 filter.
POSTROUTING: 1 mangle, 2 nat.

With something like 500 rules, can we categorise the rules and use custom chains?
Yes: classes such as web, MySQL or SSH can each have a custom chain, but a custom chain must be called from a default chain by a jump action. With 500 rules, for example, rules 200-400 can be extracted into a custom chain; when the first 200 have been processed, rule 201 is the jump into the extracted chain, and if nothing there matches, control jumps back and continues down. What needs streamlining? For example, only the rules about access to web services are taken out on their own. Using custom chains is also a way to improve efficiency: only rules of the same kind go into a custom chain, the chain is called only when its function is needed, and if no rule in the custom chain matches there is a return mechanism. The user can delete a custom chain; the default chains cannot be removed. Each rule has two built-in counters: the number of messages matched by the rule and the sum of the sizes of the matched packets. A rule is matching criteria plus a handling action. To be continued...
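The tables, chains, priorities and custom-chain return mechanism described above, as an added example (my own Python model, not iptables itself and not from the original notes): the chain/table priority list above encoded as data, the three flows mapped to the hooks they cross, and a simplified filter table in which a built-in chain jumps into a user-defined WEB chain, falls back to the next rule when the user chain returns without a verdict, keeps the two per-rule counters, and refuses to delete built-in chains. The rule set and packets are constructed for the demo; packets are plain dicts, so matching is equality on the fields named in the rule.

```python
from dataclasses import dataclass, field
from typing import Optional

# The tables hooking each built-in chain, in the priority order given above.
HOOK_TABLE_ORDER = {
    "PREROUTING":  ["raw", "mangle", "nat"],
    "INPUT":       ["mangle", "filter"],
    "FORWARD":     ["mangle", "filter"],
    "OUTPUT":      ["raw", "mangle", "nat", "filter"],
    "POSTROUTING": ["mangle", "nat"],
}

# The three kinds of flow and the hooks each one passes.
FLOW_HOOKS = {
    "to-local":   ["PREROUTING", "INPUT"],
    "from-local": ["OUTPUT", "POSTROUTING"],
    "forwarded":  ["PREROUTING", "FORWARD", "POSTROUTING"],
}


def chains_of(table: str):
    """Which built-in chains a table can attach rules to."""
    return [hook for hook, tables in HOOK_TABLE_ORDER.items() if table in tables]


def traversal(flow: str):
    """The (chain, table) pairs a packet of this flow is checked against, in order."""
    return [(hook, table) for hook in FLOW_HOOKS[flow] for table in HOOK_TABLE_ORDER[hook]]


@dataclass
class Rule:
    match: dict          # matching criteria, e.g. {"proto": "tcp", "dport": 80}
    target: str          # ACCEPT / DROP / RETURN / name of a user-defined chain
    packets: int = 0     # the two built-in counters described above
    bytes: int = 0


@dataclass
class Chain:
    rules: list = field(default_factory=list)
    policy: Optional[str] = None   # only built-in chains have a default policy


class FilterTable:
    """Simplified model of the filter table: INPUT, FORWARD, OUTPUT plus user-defined chains."""

    def __init__(self, policy: str = "ACCEPT"):
        self.chains = {name: Chain(policy=policy) for name in chains_of("filter")}

    def new_chain(self, name: str):
        if name in self.chains:
            raise ValueError(f"chain {name} already exists")
        self.chains[name] = Chain()

    def delete_chain(self, name: str):
        if self.chains[name].policy is not None:
            raise ValueError("built-in chains cannot be deleted")
        if any(r.target == name for c in self.chains.values() for r in c.rules):
            raise ValueError(f"chain {name} is still referenced by a jump")
        del self.chains[name]

    def append(self, chain: str, match: dict, target: str):
        self.chains[chain].rules.append(Rule(match, target))

    def evaluate(self, chain_name: str, packet: dict) -> Optional[str]:
        """Walk a chain top to bottom; return the verdict, or None when a user chain returns."""
        chain = self.chains[chain_name]
        for rule in chain.rules:
            if not all(packet.get(k) == v for k, v in rule.match.items()):
                continue
            rule.packets += 1                       # counter 1: matched messages
            rule.bytes += packet["len"]             # counter 2: sum of matched packet sizes
            if rule.target == "RETURN":
                break
            if rule.target in self.chains:          # jump into a user-defined chain
                verdict = self.evaluate(rule.target, packet)
                if verdict is not None:
                    return verdict
                continue                            # it returned: keep going down this chain
            return rule.target                      # terminating target: ACCEPT, DROP, ...
        return chain.policy     # built-in: default policy; user chain: None = return


def build_demo_table() -> FilterTable:
    """Constructed rule set: SSH open, web traffic judged in a WEB class chain, rest dropped."""
    t = FilterTable(policy="DROP")
    t.new_chain("WEB")
    t.append("INPUT", {"proto": "tcp", "dport": 22}, "ACCEPT")
    t.append("INPUT", {"proto": "tcp", "dport": 80}, "WEB")
    t.append("INPUT", {"proto": "tcp", "dport": 3306}, "ACCEPT")
    t.append("WEB", {"src": "203.0.113.9"}, "DROP")
    t.append("WEB", {"src": "192.0.2.10"}, "ACCEPT")
    return t


if __name__ == "__main__":
    table = build_demo_table()
    pkt = {"proto": "tcp", "dport": 80, "src": "198.51.100.7", "len": 100}
    print(table.evaluate("INPUT", pkt), traversal("forwarded"))
```

A web packet from a source that matches nothing in WEB falls back into INPUT after the jump rule, is tested against the remaining rule, and ends at the chain's DROP policy; the jump rule's counters still record it, because the counters count matches of the rule, not final verdicts.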