Iptables: IP packets, TCP segments, the TCP three-way handshake, the four-way close, and the finite state machine of TCP state transitions

Source: Internet
Author: User

Linux network firewall. Netfilter is a framework inside the kernel; iptables is the user-space tool that generates the packet-filtering, NAT and mangle rules the framework applies. Before the rules, some network background is needed: the IP packet header and the TCP segment header.

IP header fields:

Header length (HDR Len): 4 bits, counted in 32-bit words, so the value must be multiplied by 32/8 = 4 to get bytes. A header without options is 20 bytes; the maximum is 60.

Type of service: the service type requested for the packet.

Total length: the total length of the packet, header and data section included; the field is 16 bits, so a packet is at most 65535 bytes. Total length minus header length is the data length, i.e. the length of the TCP segment or UDP datagram inside, which in turn carries the application-layer message (HTTP, for example).

Identification: the fragment identifier. Different links on the path support different maximum sizes. Host A sends a 1500-byte packet to a router whose next link only carries 500 bytes, so that router splits the packet into fragments; the next router (which may support 1500 bytes again) or the destination host recognises that the fragments belong to the same original packet because they all carry the same identification value.

MF (more fragments): set on every fragment except the last, so the receiver knows more pieces follow.

DF (don't fragment): the sender forbids fragmentation. A router whose link cannot carry the packet whole does not fragment it; it drops the packet and reports back to the sender with an ICMP error.

Fragment offset: where this fragment's data sits in the original packet, e.g. the first fragment covers bytes 1-100 and the second starts at byte 101 (the field counts in units of 8 bytes).

Time to live (TTL): a packet must not roam the Internet forever, so it carries a lifetime in the range 0-255. Each router that forwards the packet decrements the TTL by one; when the TTL reaches 0 the packet is discarded. To tell the truth, getting an IP packet through 255 routers would be hard anyway.
Protocol number: the data carried by the IP packet is either a TCP segment or a UDP datagram (only one of the two), or something else such as ICMP, the Internet Control Message Protocol, which rides directly on IP and is often described as "layer three and a half": not a transport-layer protocol, but not plain network layer either. Because data from the transport layer and the network layer's own control messages are both placed inside IP packets, the IP header must record what kind of data this packet carries, and this field is where that is recorded. The codes used in this field and the associated protocol names are as follows:

IP protocol number   Protocol name (full name)
1                    ICMP (Internet Control Message Protocol)
2                    IGMP (Internet Group Management Protocol)
3                    GGP (Gateway-to-Gateway Protocol)
4                    IP (IP-in-IP encapsulation)
6                    TCP (Transmission Control Protocol)
8                    EGP (Exterior Gateway Protocol)
17                   UDP (User Datagram Protocol)

Header checksum: a checksum over the IP header only (every router recomputes it, since the TTL changes at each hop). Source address: the IP address the packet came from; the field is 32 bits, which is where the 32-bit size of an IPv4 address comes from. Destination address: a source needs a target, and this is the destination IP. Options: additional features such as security handling, record route, timestamp, and strict or loose source routing. Padding: the options are variable in length, but the header must be a whole number of 32-bit words, so padding fills the remainder when the options do not end on that boundary. For the purposes of these notes, it is enough to know that the IP header contains the TTL, the protocol number, and the source and destination addresses: the source and destination IP, together with the TTL (how many routers the packet may still cross), determine how the packet is routed to its destination. The composition and scope of IP addresses and the routing mechanism are covered in later sections.

Numerous upper-layer application protocols are encapsulated in TCP (or UDP) and must be told apart again. Actual communication is between two processes, not two hosts, and IP cannot see processes, so TCP and UDP carry port numbers: 16 bits, range 0-65535. On a typical Linux host, ports below 1024 (0-1023) are privileged and can only be bound by the administrator; other users cannot use them. On BSD-derived hosts, the ports a client uses when connecting to a server traditionally start above 5000. On Linux everything is a file, so opening a port means opening a socket, which is accessed through a file descriptor. Next, the TCP segment.

TCP segment header: source port and destination port. What is a port? IP addresses connect the two hosts, but where does the connection actually end? At a port. The destination and source ports are arguably the most important parameters in a TCP segment. Sequence number and acknowledgement number: described next.


TCP, the Transmission Control Protocol, is a reliable protocol. A connection begins with a three-way handshake, and after it every segment that carries data must be acknowledged by the other side. Each side chooses a random initial sequence number; the SYN itself consumes one sequence number, so the acknowledgement of a SYN carrying sequence number x is x+1 (this is the "plus one" in the handshake). Once data flows, the sequence number advances by the number of bytes sent, and the acknowledgement number is the next byte the receiver expects.

Sending one segment at a time and waiting for its acknowledgement is far too slow (think of a film sent segment by segment), so a batch of segments is sent before the acknowledgement arrives. How large a batch? That is the sliding window: the window size field is how the two sides tell each other how much may be sent before waiting, i.e. how they negotiate send and receive buffer sizes. Sending more than the window overflows the receiver's buffer and the excess is discarded. What if a segment is discarded or lost? TCP is reliable: a segment that never arrives is never acknowledged, and the sender keeps a retransmission timer for outstanding data, so when the timer expires without an acknowledgement the data is sent again. The retransmission timeout is not a fixed constant; the standard derives it from measured round-trip times.

Because every TCP segment is carried inside an IP packet, TCP splits the application's byte stream into segments small enough to fit (the maximum segment size), which avoids IP-level fragmentation. The sequence number gives the position of each segment's first byte in the stream, so the receiving side can put segments back in order and reassemble the data. To confirm that the server really received what our client sent, the client expects a response carrying the acknowledgement number; once it receives it, it knows the previously delivered data arrived correctly.
Header length: 4 bits, in 32-bit words, so 20 bytes without options and up to 60 with them.
Reserved: 6 bits in the original specification (RFC 793); later standards reassigned three of them for explicit congestion notification.
Flag bits (six):
  URG: the urgent pointer is valid (0 invalid, 1 valid).
  ACK: the acknowledgement number is valid.
  PSH: push; data flagged this way should be handed to the receiving application immediately rather than left in the receive buffer.
  RST: reset. Seen when a connection is refused or a link is flapping; not much to explain. If RST is 1 the connection is terminated immediately without the normal termination exchange: a forced end, and the side that sent it is gone.
  SYN: synchronise; set on the first segment of a connection request.
  FIN: finish; the sender has no more data to send, which starts the close.
Window size: the sliding window introduced above.
Checksum: covers the TCP header and data (plus a pseudo-header with the IP addresses).
Urgent pointer: used with URG.
Options: variable-length options, then data.
Data: the application-layer message, if any; a real segment may carry very little data.

Encapsulation: for HTTP at the application layer, the HTTP message is TCP's data and a TCP header goes in front; the TCP segment is the IP packet's data and an IP header goes in front; the IP packet is the Ethernet frame's data and a frame header goes in front. Whether the application's data is text or binary makes no difference to the layers below; to them it is just payload to be put on the wire.

TCP's three-way handshake and four-way close are described in terms of the states each side passes through (each port, i.e. each connection endpoint, has a state). Both sides start in the CLOSED state. The first segment that host A sends to host B to request a connection is A's active open from CLOSED.
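The IPv4 and TCP header walk-through above, worked through in code. This is an added example for these notes, not code from the original page: it builds a few packets by hand (constructed data, not captures), parses the fields discussed (header length in 32-bit words, total length, DF/MF and fragment offset, TTL, protocol number, header checksum, ports, sequence and acknowledgement numbers, the six flag bits), and classifies the flag pattern the way a firewall match such as iptables "--tcp-flags SYN,ACK,FIN,RST SYN" would. Addresses and port numbers are invented.

```python
"""IPv4 and TCP header parsing plus flag-pattern matching (added example)."""
import struct

# Protocol numbers from the table above.
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 3: "GGP", 4: "IP-in-IP",
                6: "TCP", 8: "EGP", 17: "UDP"}

# The six RFC 793 flag bits of the TCP header.
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def ip_checksum(hdr: bytes) -> int:
    """Ones-complement sum of 16-bit words; zero over a full header means valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    hdr_len = (vihl & 0x0F) * 4               # IHL counts 32-bit words
    if hdr_len < 20 or total_len < hdr_len or len(pkt) < total_len:
        raise ValueError("bad length fields")
    return {
        "hdr_len": hdr_len, "tos": tos, "total_len": total_len,
        "data_len": total_len - hdr_len,      # length of the TCP/UDP payload
        "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # field counts 8-byte units
        "ttl": ttl, "proto": proto,
        "proto_name": IP_PROTOCOLS.get(proto, "unknown"),
        "checksum_ok": ip_checksum(pkt[:hdr_len]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": pkt[20:hdr_len], "payload": pkt[hdr_len:total_len],
    }


def parse_tcp(seg: bytes) -> dict:
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_flags, window,
     csum, urg) = struct.unpack("!HHIIHHHH", seg[:20])
    data_off = (off_flags >> 12) * 4          # header length in 32-bit words
    if data_off < 20 or data_off > len(seg):
        raise ValueError("bad data offset")
    bits = off_flags & 0x3F                   # the six classic flag bits
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "hdr_len": data_off,
        "flags": {name: bool(bits & bit) for name, bit in TCP_FLAG_BITS.items()},
        "window": window, "checksum": csum, "urgent_ptr": urg,
        "options": seg[20:data_off], "data": seg[data_off:],
    }


def tcp_flags_match(flags: dict, mask, comp) -> bool:
    """Like iptables --tcp-flags MASK COMP: of the flags in MASK, exactly COMP are set."""
    return all(flags[f] == (f in comp) for f in mask)


HANDSHAKE_MASK = ("SYN", "ACK", "RST", "FIN")


def handshake_stage(flags: dict) -> str:
    """Classify a segment by the three handshake flag patterns used in rules."""
    if tcp_flags_match(flags, HANDSHAKE_MASK, {"SYN"}):
        return "1:SYN"
    if tcp_flags_match(flags, HANDSHAKE_MASK, {"SYN", "ACK"}):
        return "2:SYN+ACK"
    if tcp_flags_match(flags, HANDSHAKE_MASK, {"ACK"}):
        return "3:ACK"                        # also every established-data segment
    if flags["RST"]:
        return "RST"
    if flags["FIN"]:
        return "FIN"
    return "other"


def _addr(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def build_packet(src, dst, sport, dport, seq, ack, flag_names,
                 payload=b"", ttl=64, df=True, ident=0x1234) -> bytes:
    """Build a minimal IPv4+TCP packet (constructed demo data, no TCP checksum)."""
    tcp_flags = sum(TCP_FLAG_BITS[f] for f in flag_names)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | tcp_flags, 65535, 0, 0) + payload
    frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, frag,
                      ttl, 6, 0, _addr(src), _addr(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + tcp


if __name__ == "__main__":
    for flags in (["SYN"], ["SYN", "ACK"], ["PSH", "ACK"], ["RST"]):
        ip = parse_ipv4(build_packet("10.0.0.1", "10.0.0.2", 40000, 80, 1000, 0, flags))
        print(ip["proto_name"], ip["ttl"], handshake_stage(parse_tcp(ip["payload"])["flags"]))
```

The flag classifier checks the same four bits a firewall rule examines (SYN, ACK, RST, FIN) and ignores PSH/URG, which is why a data segment with PSH set still counts as the established pattern; a rule that wants only the first handshake segment must test all four bits, not just "SYN set".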
Three-way handshake between host A and host B: B must first perform a passive open, going from CLOSED to LISTEN, so that it is waiting for connection requests. A sends the first segment to B with SYN=1 and ACK=0 (carrying A's initial sequence number); A moves from CLOSED to SYN_SENT, the active open. B receives the SYN and sends its first reply: because it answers a SYN, SYN must be 1, and ACK=1 with the acknowledgement number equal to A's sequence number plus one, together with B's own initial sequence number; B moves from LISTEN to SYN_RCVD. A receives B's reply, moves from SYN_SENT to ESTABLISHED, and sends the third segment, ACK=1 acknowledging B's sequence number plus one. When B receives that acknowledgement it too becomes ESTABLISHED.

Finite state machine: all the TCP states are CLOSED, LISTEN, SYN_SENT, SYN_RCVD, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, CLOSE_WAIT, CLOSING, LAST_ACK and TIME_WAIT.

Four-way close: the side that first sends a segment with the FIN flag is the active closer. On sending FIN it goes from ESTABLISHED to FIN_WAIT_1. The passive closer receives the FIN, replies with an ACK, and goes from ESTABLISHED to CLOSE_WAIT; it may still send remaining data in that state. The active closer receives the ACK and moves to FIN_WAIT_2. When the passive side is done it sends its own FIN and enters LAST_ACK. The active side receives that FIN, replies with an ACK, and enters TIME_WAIT; it cannot close immediately but must wait twice the maximum segment lifetime (2*MSL) before going to CLOSED, so that a lost final ACK can be retransmitted and stray segments from this connection die out. The passive side receives the ACK and goes from LAST_ACK to CLOSED. These movements between states are called TCP state transitions, and the mechanism that governs them is TCP's finite state machine.

With TCP understood, on to the firewall. What is a firewall? Rules are matching criteria plus an action. A firewall works at the edge of a host or network; every packet going in or out is checked, in order, against the predefined rules, and once a rule matches, the action defined by that rule is carried out. A firewall may be hardware or software; in software it is the rules (match criteria and handling action) plus the component that applies them. The protection comes from the rules; the firewall itself is a framework.
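The TCP state transitions described above, as a runnable model. This is an added example, not code from the original notes: it encodes the RFC 793 state diagram as a transition table (states, events, and the segment each transition sends back) and drives two endpoints through the three-way handshake, the client-initiated four-way close with its 2*MSL wait, and a refused connection answered by RST. Sequence numbers, timers and retransmission are deliberately left out; only the state machine is modelled.

```python
"""TCP connection state machine (added example)."""

CLOSED, LISTEN, SYN_SENT, SYN_RCVD, ESTABLISHED = (
    "CLOSED", "LISTEN", "SYN_SENT", "SYN_RCVD", "ESTABLISHED")
FIN_WAIT_1, FIN_WAIT_2, CLOSE_WAIT, CLOSING, LAST_ACK, TIME_WAIT = (
    "FIN_WAIT_1", "FIN_WAIT_2", "CLOSE_WAIT", "CLOSING", "LAST_ACK", "TIME_WAIT")

# (current state, event) -> (next state, segment sent back or None)
TRANSITIONS = {
    (CLOSED, "passive_open"):    (LISTEN, None),
    (CLOSED, "active_open"):     (SYN_SENT, "SYN"),
    (CLOSED, "recv:SYN"):        (CLOSED, "RST"),         # nobody listening
    (LISTEN, "recv:SYN"):        (SYN_RCVD, "SYN+ACK"),
    (SYN_SENT, "recv:SYN+ACK"):  (ESTABLISHED, "ACK"),
    (SYN_SENT, "recv:SYN"):      (SYN_RCVD, "SYN+ACK"),   # simultaneous open
    (SYN_RCVD, "recv:ACK"):      (ESTABLISHED, None),
    (ESTABLISHED, "close"):      (FIN_WAIT_1, "FIN"),     # active close
    (ESTABLISHED, "recv:FIN"):   (CLOSE_WAIT, "ACK"),     # passive close
    (FIN_WAIT_1, "recv:ACK"):    (FIN_WAIT_2, None),
    (FIN_WAIT_1, "recv:FIN"):    (CLOSING, "ACK"),        # simultaneous close
    (FIN_WAIT_2, "recv:FIN"):    (TIME_WAIT, "ACK"),
    (CLOSING, "recv:ACK"):       (TIME_WAIT, None),
    (CLOSE_WAIT, "close"):       (LAST_ACK, "FIN"),
    (LAST_ACK, "recv:ACK"):      (CLOSED, None),
    (TIME_WAIT, "timeout:2MSL"): (CLOSED, None),
}
# RST aborts a connection outright: no FIN exchange, no TIME_WAIT.
for _state in (SYN_SENT, SYN_RCVD, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2,
               CLOSE_WAIT, CLOSING, LAST_ACK):
    TRANSITIONS[(_state, "recv:RST")] = (CLOSED, None)
TRANSITIONS[(LISTEN, "recv:RST")] = (LISTEN, None)       # a listener ignores RST


class TcpEndpoint:
    def __init__(self, name):
        self.name, self.state, self.history = name, CLOSED, [CLOSED]

    def can_handle(self, event) -> bool:
        return (self.state, event) in TRANSITIONS

    def handle(self, event):
        """Apply one event; return the segment this side sends, if any."""
        if not self.can_handle(event):
            raise ValueError(f"{self.name}: {event} is not valid in {self.state}")
        nxt, out = TRANSITIONS[(self.state, event)]
        if nxt != self.state:
            self.history.append(nxt)
        self.state = nxt
        return out


def deliver(receiver, segment):
    """Hand a segment to the peer; return the peer's reply segment, if any."""
    return receiver.handle("recv:" + segment) if segment else None


def simulate_connection():
    """Handshake, then a client-initiated four-way close; returns both histories."""
    client, server = TcpEndpoint("client"), TcpEndpoint("server")
    server.handle("passive_open")            # LISTEN before the SYN arrives
    seg = client.handle("active_open")       # SYN        (handshake 1)
    seg = deliver(server, seg)               # SYN+ACK    (handshake 2)
    seg = deliver(client, seg)               # ACK        (handshake 3)
    deliver(server, seg)                     # server ESTABLISHED
    seg = client.handle("close")             # FIN        (close 1)
    seg = deliver(server, seg)               # ACK        (close 2)
    deliver(client, seg)                     # client FIN_WAIT_2
    seg = server.handle("close")             # FIN        (close 3)
    seg = deliver(client, seg)               # ACK        (close 4)
    deliver(server, seg)                     # server CLOSED
    client.handle("timeout:2MSL")            # TIME_WAIT -> CLOSED
    return client.history, server.history


def simulate_refused():
    """SYN to a port with no listener: answered by RST, no handshake happens."""
    client, server = TcpEndpoint("client"), TcpEndpoint("server")
    seg = client.handle("active_open")
    seg = deliver(server, seg)               # RST from CLOSED
    deliver(client, seg)                     # SYN_SENT -> CLOSED
    return client.history, server.history


if __name__ == "__main__":
    for side, history in zip(("client", "server"), simulate_connection()):
        print(side, " -> ".join(history))
```

Note that the server must already be in LISTEN when the SYN arrives; a SYN to a CLOSED endpoint is answered with RST, which is what "connection refused" looks like on the wire.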
A firewall can be purely hardware or purely software. Default policy: either fully open, and block specific things (like an old wanted poster: everyone passes except those named), or fully closed, and pass specific things (only those holding a token get through). Rules are matching criteria:
  IP: source IP, destination IP.
  TCP: source port, destination port; the flag bits can be matched as well. For example the first handshake segment has syn=1 ack=0 rst=0 fin=0; the second has syn=1 ack=1 fin=0 rst=0; the third, and every segment of an established connection, has ack=1 syn=0 rst=0 fin=0.
  UDP: source port, destination port.
  ICMP: the ICMP type, i.e. the message kind, such as echo request (ping), destination or host unreachable, time exceeded, and so on.
Filtering incoming and outgoing packets according to such matching criteria is what a firewall does: packet filtering.

Network functions live in the Linux kernel, and rules cannot be applied from user space, so the rules must be in the kernel too. But users cannot touch the kernel directly, so a mechanism was chosen: at a few fixed positions in the kernel's TCP/IP implementation, hooks are opened, and a user-space command is provided whose rules are sent straight to those positions in the kernel's TCP/IP protocol stack. So there are two parts: the kernel-side working framework, and the user-side management command. The mechanism built into the kernel exposes a small number of system calls, and a particular application uses those system calls to complete the job; of course, not every application is allowed to deal with the kernel this way.
Other mechanisms work the same way; mkdir, for example, is the command that asks the kernel to touch the file system on disk. The firewall pairs of command and kernel mechanism over time:
  Linux 2.0: command ipfwadm (ported from BSD's ipfw), mechanism "firewall"
  Linux 2.2: command ipchains, mechanism "firewall"
  Linux 2.4: command iptables, mechanism netfilter
From 2.4 on, netfilter is the place in the kernel where rules can be installed, and iptables is the command that makes the system calls to put rules there. iptables is built from four tables and five chains. Where must the filtering points be? An IP packet arrives through the Ethernet card, the frame is unpacked, and the packet is handed to the TCP/IP stack, which first looks at the IP header: source IP and destination IP. If the packet is addressed to this machine it is delivered locally; if not, it must be forwarded, provided forwarding is enabled (/proc/sys/net/ipv4/ip_forward). A packet that is forwarded is never handed to a local application in user space. How many kinds of flow are there? Three:
  1. from outside to a local process on this host;
  2. from a local process on this host to outside;
  3. from outside, forwarded through this host, to outside.
All three pass through a routing decision: the TCP/IP stack holds a routing table, and as soon as a packet comes in through a network card the routing decision determines whether it goes to a local process or is forwarded. The positions where rules are applied are implemented as hook functions: any packet passing such a position is caught by the hook, checked against the rules, and, once a rule matches, handled as that rule says. The positions are: right after the packet enters the network card, before the routing decision; after the routing decision, for packets destined to this host; for packets being forwarded; for locally generated packets, before their routing decision; and just before a packet leaves through the network card.
Why two positions around the routing decision? When this host rewrites addresses (NAT), a change of destination address must be made the moment the packet enters, before the routing decision, because the routing decision is made on the destination; changing it afterwards would be too late. A change of source address, on the other hand, is made just before the packet leaves, after routing has already been decided.

Hook functions:
  PREROUTING
  INPUT
  OUTPUT
  FORWARD
  POSTROUTING
Rules can be placed at each hook position, and the rules at one position are walked one after another like links of a chain, so there are five rule chains, named after the hooks: PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING. Chains are grouped by function into tables, which is why the command is called iptables:
  filter (packet filtering): INPUT, OUTPUT, FORWARD
  nat (address translation): PREROUTING, POSTROUTING, and OUTPUT (for locally generated packets)
  mangle (take the packet apart and sew it back up, i.e. modify other header fields such as the TTL): all five chains, PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING
  raw (leave the packet unchanged, mainly to mark it so that later processing such as connection tracking is skipped): only two chains, PREROUTING and OUTPUT
Summary: iptables consists of four tables and five chains. The same chain name appears in several tables; can rules from different tables be mixed into one chain? No, the tables do different jobs and their rules are stored separately, even though, say, PREROUTING exists in raw, mangle and nat alike.
What is the priority when one hook carries several tables? The order in which the tables are consulted:
  PREROUTING:  1 raw, 2 mangle, 3 nat
  INPUT:       1 mangle, 2 filter
  OUTPUT:      1 raw, 2 mangle, 3 nat, 4 filter
  FORWARD:     1 mangle, 2 filter
  POSTROUTING: 1 mangle, 2 nat

With something like 500 rules, can the rules be categorised into custom chains, such as a web class, a MySQL class or an SSH class? Yes, but a custom chain is only consulted when a rule in a built-in chain jumps to it. Suppose 500 rules are too many and rules 200-400 are extracted into a custom chain: after rule 200 has been processed, rule 201 is the jump; evaluation continues inside the custom chain, and if nothing there matches it jumps back and continues below the jump rule in the calling chain. What should be extracted? For example, only the rules concerning access to the web service, kept together and separate from everything else. Custom chains also improve efficiency, since a packet only visits the chain whose class it belongs to; only rules of the same kind should go into one custom chain. So custom chains can be used, but only by being called from a built-in chain, and when no rule in the custom chain matches there is a return mechanism back to the caller. A user can delete a custom chain they created; the default (built-in) chains cannot be removed. Each rule has two built-in counters: the number of packets that have matched the rule, and the total size in bytes of the packets that matched. Rules are matching criteria plus a handling action.

To be continued ....
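The hook and table order, the three flows, the custom-chain jump with its implicit return, and the two per-rule counters, modelled in Python as an added example. This is not the kernel's code and not code from the original notes; it is a user-space model of how a packet walks the chains. The iptables commands in the rule strings are what each model rule stands for, and the addresses, ports and packets are invented for the demonstration.

```python
"""Netfilter hook/table traversal and iptables chain evaluation (added example)."""
import ipaddress

# Tables consulted at each hook, in priority order (raw, mangle, nat, filter).
HOOK_TABLES = {
    "PREROUTING":  ["raw", "mangle", "nat"],
    "INPUT":       ["mangle", "filter"],
    "FORWARD":     ["mangle", "filter"],
    "OUTPUT":      ["raw", "mangle", "nat", "filter"],
    "POSTROUTING": ["mangle", "nat"],
}
# The three flows and the hooks each one passes through.
FLOWS = {
    "inbound":  ["PREROUTING", "INPUT"],
    "outbound": ["OUTPUT", "POSTROUTING"],
    "forward":  ["PREROUTING", "FORWARD", "POSTROUTING"],
}
BUILTIN = {"filter": ["INPUT", "FORWARD", "OUTPUT"],
           "nat": ["PREROUTING", "OUTPUT", "POSTROUTING"],
           "mangle": list(HOOK_TABLES), "raw": ["PREROUTING", "OUTPUT"]}


def classify_flow(pkt, local_addrs, ip_forward):
    """The routing decision: locally generated, local delivery, forward, or drop."""
    if pkt["src"] in local_addrs:
        return "outbound"
    if pkt["dst"] in local_addrs:
        return "inbound"
    return "forward" if ip_forward else "drop"   # ip_forward=0: never reaches FORWARD


def traversal(flow):
    """(hook, table) pairs a packet of this flow is checked against, in order."""
    return [(hook, table) for hook in FLOWS[flow] for table in HOOK_TABLES[hook]]


class Rule:
    def __init__(self, match, target, text):
        self.match, self.target, self.text = match, target, text
        self.packets = self.bytes = 0            # the two built-in counters


class Table:
    TERMINAL = {"ACCEPT", "DROP", "REJECT"}

    def __init__(self, name):
        self.name = name
        self.policy = {c: "ACCEPT" for c in BUILTIN[name]}   # iptables -P chain X
        self.chains = {c: [] for c in BUILTIN[name]}

    def new_chain(self, name):                   # iptables -t T -N name
        if name in self.chains:
            raise ValueError("chain exists")
        self.chains[name] = []

    def can_delete_chain(self, name) -> bool:    # iptables -X needs empty + unreferenced
        if name in BUILTIN[self.name] or name not in self.chains:
            return False
        referenced = any(r.target == name for rules in self.chains.values() for r in rules)
        return not self.chains[name] and not referenced

    def delete_chain(self, name):                # iptables -t T -X name
        if not self.can_delete_chain(name):
            raise ValueError("built-in, non-empty or still referenced")
        del self.chains[name]

    def append(self, chain, match, target, text):   # iptables -t T -A chain ... -j target
        if target not in self.TERMINAL | {"RETURN"} and target not in self.chains:
            raise ValueError("unknown target " + target)
        self.chains[chain].append(Rule(match, target, text))

    def evaluate(self, chain, pkt):
        """Walk a chain; a custom chain that runs off its end returns None (implicit RETURN)."""
        for rule in self.chains[chain]:
            if not rule.match(pkt):
                continue
            rule.packets += 1
            rule.bytes += pkt["len"]
            if rule.target in self.TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                break
            verdict = self.evaluate(rule.target, pkt)   # jump into the custom chain
            if verdict is not None:
                return verdict                          # otherwise continue after the jump
        return self.policy.get(chain)                   # built-in: policy; custom: None


def in_net(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p["src"]) in net


def demo_filter_table():
    """filter/INPUT with default DROP, SSH decided by a custom chain, web open."""
    f = Table("filter")
    f.policy["INPUT"] = "DROP"                   # iptables -P INPUT DROP
    f.new_chain("ssh_in")                        # iptables -N ssh_in
    f.append("INPUT", lambda p: p["proto"] == "tcp" and p["dport"] == 22,
             "ssh_in", "-A INPUT -p tcp --dport 22 -j ssh_in")
    f.append("INPUT", lambda p: p["proto"] == "tcp" and p["dport"] == 80,
             "ACCEPT", "-A INPUT -p tcp --dport 80 -j ACCEPT")
    f.append("ssh_in", in_net("10.0.0.0/8"),
             "ACCEPT", "-A ssh_in -s 10.0.0.0/8 -j ACCEPT")
    return f


def run_input(table, pkts):
    return [table.evaluate("INPUT", p) for p in pkts]


if __name__ == "__main__":
    print(traversal("forward"))
```

An SSH packet from outside 10.0.0.0/8 is counted by the jump rule, enters ssh_in, matches nothing there, returns to INPUT, fails the port-80 rule and falls to the DROP policy: the same packet increments the jump rule's counters but not the custom chain's. Deleting ssh_in is refused while it still holds rules or while INPUT still jumps to it, as iptables -X would refuse.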
