| ip number |
Package agreement name (full name) |
| 1 |
icmp (internet control message protocol) |
| 2 |
igmp (internet group management protocol) |
| 3 |
ggp (gateway-to-gateway protocol) |
| 4 /p> |
ip (ip in ip encapsulation) |
| 6 |
tcp (transmission control protocol) |
| 8 |
egp (exteri Or gateway protocol) |
|
|
udp (user datagram p Rotocol) |
TCP packet is a Transmission Control protocol, is a reliable agreement, to three times handshake, after three handshake, each message transmission needs to be confirmed, one side told the other party, both the sending party randomly sent to the receiver, each time serial number on the basis of the first plus one, and the confirmation number is the receiver in the serial number plus one after the sender. but can not send one at a time, very slow, such as the film, a message one of the hair is very slow, so you have to send a batch, the receiving party to confirm, then how much? This occurs with the concept of sliding window, window size: Both sides are used to negotiate the size of the send, receive size. If it is too much, it will cause the message to be discarded. What if I drop it? We know that TCP is a reliable protocol, once discarded, not receiving the sending of the message, there will be no serial number of the sender, no serial number receiver will not give the sender to reply to the confirmation party, so the sender will be re-transmitted, the retransmission time is how much? There is a timer, the sender retransmission time has a standard because the TCP packet must be brought into the IP packet, so if the TCP data is too large (greater than the extent of the IP packet tolerance), it is necessary to fragment. This Sequence number is the sequential sequence of each packet, allowing the receiving side to re-assemble the TCP data. In order to confirm that the host side does receive the packet data sent by our client, our client certainly wants to receive the response from the host, which is the purpose of this acknowledge number. When the client side receives this confirmation code, it is able to determine that the previously delivered packet has been properly received. headerlength First Minister reserved reserved bit Eight there are currently 6 TCP flag bits & nbsp URG Emergency pointer 0 Invalid 1 effective ACK used to indicate whether the confirmation number is valid & nbsp PSH push, once used for push is absolutely unable to stay in the buffer, must be sent to the kernel immediately, requires kernel-first message RST reset reseT link jitter when not much to explain meaning to us little. If the RST is 1, the joint opportunity is immediately terminated without waiting for the termination confirmation. This means that this is a forced end of the online and the sending side is disconnected. SYN The first request for the establishment of a sync request is sent by the fin The first of the Sent links windows size Sliding window sizes Above serial number has been introduced ? Checksum (Confirm check code) urgent pointer optiondata for TCP data There may be application layer messages. A real message possible real data volume is very small, for a data the HTTP protocol of the application layer above, for TCP, the front is the data for encapsulation, for IP packet encapsulation, the front is the data. For Ethernet, the front is the data, frame header How these data can be converted to a network to send data format have the file format have Binary format tcp Three-time handshake Four ports different status three-time handshake a host with B host default everyone is closed state, TCP state The first message that the a host sends to the B host request is the active open from the closed. B host receives a first SYN request message from closed to lisetened State is passive open,  A host sends request message to Host B for the first time syn=1 &N bsp;ack=0 B host first reply to host a message because it is the first SYN must be 1 ack plus one SYN =1 ACK=1B host Sent to a host state from listen to SYN_RECD a Host receives the first reply of Host B from active open state to Syn_send status b receive a reply again becomes established & nbsp; finite state machine: All TCP status four disconnects client send message contains fin disconnect flag to send shutdown request called active shut-off party, active shut-off party send fin, active side becomes timewait1 Passive shut-off party from established response ACK . The passive side begins to enter closed wait for the passive shut-off party to send fin again to this between closedwait the active side is accepted to the passive side of the fin is timewait2 the reply ACK but it cannot be closed immediately Twice times the MSL time to closed the passive shut-off party to accept the ACK becomes closed This process state is last_ack these states are called TCP state transitions And the transfer mechanism of these States is called TCP's finite state machine through we know TCP firewall What is firewall: rules: matching standards working on the edge of the host or network, the data packets in and out, in accordance with the standard in the pre-defined rules A line check that, once a defined rule is triggered, a series of components that follow the actions defined by the rule. firewalls: Hardware software: Rules (matching standards approach)  &NBSP ; Fire protection is the rule Firewall is a framwork, framework. can be purely hardware can make pureThe level of software default rules: Full development  : Jam Ancient arresting portraits &NB Sp or full shutdown: Pass There are tokens available through rules: Match criteria IP:SIP DIP Tcp:sport dport can also be tagged according to the flag bit tag match &N BSP; For example first time syn=1 ack=0 rst=0 fin=0 Second handshake syn=1 ack=1 fin=0 rst=0 Third handshake that is established ack=1 S Yn=0 rst=0 fin=0 udp:sport DPORT & nbsp icmp:icmp_type Using message tokens, such as ping Gateway unreachable Host not in line request Timeout host cannot parse & nbsp Filtering of incoming and outgoing messages according to the matching criteria is a firewall data packet filtering Linux kernel for network functions, Rules can not be placed in the user space, so is in the kernel, but the user can not deal with the kernel, so someone chose such a mechanism, in the TCP/IP implementation of the location, these positions are open, open to the user space of a command, this command abbreviation of the rules will be immediately sent to the kernel tcp/ The number of locations of the IP protocol stack. User-designed commands A location with the kernel, these two kernel-called working frameworks, commands called user management tools, Set up a mechanism in the kernel, This mechanism produces several system calls these systems fall out of a particular application to complete the system call. Of course, not all applications can deal with the kernel. Some mechanisms can be achieved, such as mkdir can deal with the hard disk kernel mechanism Linux 2.0 reference OpenBSD porting command ipfw/mechanism firewall linux2.2 Commands ipchain/firewall Linux 2.4   ; iptables/netfilter for 2.4 NetFilter is the place where the kernel can square the rules And iptables is the command application that can generate system calls, placing rules in the kernel iptales is comprised of four 5-table chains So we filter the places where messages must be placed First IP packet through the Ethernet card, to unpack the frame, to the TCP stack processing, first to see the IP header, the source IP destination IP, is the machine sent to the machine, not the machine needs to be forwarded, such as we turn on the native forwarding function/proc/sys/net/ipv/ip _forward messages that are forwarded natively will not allow the TCP IP stack to be forwarded to the native yoghurt space to deal with the application. How many kinds of flow are there? 3 seed Flow packet   1 from outside to local internal, 2 requests from inside the internal machine 3 from outside to forward to outside In these three locations must go through a location TCP/IP protocol stack has a routing table for routing decisions as long as the access to the local network card packets, first of all Yao Lu by the decision is to enter into the internal or forward. These locations are several hook functions hocks:function Hook functions Any messages passing through these positions are to be beaten by hooks and then executed once they are satisfied. In fact, there are two locations. The hook function is the change that is made before the routing table decision is made before the exit Nic goes out before it is sent out after the access card has been routed. Route conversion When there is a net reply table in the internal router transformation is the message just entered the machine's flash will be changed, otherwise if not change the routing decision has been decided, do not have to wait out the time to come and change, hock function: Hook functions prerouting &NB Sp input output forward postrouting can place rules in each hook position function, rules are more like chains, so there are five rule chains regular chain: prerouting &N Bsp   INPUT output forward Postrouting filter ( Filter function): Table These three chains of this feature are equivalent to tables So commands are called iptables INPUT&NBS P output Forward nat (address conversion): & nbsp prerouting OUTPUT chain can also be implemented & nbsp postrouting There are actually two tables mangle (take the message apart, and then sew it up): The other headers of the main modification message such as TTL value can be performed on five chains & nbsp prerouting input output &NB Sp forward Postroutingrow (no changes, revert to original): The table is neither internal nor forwarded, nothing is done can only be placed on two links prerouting output& nbsp; Summary: Iptales is composed of four tables 5 chains as on the same chain can prevent different tables, that can, cross-use it? No, the functions of these tables are not the same, they can not be put although can not be cross-stored, but the class may be stored separately. what is the priority? Prerouting:1 Raw 2 mangle 3 natinput:1 mangle 2 filteroutput:1 Raw 2 mangle 3 Nat 4filterforward:1 M Angle 2 filterpostrouting:1 mangle 2 nat like 500 rules can we categorize the rules and use custom chains? such as Web classes and MySQL classes or SSH classes can be customized, but must be the default chain is called after the custom send action such as 500 too many, Extract such as 200-400, when the front 200 processing 201, jump action, to extract, if not matched to, and then jump back, continue to go down What needs to be streamlined? For example, only those who have access to Web services are independent, Use of custom chains is also a &nb to improve efficiency Sp Only those of the same kind can so can use the custom chain, but can only be called when the function, and if there is no custom connected to the rule matching, there will be a return mechanism. User can delete a custom space love Default chain cannot be removed each rule has two built-in counters The number of messages that are matched to a record A record is matched by the sum of the size of the packet rules: matching criteria, handling actions not to be continued ....
Iptables IP Packet TCP message TCP three-time handshake four-port finite state machine State transfer
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
