In the study and analysis of network security the firewall is often emphasized. Its basic function is filtering: it can block the transfer of data (packets) between the local network, or part of it, and the Internet. A packet is a piece of data that carries the information needed to deliver it to its destination. You can think of a packet as a parcel: the payload is the contents of the parcel, and the envelope is the header information used to route it to the correct machine and the correct program, including the return address. In doing its filtering work, the firewall takes over the routing that previously carried traffic from the internal network out to the Internet and from the Internet into the internal network.
Our impression is that early firewalls were designed to filter out illegitimate packets; why else would one kind be called a packet-filtering firewall? Since then its functions have grown: it can not only filter packets but also perform network address translation, act as a proxy, and so on. In the Linux 2.4 kernel the firewall is implemented by netfilter.
As for where a firewall sits, my understanding is that it is either installed on a single machine as a personal firewall, or installed on one machine that serves as the gateway for a LAN; the latter case is shown in the following illustration:
This diagram summarizes the structure of the netfilter framework installed on the gateway, and from it you can see the path a packet may take. The boxes marked [] are called checkpoints: when a packet reaches one of these points it stops for some checking. The checkpoint names used here are the names from iptables; in netfilter itself they correspond to what are called hook functions.
netfilter has the following three basic features:
1. Packet filtering (filter table)
2. Network address translation (NAT table)
3. Packet processing (mangle table)
The five checkpoints above are grouped according to these three features. Each feature corresponds to a table in netfilter, and each checkpoint holds several matching rules which together form a chain, hence the saying: "netfilter is the container of the tables, a table is the container of chains, and a chain is the container of rules."
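As an added example (not code from the article), the following shell script writes out a LAN-gateway ruleset in iptables-restore format with one section per table named above: filter, nat and mangle. The built-in chains declared with ':' at the top of each section are the checkpoints; the mangle section declares all five of them (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING), while the filter table only has INPUT, FORWARD and OUTPUT. The interface names and the LAN prefix are assumed values, not taken from the article. The script prints the ruleset rather than loading it, so it can be reviewed offline; as root it would be loaded with `gateway_ruleset | iptables-restore`.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Emits an iptables-restore ruleset for a LAN gateway with one section per
# netfilter table (filter, nat, mangle) and prints it instead of loading it.
# Interface names and the LAN prefix are assumptions; override them via the
# environment if needed.
LAN_IF="${LAN_IF:-eth1}"                 # assumed: interface facing the LAN
WAN_IF="${WAN_IF:-eth0}"                 # assumed: interface facing the Internet
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed: LAN address prefix

# gateway_ruleset: print the whole ruleset. Built-in chains (the checkpoints)
# are declared with ':' lines, rules with '-A', and each table ends in COMMIT.
gateway_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -o $WAN_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
EOF
}

# chains_in TABLE: list the built-in chains (checkpoints) declared in one table.
chains_in() {
    gateway_ruleset | awk -v t="*$1" '
        $0 == t     { on = 1; next }
        /^COMMIT/   { on = 0 }
        on && /^:/  { print substr($1, 2) }'
}

# count_rules TABLE: number of -A rules in one table section.
count_rules() {
    gateway_ruleset | awk -v t="*$1" '
        $0 == t     { on = 1; next }
        /^COMMIT/   { on = 0 }
        on && /^-A/ { n++ }
        END         { print n + 0 }'
}

# Print the ruleset followed by a per-table summary of chains and rule counts.
gateway_ruleset
for t in filter nat mangle; do
    echo "# $t: $(count_rules "$t") rules; chains: $(chains_in "$t" | tr '\n' ' ')"
done
```

The filter table's INPUT and FORWARD chains default to DROP, so only the listed rules let traffic through: the loopback interface, replies to established connections, SSH from the LAN side, and LAN-to-Internet forwarding. The nat table's POSTROUTING rule performs the address translation for the LAN, and the mangle rule adjusts TCP MSS on forwarded connections, which is the kind of packet processing that table exists for.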