Netfilter for Linux Firewall

Source: Internet
Author: User

About Netfilter

The Linux packet-filtering firewall runs on the 2.4 and 2.6 kernels. It is built into the kernel rather than running as a daemon. It inspects packets at OSI layers 2 (MAC addresses), 3 and 4 and makes its decisions on packet headers (the string match, which looks into the payload, is the one exception). Rules are configured with the iptables command, which replaced ipchains. More resources can be found at http://www.netfilter.org.

Basic Netfilter compilation options

To run iptables you need to select the following options when configuring the kernel, whether you use make config or another front end such as make menuconfig.
Enable the important options in the kernel configuration, including Netfilter connection tracking, logging and packet filtering. Remember that iptables only builds policy on top of the framework the kernel's Netfilter provides; without the kernel options the userspace tool has nothing to drive.
Under the Network packet filtering framework (Netfilter) menu there are two further groups of options: Core Netfilter Configuration and IP: Netfilter Configuration.

Core Netfilter Configuration

Some of the core Netfilter configuration options that should be enabled:
Comment match support (the comment match, used to annotate rules);
FTP protocol support (the connection-tracking helper that tracks FTP data connections);
Length match support (match on packet length);
Limit match support (the limit match, used for rate limiting);
MAC address match support (match on the source MAC address);
MARK target support (the MARK target, which sets a mark on the packet for later rules or policy routing);
Netfilter connection tracking support;
Netfilter LOG over NFNETLINK interface (the NFLOG target, which logs through nfnetlink);
Netfilter netlink interface;
Netfilter Xtables support (the protocol-independent Xtables core on which iptables and ip6tables are built);
State match support (match on connection-tracking state);
String match support (match on a string in the packet payload).

IP: Netfilter Configuration

ECN target support (the ECN target);
Full NAT (the nat table and the SNAT/DNAT targets);
IP address range match support (the iprange match);
IP tables support (required for filtering, masquerading and NAT);
IPv4 connection tracking support (required by NAT);
LOG target support;
MASQUERADE target support;
Owner match support (match on the uid/gid of the local process that generated the packet);
Packet filtering (the filter table);
Packet mangling (the mangle table, which alters packet headers and is often used to influence routing);
raw table support (required by the NOTRACK and TRACE targets);
recent match support (the recent match, which remembers recently seen addresses);
REJECT target support;
TOS match support;
TOS target support;
TTL match support;
TTL target support;
ULOG target support (logging to userspace).
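A practical way to check a built kernel for these options is to grep its .config (on RHEL-style systems /boot/config-$(uname -r)). The following POSIX shell script is an added example and not part of the original post: it checks the configuration symbols behind the menu entries above against a config file and reports the ones that are neither built in (y) nor modular (m). The symbol names are those of 2.6-era kernels and are an assumption for any other version (they get renamed between releases, so adjust the list). By default the script runs against a constructed sample config embedded in it; pass a real config path as the first argument to check your kernel.

```shell
#!/bin/sh
# Added example (not from the original post): check a kernel .config for the
# Netfilter options needed by iptables. Symbol names are 2.6-era (assumption).
NF_REQUIRED="CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES CONFIG_NF_CONNTRACK \
CONFIG_NF_CONNTRACK_IPV4 CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER \
CONFIG_NETFILTER_XT_MATCH_STATE CONFIG_IP_NF_TARGET_REJECT \
CONFIG_IP_NF_TARGET_LOG CONFIG_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE \
CONFIG_IP_NF_MANGLE CONFIG_IP_NF_RAW"

# nf_option_state FILE SYMBOL -> prints y (built in), m (module) or n (absent or "is not set")
nf_option_state() {
    state=$(sed -n "s/^$2=\([ym]\)$/\1/p" "$1" | head -n 1)
    [ -n "$state" ] && echo "$state" || echo n
}

# nf_missing FILE -> prints every required symbol whose state is n, one per line
nf_missing() {
    for sym in $NF_REQUIRED; do
        [ "$(nf_option_state "$1" "$sym")" = n ] && echo "$sym"
    done
    return 0
}

# Constructed sample config (not a real kernel's .config) so the script runs stand-alone.
# Two required options are deliberately left unset.
NF_SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$NF_SAMPLE_CONFIG"' EXIT
cat > "$NF_SAMPLE_CONFIG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_IP_NF_TARGET_LOG is not set
CONFIG_NF_NAT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_MANGLE=m
# CONFIG_IP_NF_RAW is not set
EOF

# Pass /boot/config-$(uname -r) as the first argument to check the running kernel.
CONFIG_FILE=${1:-$NF_SAMPLE_CONFIG}
echo "Checking $CONFIG_FILE"
nf_missing "$CONFIG_FILE" | sed 's/^/missing: /'
```

Against the embedded sample the script reports CONFIG_IP_NF_TARGET_LOG and CONFIG_IP_NF_RAW as missing, i.e. the LOG target and the raw table (needed for NOTRACK) would be unavailable on that kernel.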

Position where Netfilter works

Netfilter is loaded into Linux as a set of kernel modules. Every additional Netfilter module present means one more match or target the Linux firewall can use, so the firewall's capabilities grow with its modules. The modules in /lib/modules/2.6.18-164.el5/kernel/net/ipv4/netfilter work only for IPv4 traffic, as the directory listing in the figure shows.

The modules in /lib/modules/2.6.18-164.el5/kernel/net/ipv6/netfilter work only for IPv6 traffic, as the listing in the figure shows.

What the modules in these two directories have in common is that they are tied to a protocol family, so when you use them you must pay attention to which modules work under which protocol. Starting with Linux 2.6.14 (nfnetlink) and 2.6.16 (x_tables) the design of the Netfilter modules changed substantially: the Netfilter project wanted modules to be independent of the protocol family, and a good number of them now are. These protocol-independent modules (the xt_* matches and targets) live in /lib/modules/2.6.18-164.el5/kernel/net/netfilter, as the listing in the figure shows.

Command structure of Netfilter

Having looked at the structure of Netfilter, it should be clear that the modules above only provide matching and target functions. For Netfilter to do something for us, we must give it rules. With rules, Netfilter knows which packets are acceptable, which must be discarded and which need special treatment. A rule is written into a structured area of kernel memory that Netfilter consults when it processes packets, so that it acts on the decisions of the firewall administrator. That area is commonly called a table. A table is the largest unit of the firewall and contains chains, which in turn contain rules. There are four tables: filter, nat (address translation), mangle (packet modification) and raw. A chain is an ordered list of rules, and each rule has two parts:
Match: the conditions a packet must meet, such as source address and port.
Target: the action taken when the conditions are met, such as ACCEPT or DROP.

Filter: the most important table in Netfilter. Its task is to filter packets, which is the firewall function proper. It contains the INPUT, OUTPUT and FORWARD chains, used for incoming, outgoing and forwarded packets. The filter table is the default table, used when iptables is invoked without -t.
NAT (Network Address Translation): another indispensable mechanism on a firewall. Its role is similar to IP address sharing but more general: it rewrites addresses and ports, including masquerading. It has three chains: PREROUTING (translation before routing, for DNAT), POSTROUTING (translation after routing, for SNAT and MASQUERADE) and OUTPUT (for locally generated packets, rarely used).
Mangle: used to modify special packets. Originally it had only the PREROUTING and OUTPUT chains; since kernel 2.4.18 it has all five (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING). The mangle table is commonly used for traffic control and QoS, for example marking packets or changing TOS and TTL.
Raw: consulted before connection tracking. Its NOTRACK target exempts packets from connection tracking, which is how it speeds up packets passing through the firewall and improves firewall performance.

Filter mechanism of Netfilter

As the firewall proper within Netfilter, the filter table first needs a definition of "packet classes". Assume, as in the figure, a computer with two NICs on which the httpd server and the Firefox browser are both running.

INPUT packets: packets sent from another host on the network to a local process. This kind of packet arises, for example, when another user on the network accesses the local httpd service.
OUTPUT packets: packets generated by a local process. This kind of packet arises, for example, when a user on the machine opens Firefox to access another host on the network.
FORWARD packets: packets that are only "passing through" the local machine. They appear when the machine acts as a router.

INPUT chain: to protect the local httpd process we work on INPUT packets. For example, the INPUT chain can say: "if an incoming packet is addressed to TCP port 80 of the local machine and was sent by host 192.168.2.1, discard it", which shields httpd from that host. The INPUT chain therefore holds the rules that filter INPUT packets; in other words, the INPUT chain "protects" the local machine (see the figure).

OUTPUT chain: to stop users of the local machine from browsing www.163.com with Firefox we restrict OUTPUT packets. The OUTPUT chain can say: "if a packet was generated by a local process and is addressed to TCP port 80 of www.163.com, discard it". The OUTPUT chain therefore holds the rules that filter OUTPUT packets; in other words, it "restricts" the connections local applications may make (see the figure).

FORWARD chain: if the firewall in the figure is meant to protect the web server behind it, we restrict FORWARD packets. The FORWARD chain can say: "if a packet was sent by host 192.168.2.10 and is addressed to TCP port 80 of the web server, discard it". The FORWARD chain therefore holds the rules that filter FORWARD packets; in other words, it protects the hosts behind the firewall (see the figure).

Rule matching

Rules in a chain are matched in order. When a packet matches a rule with a terminating target (DROP, ACCEPT, REJECT), processing of the chain usually ends there. A packet can also match several rules: if a LOG rule precedes an ACCEPT rule for the same traffic, both match, because LOG is non-terminating and the packet continues to the next rule. If no rule matches, the chain's default policy takes effect. There are two basic approaches to a firewall policy: deny everything by default and explicitly allow selected packets to pass (recommended), or allow everything by default and explicitly deny selected packets, as shown in the figure.
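The three chain rules described above and the recommended default-deny policy can be written down as one ruleset in iptables-restore format. The script below is an added example, not code from the original post; it prints the ruleset and counts the rules per chain so the ordering point (LOG before DROP) can be checked. Assumed values that the post does not give: WEB_SERVER (192.168.2.100) for the server behind the firewall, and BLOCKED_SITE (203.0.113.80) standing in for the address of www.163.com, since iptables resolves a hostname only once when a rule is loaded and rules should name addresses instead.

```shell
#!/bin/sh
# Added example (not from the original post): the INPUT, OUTPUT and FORWARD
# rules of the post plus a default-deny policy, in iptables-restore format.
# Assumed addresses: WEB_SERVER is the server behind the firewall and
# BLOCKED_SITE stands in for www.163.com (hostnames are resolved once, at load time).
WEB_SERVER=${WEB_SERVER:-192.168.2.100}
BLOCKED_SITE=${BLOCKED_SITE:-203.0.113.80}

# filter_ruleset -> print the filter table in iptables-restore format
filter_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Default policy DROP on INPUT and FORWARD: anything not matched below is discarded.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# INPUT protects the local httpd. LOG is non-terminating, so a packet from
# 192.168.2.1 is logged by the first rule and then dropped by the second.
-A INPUT -s 192.168.2.1 -p tcp --dport 80 -j LOG --log-prefix "INPUT-DROP: "
-A INPUT -s 192.168.2.1 -p tcp --dport 80 -j DROP
-A INPUT -p tcp --dport 80 -j ACCEPT
# OUTPUT restricts local processes: no HTTP to the blocked site.
-A OUTPUT -d $BLOCKED_SITE -p tcp --dport 80 -j DROP
# FORWARD protects the host behind the firewall: 192.168.2.10 may not reach its port 80.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 192.168.2.10 -d $WEB_SERVER -p tcp --dport 80 -j DROP
-A FORWARD -d $WEB_SERVER -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# chain_rule_count CHAIN -> number of rules appended to CHAIN (comment lines are not rules)
chain_rule_count() {
    filter_ruleset | grep -c "^-A $1 " || true
}

# ruleset_check -> let the kernel parse the ruleset without loading it (root only)
ruleset_check() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root to validate with iptables-restore --test" >&2
        return 1
    fi
    filter_ruleset | iptables-restore --test
}

filter_ruleset
```

To load it for real, pipe the output into iptables-restore as root after ruleset_check succeeds; because the INPUT policy is DROP, the ESTABLISHED,RELATED rule is what keeps an existing SSH session alive while the rules are applied.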

This article is from the "virtual reality" blog. For more information, contact the author!
