The process of passing a packet through a firewall

Source: Internet
Author: User

There are three scenarios when a packet passes through a firewall:

1. Locally destined packets

When a packet enters the firewall and its destination address belongs to the local host, the firewall checks it in the following order.

If a packet is discarded at one step, no subsequent checks are performed.

Step  Table   Chain       Description
1     -       -           The packet is transmitted on the link
2     -       -           The packet enters the network interface
3     mangle  PREROUTING  Used to mangle packets, for example rewriting or marking them
4     nat     PREROUTING  Mainly used for DNAT
5     -       -           Routing decision: is the packet destined for the local host or to be forwarded?
6     mangle  INPUT       After routing and before delivery to a local program; again for rewriting or marking packets
7     filter  INPUT       Every locally destined packet passes through this chain; the packet filtering rules are set here
8     -       -           The packet reaches a local program, such as a server or client process

2. Locally generated packets

Packets emitted by a local application are checked by the firewall in the following order:

Step  Table   Chain        Description
1     -       -            A local program, such as a server or client process, emits the packet
2     -       -            Routing decision
3     mangle  OUTPUT       Used to mangle packets, for example rewriting or marking them
4     nat     OUTPUT       DNAT operations on the emitted packet
5     filter  OUTPUT       Filtering of locally generated packets; the packet filtering rules are set here
6     mangle  POSTROUTING  Further changes to the packet
7     nat     POSTROUTING  SNAT is done here
8     -       -            The packet leaves the network interface and is transmitted on the link

3. Forwarded packets

Packets that need to be forwarded through the firewall are checked by the firewall in the following order:

Step  Table   Chain        Description
1     -       -            The packet is transmitted on the link
2     -       -            The packet enters the network interface
3     mangle  PREROUTING   Used to mangle packets, for example rewriting or marking them
4     nat     PREROUTING   Mainly used for DNAT
5     -       -            Routing decision: is the packet destined for the local host or to be forwarded?
6     mangle  FORWARD      The packet continues to the FORWARD chain of the mangle table, which is used only in very special cases; the packet is mangled here, after the first routing decision and before the last change to the packet's destination
7     filter  FORWARD      Only packets that need to be forwarded reach this chain, and all filtering for them is done here; note that every forwarded packet goes through here
8     mangle  POSTROUTING  Also for some special kinds of packets; mangling here happens after all changes to the destination address are complete, but while the packet is still on the local host
9     nat     POSTROUTING  Used for SNAT; filtering here is not recommended, because some packets will pass even when the conditions are not met
10    -       -            The packet leaves the network interface
11    -       -            The packet is transmitted on the link

When filtering packets, the following three actions are commonly used:

(1) ACCEPT: Once the packet satisfies the match criteria of a rule, it is accepted and is not matched against the remaining rules in the current chain or any other rule in the same table; the packet still has to pass through the chains of the other tables.

(2) DROP: If the packet satisfies the match criteria, it is silently discarded; no notification is returned to the sender or to the routing stage.

(3) REJECT: The same as DROP, except that in addition to discarding the packet an error message is returned to the sender.

An example is as follows:

Here "policy DROP" means that the default rule of the chain is DROP. Suppose a packet with source address 192.168.1.58, destination address 137.254.60.6, protocol TCP and destination port 80 passes through the FORWARD chain; it is matched against the rules from top to bottom:

(1) 1st rule: source is 192.168.100.0/24; the source address does not match

(2) 2nd rule: destination is 69.147.0.0/24; the destination address does not match

(3) 3rd rule: source is 172.16.0.0/16; the source address does not match

(4) 4th rule: source is 10.0.0.0/24; the source address does not match

Since none of the rules match, the packet falls through to the default policy, which in this example is DROP, so the packet is discarded.

Now consider another packet: source address 192.168.1.58, destination address 69.147.83.199, protocol TCP, destination port 80. When it passes through the FORWARD chain it is matched from top to bottom:

(1) 1st rule: source is 192.168.100.0/28; the source address does not match

(2) 2nd rule: the source address is any (0.0.0.0/0), which matches; the destination address is 69.147.0.0/24, and because 69.147.83.199 is within that range it matches; the source and destination ports match, and the protocol is any (all), so it matches too. The rule's action is ACCEPT, so the packet passes.

If a packet has source address 10.0.0.35, destination address 69.147.83.199, protocol TCP and destination port 80, then when it passes through the FORWARD chain the match starts from the top; when it reaches the 4th rule the action is mychain, and the packet is sent to the user-defined chain mychain for processing.
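The three walkthroughs above can be reproduced with a small model of how a filter chain is evaluated: rules are tried top-down, the first match decides, a jump into a user-defined chain that matches nothing returns to the calling chain after the jump rule, and a built-in chain's policy applies only when nothing matched. The code below is an added example written for this page, not the page's own rule listing. It assumes the targets of rules 1 and 3 are DROP (the page does not state them), uses /24 for rule 1 (the page gives /24 once and /28 once), and constructs the contents of mychain, which the page never shows. Run exactly as listed, the model also exposes a prefix-length detail worth checking in any real rule set: 69.147.0.0/24 covers only 69.147.0.0 through 69.147.0.255, so the second packet falls through to the policy rather than matching rule 2, while a /16 would accept it but would then also accept the third packet before rule 4 is ever reached. The helper `with_rule2_prefix` lets you try both.

```python
"""Toy model of iptables filter-chain evaluation: first-match rule walk with
jumps to user-defined chains, RETURN semantics and a built-in chain policy.
Added example; the rule set and packets are constructed from the walkthrough
text and are not an iptables listing from the page."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    target: str                 # ACCEPT / DROP / REJECT / RETURN or a user chain name
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "all"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Every criterion present on the rule must hold for the rule to fire.
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def walk(chains, policies, chain, pkt, trace=None):
    """Return (verdict, trace). Rules are tried top-down and the first match
    decides. A user-chain target is a jump; running off the end of a user chain
    (or hitting RETURN) resumes in the calling chain after the jump rule. Only
    built-in chains have a policy, applied when nothing matched."""
    trace = [] if trace is None else trace
    for idx, rule in enumerate(chains[chain], start=1):
        if not rule.matches(pkt):
            trace.append((chain, idx, "no match"))
            continue
        trace.append((chain, idx, rule.target))
        if rule.target in TERMINAL:
            return rule.target, trace
        if rule.target == "RETURN":
            break                                   # fall to policy (built-in) or caller (user chain)
        verdict, _ = walk(chains, policies, rule.target, pkt, trace)   # jump into user chain
        if verdict is not None:
            return verdict, trace
    policy = policies.get(chain)                    # None for a user chain == implicit RETURN
    if policy is not None:
        trace.append((chain, "policy", policy))
    return policy, trace


# FORWARD as the page describes it; targets of rules 1 and 3 are assumed.
# 'mychain' is constructed for this example (the page does not show its rules).
FILTER_AS_LISTED = {
    "FORWARD": [
        Rule("DROP", src="192.168.100.0/24"),
        Rule("ACCEPT", dst="69.147.0.0/24"),
        Rule("DROP", src="172.16.0.0/16"),
        Rule("mychain", src="10.0.0.0/24"),
    ],
    "mychain": [
        Rule("ACCEPT", proto="tcp", dport=22),      # anything else returns to FORWARD
    ],
}
POLICIES = {"FORWARD": "DROP"}                      # "policy DROP" from the walkthrough


def forward_verdict(pkt, chains=FILTER_AS_LISTED):
    return walk(chains, POLICIES, "FORWARD", pkt)


def with_rule2_prefix(prefix):
    """Same rule set with rule 2's destination network replaced, e.g. '69.147.0.0/16'."""
    chains = {name: list(rules) for name, rules in FILTER_AS_LISTED.items()}
    chains["FORWARD"][1] = Rule("ACCEPT", dst=prefix)
    return chains


# Constructed packets matching the page's three walkthroughs.
PKT1 = Packet("192.168.1.58", "137.254.60.6", "tcp", 80)
PKT2 = Packet("192.168.1.58", "69.147.83.199", "tcp", 80)
PKT3 = Packet("10.0.0.35", "69.147.83.199", "tcp", 80)

if __name__ == "__main__":
    for name, pkt in (("pkt1", PKT1), ("pkt2", PKT2), ("pkt3", PKT3)):
        verdict, trace = forward_verdict(pkt)
        print(name, verdict, trace)
    wide = with_rule2_prefix("69.147.0.0/16")
    print("pkt2 with /16:", forward_verdict(PKT2, wide)[0])
    print("pkt3 with /16:", forward_verdict(PKT3, wide)[0])
```

The trace returned alongside the verdict shows the "no subsequent checks" behaviour directly: once a rule fires with ACCEPT or DROP the list stops, and a jump that finds nothing in mychain continues in FORWARD and ends at its policy.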
