Use of the new packet filtering structure in the Linux 2.4 kernel

Source: Internet
Author: User
Article Title: Use of the new packet filtering structure in the Linux 2.4 kernel.
I. How packets traverse the filters
The kernel starts from three lists in the "filter" table; these lists are called firewall chains, or simply chains. The three chains are INPUT, OUTPUT and FORWARD.
This is very different from the 2.0 and 2.2 kernels.
The chains are arranged as follows:
                          _____
Incoming                 /     \         Outgoing
       -->[Routing ]--->|FORWARD|------->
          [Decision]     \_____/        ^
               |                        |
               v                       ____
              ___                     /    \
             /   \                   |OUTPUT|
            |INPUT|                   \____/
             \___/                      ^
               |                        |
                ----> Local Process ----
The three circles represent the three chains. When a packet reaches one of the circles, that chain is examined to decide the fate of the packet. If the chain says to DROP the packet, it is discarded there; if the chain says to ACCEPT it, the packet continues traversing the diagram.
A chain is a checklist of rules. Each rule says: "if the packet header looks like this, then here is what to do with the packet". If a rule does not match the packet, the next rule in the chain is consulted. When no rules remain, the kernel consults the chain policy to decide what to do with the packet. In a security-conscious system, this policy usually tells the kernel to DROP the packet.
(1) When a packet comes in (say, through the Ethernet card), the kernel first looks at the packet's destination: this is called routing.
(2) If the destination is the local machine, the packet passes to the INPUT chain in the diagram. If it is accepted there, it goes on to whatever local process is waiting for it.
(3) Otherwise, if the kernel does not have forwarding enabled, or does not know how to forward the packet, the packet is dropped. If forwarding is enabled and the packet is destined for another network interface (if you have another one), the packet goes to the FORWARD chain in the diagram. If it is accepted, it is sent out.
(4) Finally, a program running on the local machine can send a network packet. This packet passes through the OUTPUT chain immediately; if it is accepted, it is sent out on whichever interface it is destined for.
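As an added example (not code from the article), here is a small Python model of the traversal just described: which chain a packet visits after the routing decision, and the first-match-else-policy behaviour of a chain. The local addresses, the rule set and the forwarding flag are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

LOCAL_ADDRS = {"127.0.0.1", "192.0.2.10"}   # constructed: this host's own addresses

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    locally_generated: bool = False  # True for packets sent by a local process

@dataclass
class Rule:
    match: Callable[[Packet], bool]  # "if the packet header looks like this..."
    target: str                      # "...then do this": ACCEPT or DROP

@dataclass
class Chain:
    rules: List[Rule] = field(default_factory=list)
    policy: str = "ACCEPT"           # built-in chains start empty with policy ACCEPT

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:      # walk the checklist in order
            if rule.match(pkt):
                return rule.target   # the first matching rule decides
        return self.policy           # no rule matched: the chain policy decides

def traverse(table: Dict[str, Chain], pkt: Packet, forwarding: bool) -> Tuple[str, str]:
    """Return (chain consulted, verdict) following the routing-decision diagram above."""
    if pkt.locally_generated:              # case (4): local process -> OUTPUT
        return "OUTPUT", table["OUTPUT"].verdict(pkt)
    if pkt.dst in LOCAL_ADDRS:             # case (2): routing says "for us" -> INPUT
        return "INPUT", table["INPUT"].verdict(pkt)
    if not forwarding:                     # case (3): forwarding off -> packet dropped
        return "none", "DROP"
    return "FORWARD", table["FORWARD"].verdict(pkt)  # case (3): routed onward -> FORWARD

def example_table() -> Dict[str, Chain]:
    """Constructed ruleset: the article's later example rule, ICMP from 127.0.0.1 -> DROP."""
    table = {name: Chain() for name in ("INPUT", "OUTPUT", "FORWARD")}
    table["INPUT"].rules.append(
        Rule(lambda p: p.src == "127.0.0.1" and p.proto == "icmp", "DROP"))
    table["FORWARD"].policy = "DROP"       # security-conscious default for forwarded traffic
    return table
```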
  
II. Using iptables
iptables is a very useful tool. The three built-in chains mentioned above, INPUT, OUTPUT and FORWARD, cannot be deleted. The operations for managing whole chains are:
(1) create a new chain (-N)
(2) delete an empty chain (-X)
(3) change the policy of a built-in chain (-P)
(4) list the rules in a chain (-L)
(5) flush all the rules out of a chain (-F)
(6) reset the byte counters of all rules in a chain to zero (-Z)
The following operations manipulate rules inside a chain:
(1) append a new rule to a chain (-A)
(2) insert a new rule at some position in a chain (-I)
(3) replace the rule at some position in a chain (-R)
(4) delete the rule at some position in a chain (-D)
(5) delete the first rule in a chain that matches a given specification (-D)
  
Operations at machine startup
The iptables module is called "iptable_filter.o" and is loaded automatically the first time iptables is run; it can also be built permanently into the kernel.
Before any iptables command has been run (careful: some distributions run iptables from their initialization scripts), the built-in chains INPUT, OUTPUT and FORWARD contain no rules, and all three have policy ACCEPT. You can change the default policy of the FORWARD chain by giving the iptable_filter module the option "forward=0".
  
Single rule operations
The most common commands are append (-A) and delete (-D); the others, insert (-I) and replace (-R), are simple extensions of these.
Each rule specifies a set of conditions the packet must meet, and what to do if it meets them (the "target"). For example, to drop all ICMP packets coming from the IP address 127.0.0.1, the conditions are: the protocol must be ICMP and the source address must be 127.0.0.1; the target is "DROP".
127.0.0.1 is the loopback interface, which exists even if the machine has no real network connection. You can use the "ping" program to generate such packets (it simply sends an ICMP packet of type 8, echo request, to which all cooperative hosts should reply with an ICMP packet of type 0, echo reply). This makes it useful for testing.
# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.2 ms
# iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
#
Here the first ping succeeds (the "-c 1" option tells ping to send only one packet).
Then we append (-A) a rule to the INPUT chain specifying that ICMP packets (-p icmp) from 127.0.0.1 (-s 127.0.0.1) should go to the target DROP (-j DROP).
The second ping tests the rule: the program waits for a reply that never arrives and gives up after its timeout.
There are two ways to delete a rule. Since there is only one rule in the chain in the example above, it can be deleted either way:
Method 1: delete by position number:
# iptables -D INPUT 1
#
This deletes the first rule in the INPUT chain.
Method 2: mirror the -A command above, but replace -A with -D. This is useful when a chain holds many rules and you do not want to count rows to find the position of the one to delete.
# iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP
#
The syntax of -D must exactly match that of the -A (or -I, or -R) command. If there are several identical rules in the same chain, only the first matching rule is deleted.
  
Filtering specifications
The previous section showed "-p" to specify the protocol and "-s" to specify the source address. Other options can be used to specify a packet's characteristics; they are described in detail below.
  
Specifying source and destination IP addresses
Source ("-s", "--source" or "--src") and destination ("-d", "--destination" or "--dst") IP addresses can be specified in four ways. The most common is to use a full name, such as "localhost" or "www.linuxhq.com". The second is to give the IP address itself, such as "127.0.0.1".
The third and fourth ways allow a group of IP addresses to be specified, for example "199.95.207.0/24" or "199.95.207.0/255.255.255.0". Both specify every IP address from 199.95.207.0 to 199.95.207.255 inclusive; the part after the "/" tells the system which bits of the IP address are significant. "/32" or "/255.255.255.255" is the default (all bits of the address must match). "/0" can be used to specify any IP address at all, for example:
# iptables -A INPUT -s 0/0 -j DROP
#
This is rarely used, however, since the effect above is the same as not specifying "-s" at all.
  
Negation
Many flags, including "-s" (or "--source") and "-d" (or "--destination"), can be preceded by "!" (pronounced "not") to match all addresses NOT equal to the one given. For example, "-s ! localhost" matches every packet not coming from localhost.
  
Protocol
The protocol is specified with the "-p" (or "--protocol") flag. It can be a number (if you know the numeric IP protocol value) or a name such as "TCP", "UDP" or "ICMP"; case does not matter.
"!" can be used here as well to negate the match: "-p ! TCP" specifies every packet that is not TCP.
  
Specifying an interface
The "-i" (or "--in-interface") and "-o" (or "--out-interface") options specify the name of an interface to match. An interface is the physical device the packet came in on ("-i") or is going out on ("-o"). The ifconfig command lists the interfaces that are "up".
Packets traversing the INPUT chain have no output interface, so no rule using "-o" in that chain will ever match. Similarly, packets traversing the OUTPUT chain have no input interface, so no rule using "-i" in that chain will ever match.
Only packets traversing the FORWARD chain have both an input and an output interface.
It is perfectly legal to specify an interface that does not currently exist; the rule simply does not match anything until the interface comes up. This is extremely useful for dial-up PPP (usually ppp0) and similar links.
An interface name ending in "+" matches all interfaces whose names begin with that string (whether or not they are currently up). For example, a rule matching all PPP interfaces uses the "-i ppp+" option.
"!" can be used to match packets that do not match the given interface.
  
Fragments
Sometimes a packet is too large to fit down a wire all at once. When this happens, the packet is divided into fragments, which are sent as multiple packets. The receiving end reassembles the fragments to reconstruct the whole packet.
The first fragment contains the complete headers (IP plus TCP, UDP or ICMP) to examine, but subsequent fragments carry only a subset of the headers (the IP header without the additional protocol fields). Thus looking inside subsequent fragments for protocol headers (as the TCP, UDP and ICMP extensions do) is not possible.
If you are doing connection tracking or NAT, all fragments are merged back together before they reach the packet filtering code, so you need never worry about fragments.
Otherwise, it is important to understand how fragments are treated by the filtering rules. Any rule that asks for information the fragment does not have is treated as not matching. This means the first fragment is treated like any other packet, but second and subsequent fragments are not. So a rule "-p TCP --sport www" (specifying a source port of "www") will never match a fragment other than the first.
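As an added example (not from the article), this Python model implements the match options of this section: "-s"/"-d" with CIDR or netmask and "!", case-insensitive "-p", "-i"/"-o" with the "+" wildcard and the missing-interface behaviour, and the fragment rule above (a port match can only succeed on the first fragment). The Packet and Rule fields and all sample values are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    in_if: Optional[str] = None   # None for packets on the OUTPUT chain
    out_if: Optional[str] = None  # None for packets on the INPUT chain
    sport: Optional[int] = None   # None when no TCP/UDP header is visible
    frag_offset: int = 0          # 0 = first (or only) fragment

@dataclass
class Rule:
    src: Optional[str] = None     # "-s 199.95.207.0/24" or "-s ! 127.0.0.1"
    dst: Optional[str] = None
    proto: Optional[str] = None   # "-p tcp" or "-p ! tcp"
    in_if: Optional[str] = None   # "-i ppp+" matches every interface named ppp*
    out_if: Optional[str] = None
    sport: Optional[int] = None   # "--sport www" -> 80

def _spec(spec: str, value, test) -> bool:
    """Apply a possibly negated spec ('! tcp' or '!tcp') to a packet value."""
    neg = spec.strip().startswith("!")
    return test(spec.strip().lstrip("!").strip(), value) != neg

def _in_net(want: str, addr: str) -> bool:
    net = ipaddress.ip_network(want if "/" in want else want + "/32", strict=False)
    return ipaddress.ip_address(addr) in net

def _iface(want: str, name: str) -> bool:
    return name.startswith(want[:-1]) if want.endswith("+") else name == want

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    for spec, addr in ((rule.src, pkt.src), (rule.dst, pkt.dst)):
        if spec is not None and not _spec(spec, addr, _in_net):
            return False
    if rule.proto is not None and not _spec(rule.proto, pkt.proto, lambda w, v: w.lower() == v.lower()):
        return False
    # A packet on INPUT has no output interface (and on OUTPUT no input interface):
    # a rule naming that interface can never match there.
    for spec, name in ((rule.in_if, pkt.in_if), (rule.out_if, pkt.out_if)):
        if spec is not None and (name is None or not _spec(spec, name, _iface)):
            return False
    # The port sits in the TCP/UDP header, which only the first fragment carries,
    # so a later fragment is treated as not matching a --sport rule.
    if rule.sport is not None and (pkt.frag_offset != 0 or pkt.sport != rule.sport):
        return False
    return True
```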