Old 08-16-2011, 02:25 PM   #1
gy3gt1sh0og
March 26, 2009, 13:47. Category: Computer Related
3. Tables and chains
In this chapter we discuss the order in which packets traverse the different chains and tables, and how they do so. Later, when you write your own rules, you will see how important this order is. Some components are shared between iptables and the kernel, for example the one that determines how packets are routed. Knowing this is very important, especially if you use iptables to change how packets are routed. It will help you understand how and why a packet was routed the way it was. DNAT and SNAT are good examples of this, and do not forget the role of TOS.
3.1. Firewall overview
When a packet arrives and the MAC address matches, the kernel receives it through the appropriate driver. The packet then goes through a series of steps that decide whether it is delivered to a local program, forwarded to another machine, or handled in some other way.
Let us first look at a packet destined for the local machine. It goes through the following steps before the receiving program gets it:
The word mangle appears below. I really could not think of the right word to express its meaning, simply because my English is bad! I can only write it down as I understand it. What the word means is changing some of the transmission characteristics of a data packet; the operations the mangle table allows are TOS, TTL and MARK. In other words, from now on it is enough to understand the word's role when we see it.
Table 3-1. Packets destined for the local machine (that is, our own machine)
Step | Table | Chain | Comment
1 | | | On the wire (e.g., Internet)
2 | | | Comes in on the interface (e.g., eth0)
3 | mangle | PREROUTING | This chain is used to mangle packets, for example changing TOS and so on.
4 | nat | PREROUTING | This chain is mainly used for DNAT. Do not filter in this chain, because in some cases it will be bypassed.
5 | | | Routing decision, i.e., whether the packet is delivered locally or forwarded.
6 | mangle | INPUT | After routing, and before the packet is handed to the local program, mangle the packet.
7 | filter | INPUT | All packets destined for the local machine pass through this chain, no matter where they came from. Filtering of these packets is done here.
8 | | | Arrives at the local program (e.g., a server or client program)
Note that, compared with before (Translator's note: meaning ipchains), the packet now passes through the INPUT chain rather than the FORWARD chain. This is more logical. It may seem odd at first, but think it over and you will understand why.
Now we look at the steps a packet goes through when its source is the local machine:
Table 3-2. Packets whose source is the local machine
Step | Table | Chain | Comment
1 | | | Local program (e.g., a server or client program)
2 | | | Routing decision: which source address to use, which outgoing interface, and other information.
3 | mangle | OUTPUT | Packets can be mangled here. Filtering here is not recommended, as it may have side effects.
4 | nat | OUTPUT | This chain can be used to DNAT packets sent from the firewall itself.
5 | filter | OUTPUT | Filters packets sent from the local machine.
6 | mangle | POSTROUTING | This chain is mainly used to mangle packets after DNAT (Translator's note: the author calls this DNAT the actual routing, even though there was a routing step earlier. A locally generated packet must be handled by the routing code as soon as it is created, but where it actually goes can only be determined after the NAT code has processed it. Hence the name actual routing.) and before they leave the local machine. Two kinds of packets pass through here: packets from the firewall machine itself, and forwarded packets.
7 | nat | POSTROUTING | SNAT is done here. Do not filter here, because there are side effects and some packets will slip past even if you use a DROP policy.
8 | | | Leaves on the interface (e.g., eth0)
9 | | | On the wire (e.g., Internet)
In this example, we assume the packet is destined for another machine on the network. Let us follow this packet's journey:
Table 3-3. Forwarded packets
Step | Table | Chain | Comment
1 | | | On the wire (e.g., Internet)
2 | | | Comes in on the interface (e.g., eth0)
3 | mangle | PREROUTING | Mangle packets, for example changing TOS and so on.
4 | nat | PREROUTING | This chain is mainly used for DNAT. Do not filter in this chain, because in some cases it will be bypassed. SNAT is done later.
5 | | | Routing decision, i.e., whether the packet is delivered locally or forwarded.
6 | mangle | FORWARD | The packet is sent on to the FORWARD chain of the mangle table, which is used only in very special circumstances. Here the packet is mangled (you remember what mangle means). This mangling takes place after the first routing decision and before the last change to the packet's destination (Translator's note: that is, what the FORWARD chain below does, since filtering can change where some packets end up, for example by dropping them).
7 | filter | FORWARD | The packet is sent on to this FORWARD chain. Only forwarded packets come here, and all filtering of these packets is done here. Note that all forwarded packets pass through here, whether they travel from the external network to the internal network or the other way round. Take this into account when you write your own rules.
8 | mangle | POSTROUTING | This chain is for special kinds of packets (Translator's note: compare step 6; for forwarded packets, both mangle table chains are used for special applications). The mangling in this step is done after all operations that change the packet's destination address have completed, while the packet is still on the local machine.
9 | nat | POSTROUTING | This chain is used for SNAT, including of course MASQUERADE. Do not filter here, because some packets will get through even if they do not meet the conditions.
10 | | | Leaves on the interface (e.g., eth0)
11 | | | Back on the wire (e.g., LAN)
As you can see, a packet goes through many steps, and it can be stopped at any chain, or anywhere else something goes wrong. Our main interest is the iptables view of this. Note that there are no chains or tables specific to particular interfaces. Every packet forwarded through the firewall/router passes through the FORWARD chain.
Caution
In the case above, do not filter in the INPUT chain. INPUT exists only to handle packets destined for our own machine; they are not routed anywhere else.
Now we have seen how the different chains are used in these three cases. This is shown as follows:
To make sense of the chart above, think of it this way. At the first routing decision, a packet that is not destined for the local machine is sent through the FORWARD chain. If the packet is destined for an IP address the local machine is listening on, it is sent through the INPUT chain and finally delivered locally.
It is worth noting that, when NAT is in use, the destination address of a packet addressed to the local machine may be changed in the PREROUTING chain. This happens before the first routing decision, so the packet is routed only after its address has been changed. Note that every packet takes one of the paths in the figure above. If you DNAT a packet back to the network it came from, it still travels the rest of the chains on the corresponding path until it is sent back to that network.
Tip
For more information, see rc.test-iptables.txt. The script contains a number of rules that show you how packets pass through the various tables and chains.
3.2. mangle table
This table is mainly used to mangle packets. You can use the mangle matches to change TOS and other characteristics of a packet.
Caution
It is strongly recommended that you do no filtering in this table, nor any DNAT, SNAT or Masquerade. The following are the few operations of the mangle table:
* TOS
* TTL
* MARK
The TOS operation is used to set or change the Type of Service field of a packet. This can be used to set policies for how the packet is routed on the network. Note that this operation is not perfect and sometimes does not do what you want. It cannot really be used on the Internet, and many routers pay no attention to this field. In other words, do not set it on packets sent to the Internet unless you intend to rely on TOS for routing, for example with iproute2.
The TTL operation is used to change the Time To Live field of a packet. We can give all packets one specific TTL. There is a good reason for its existence: it lets us fool some ISPs. Why should we deceive them? Because they do not want us to share a connection. Such ISPs look for a single computer using different TTL values and take that as a sign that the connection is being shared.
The MARK operation is used to set a special mark on packets. iproute2 can recognize these marks and choose a different route depending on the mark (or its absence). With these marks we can do bandwidth limiting and class-based queuing.
3.3. nat table
This table is used only for NAT, that is, translating a packet's source or destination address. Note that, as we said before, only the first packet of a stream is matched by this chain; the remaining packets automatically receive the same treatment. The actual operations fall into the following categories:
* DNAT
* SNAT
* MASQUERADE
DNAT is mainly used when you have a legitimate IP address and want to redirect access to the firewall to another machine (for example, in a DMZ). In other words, we change the destination address so that the packet is re-routed to a certain host.
SNAT changes the source address, which to a large extent can hide your local networks, DMZ and so on. A good example is a firewall whose external address we know and must use in place of the local network's addresses. With this operation, the firewall automatically SNATs and de-SNATs packets (de-SNAT being the reverse of SNAT), so that the LAN can connect to the Internet. If you use addresses such as 192.168.0.0/24, you will not get any response from the Internet. IANA has defined those networks (among others) as private, for use only on internal LANs.
MASQUERADE does exactly the same job as SNAT, with only slightly more load on the computer, because for every matching packet MASQUERADE looks up the IP address available for use instead of using a configured address as SNAT does. The advantage is that we can use addresses obtained by dialing up over PPP, PPPoE, SLIP and so on, which come from the ISP's DHCP and are assigned randomly.
3.4. filter table
The filter table is used to filter packets. We can match packets and filter them in whatever way we want. This is where we DROP or ACCEPT a packet according to its contents. Of course, we can also do some pre-filtering elsewhere, but this table is the one designed for filtering. Almost all targets can be used here. Many of them are described in detail later; for now it is enough to know that filtering is mainly done here.
gy3gt1sh0og is offline   Reply With Quote
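An added example (not part of the original post and not iptables code): a small Python model of the traversal order in Tables 3-1 to 3-3, showing that a packet DNATed in nat PREROUTING is filtered in FORWARD rather than INPUT. The addresses and the DNAT rule are constructed sample values, and `traverse` and `filter_chain` are hypothetical helper names.

```python
# Minimal model of the table/chain order described in section 3.1.
# All addresses below are constructed sample values.
LOCAL_ADDRS = {"203.0.113.1", "192.168.0.1"}         # the firewall's own addresses
DNAT_RULES = {("203.0.113.1", 80): "192.168.0.10"}   # nat PREROUTING: (dst, port) -> DMZ host


def traverse(dst, dport, locally_generated=False):
    """Return (final_dst, [(table, chain), ...]) in traversal order."""
    path = []
    if locally_generated:
        # Table 3-2: routing decision first, then the three OUTPUT chains.
        # (DNAT in nat OUTPUT is not modelled here.)
        path += [("mangle", "OUTPUT"), ("nat", "OUTPUT"), ("filter", "OUTPUT")]
    else:
        path += [("mangle", "PREROUTING"), ("nat", "PREROUTING")]
        # DNAT rewrites the destination BEFORE the routing decision,
        # so the decision below is taken on the rewritten address.
        dst = DNAT_RULES.get((dst, dport), dst)
        if dst in LOCAL_ADDRS:
            # Table 3-1: delivered locally, never reaches POSTROUTING.
            path += [("mangle", "INPUT"), ("filter", "INPUT")]
            return dst, path
        # Table 3-3: forwarded.
        path += [("mangle", "FORWARD"), ("filter", "FORWARD")]
    # Locally generated and forwarded packets both leave via POSTROUTING.
    path += [("mangle", "POSTROUTING"), ("nat", "POSTROUTING")]
    return dst, path


def filter_chain(dst, dport, locally_generated=False):
    """Name of the one filter-table chain that sees this packet."""
    _, path = traverse(dst, dport, locally_generated)
    return next(chain for table, chain in path if table == "filter")


if __name__ == "__main__":
    for args in [("203.0.113.1", 22), ("203.0.113.1", 80),
                 ("198.51.100.7", 443, True)]:
        final_dst, path = traverse(*args)
        print(args, "->", final_dst, " > ".join(f"{t}/{c}" for t, c in path))
```

A rule meant to restrict access to the DMZ web server therefore belongs in filter FORWARD, matching the rewritten address; the same rule placed in INPUT never sees the packet.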