Differences
linux_router:netfilter [2024-06-23 Sun wk25 08:54] – [Relationships Between Chains and Tables] baumkp | linux_router:netfilter [2024-06-23 Sun wk25 09:11] (current) – baumkp
Line 46: | Line 46: | ||
| | ||
</ | </ | ||
+ | |||
+ | |||
+ | =====IPTables and Netfilter===== | ||
+ | The following is taken from Digitalocean [[https:// | ||
+ | |||
+ | ++++ tldr| | ||
+ | |||
+ | ====IPTables Tables and Chains==== | ||
+ | |||
+ | The '' | ||
+ | |||
+ | Within each '' | ||
+ | |||
+ | The names of the built-in chains mirror the names of the '' | ||
+ | *'' | ||
+ | *'' | ||
+ | *'' | ||
+ | *'' | ||
+ | *'' | ||
+ | |||
+ | Chains allow the administrator to control where in a packet’s delivery path a rule will be evaluated. Since each table has multiple chains, a table’s influence can be exerted at multiple points in processing. Because certain types of decisions only make sense at certain points in the network stack, every table will not have a chain registered with each kernel hook. | ||
+ | |||
+ | There are only five '' | ||
+ | |||
+ | ====Which Tables are Available? | ||
+ | |||
+ | Let’s step back for a moment and take a look at the different tables that '' | ||
+ | |||
+ | ===The Filter Table=== | ||
+ | The filter table is one of the most widely used tables in '' | ||
+ | |||
+ | ===The NAT Table=== | ||
+ | The '' | ||
+ | |||
+ | ===The Mangle Table=== | ||
+ | The '' | ||
+ | |||
+ | This table can also place an internal kernel “mark” on the packet for further processing in other tables and by other networking tools. This mark does not touch the actual packet, but adds the mark to the kernel’s representation of the packet. | ||
+ | |||
+ | ===The Raw Table=== | ||
+ | The '' | ||
+ | |||
+ | The '' | ||
+ | |||
+ | ===The Security Table=== | ||
+ | The '' | ||
====Relationships Between Chains and Tables==== | ====Relationships Between Chains and Tables==== | ||
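Review bot: the `++++ tldr|` fold marker opened right after the DigitalOcean attribution line is never closed within this hunk, so the pre-existing `====Relationships Between Chains and Tables====` heading and the table under it become part of the folded block; if the fold is only meant to wrap the copied text, close it with `++++` before that heading. The attribution sentence names the source but not the terms under which the text is reused; stating the license (or at least that the section is quoted rather than original) would make that clear to later editors.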
Line 54: | Line 100: | ||
A few things should be noted. In the representation below, the '' | A few things should be noted. In the representation below, the '' | ||
- | |<65em 15em 10em 10em 10em 10em>| | + | |<55em 15em 8em 8em 8em 8em>| |
^Tables/ | ^Tables/ | ||
|(routing decision) | |(routing decision) | ||
Line 78: | Line 124: | ||
If we combine the above information with the ordering laid out in the previous table, we can see that an incoming packet destined for the local system will first be evaluated against the **PREROUTING** chains of the **raw**, **mangle**, and **nat** tables. It will then traverse the **INPUT** chains of the **mangle**, **filter**, **security**, | If we combine the above information with the ordering laid out in the previous table, we can see that an incoming packet destined for the local system will first be evaluated against the **PREROUTING** chains of the **raw**, **mangle**, and **nat** tables. It will then traverse the **INPUT** chains of the **mangle**, **filter**, **security**, | ||
+ | ==== IPTables and Connection Tracking==== | ||
+ | |||
+ | We introduced the connection tracking system implemented on top of the '' | ||
+ | |||
+ | Connection tracking is applied very soon after packets enter the networking stack. The '' | ||
+ | |||
+ | The system checks each packet against a set of existing connections. It will update the state of the connection in its store if needed and will add new connections to the system when necessary. Packets that have been marked with the '' | ||
+ | |||
+ | ===Available States=== | ||
+ | |||
+ | Connections tracked by the connection tracking system will be in one of the following states: | ||
+ | |||
+ | *'' | ||
+ | *'' | ||
+ | *'' | ||
+ | *'' | ||
+ | *'' | ||
+ | *'' | ||
+ | *'' | ||
+ | |||
+ | The states tracked in the connection tracking system allow administrators to craft rules that target specific points in a connection’s lifetime. This provides the functionality needed for more thorough and secure rules. | ||
+ | ++++ | ||
====Some references==== | ====Some references==== |
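Review bot: the closing `++++` at the end of this hunk lands after the new connection tracking section, so the fold opened at `++++ tldr|` collapses the pre-existing Relationships Between Chains and Tables section and its table together with the copied text; if only the quoted DigitalOcean material should be collapsible, either close the fold before the Relationships heading and reopen it for this section, or move this section above that heading. Separately, the Available States list introduces the conntrack states but the page never shows a rule that uses them; one line such as `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` after the closing sentence would tie the states to the filter table's INPUT chain described in the section above.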