
Raspberry Pi —— Packet flows, firewalls and iptables

This post was last edited by 角色 on 2019-2-26 22:23

If you want to understand firewall settings in more depth, you must understand the whole flow of network packets; otherwise it is hard to know how to set certain rules and so on. Although the title uses the Raspberry Pi as the test bed, the principles apply to other Linux products such as RouterOS (MikroTik).

I remember that when I was learning RouterOS back then, I could not make sense of the packet flow diagrams at all, and I did not study them any further at the time. Later, when I had time to use V2Ray, especially the part on transparent proxying, there were many iptables commands that I also could not understand, so I made up my mind to read other material, and slowly began to understand how firewalls, packet flows and iptables relate to each other.

What first got me to understand packet flows was reference [1]; following its explanation of the first diagram, I slowly began to understand a little. In the last part of [1] the author mentions a very detailed document on iptables, [2]. Reference [5] also draws out how packets travel.



Other fairly useful references are [3, 4].

References
[1] https://www.booleanworld.com/depth-guide-iptables-linux-firewall/
[2] https://www.frozentux.net/iptabl ... ables-tutorial.html
[3] https://unix.stackexchange.com/q ... hains-are-traversed
[4] https://www.digitalocean.com/com ... itecture#conclusion
[5] http://www.adminsehow.com/2011/09/iptables-packet-traverse-map/

This post was last edited by 角色 on 2019-2-26 22:49

Excerpted from [1], we get

I. IPTABLES TABLES and CHAINS
IPTables has the following 4 built-in tables.

1. Filter Table
Filter is the default table for iptables. So, if you don’t define your own table, you’ll be using the filter table. Iptables’s filter table has the following built-in chains.

INPUT chain – Incoming to firewall. For packets coming to the local server.
OUTPUT chain – Outgoing from firewall. For packets generated locally and going out of the local server.
FORWARD chain – Packet for another NIC on the local server. For packets routed through the local server.

2. NAT table
Iptables’s NAT table has the following built-in chains.

PREROUTING chain – Alters packets before routing, i.e. packet translation happens immediately after the packet comes to the system (and before routing). This helps to translate the destination IP address of the packets to something that matches the routing on the local server. This is used for DNAT (destination NAT).

POSTROUTING chain – Alters packets after routing, i.e. packet translation happens when the packets are leaving the system. This helps to translate the source IP address of the packets to something that might match the routing on the destination server. This is used for SNAT (source NAT).

OUTPUT chain – NAT for locally generated packets on the firewall.


3. Mangle table
Iptables’s Mangle table is for specialized packet alteration. This alters QOS bits in the TCP header. Mangle table has the following built-in chains.

PREROUTING chain
OUTPUT chain
FORWARD chain
INPUT chain
POSTROUTING chain

4. Raw table
Iptables’s Raw table is for configuration exemptions. Raw table has the following built-in chains.

PREROUTING chain
OUTPUT chain


References:
[1] https://www.thegeekstuff.com/2011/01/iptables-fundamentals/
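To make the excerpt above concrete, here is an added example (not code from the forum post or from [1]) that models the order in which these four tables' built-in chains are consulted for the three kinds of packet the excerpt describes, following the packet-flow diagrams in the thread's references. The table/chain order at each hook and the single routing-decision marker are this example's own simplification.

```python
from typing import List

# Order in which the four tables from the excerpt are consulted at each
# netfilter hook (as drawn in the packet-flow diagrams the thread cites).
HOOKS = {
    "PREROUTING": [("raw", "PREROUTING"), ("mangle", "PREROUTING"),
                   ("nat", "PREROUTING")],
    "INPUT": [("mangle", "INPUT"), ("filter", "INPUT")],
    "FORWARD": [("mangle", "FORWARD"), ("filter", "FORWARD")],
    "OUTPUT": [("raw", "OUTPUT"), ("mangle", "OUTPUT"), ("nat", "OUTPUT"),
               ("filter", "OUTPUT")],
    "POSTROUTING": [("mangle", "POSTROUTING"), ("nat", "POSTROUTING")],
}

ROUTING = "[routing decision]"

# The three packet kinds from the excerpt: arriving for this host, arriving
# to be routed on to another interface, and generated by a local process.
# Simplification: the kernel re-checks the route after nat/OUTPUT rewrites a
# destination; that re-check is folded into the single marker used here.
PATHS = {
    "incoming": ["PREROUTING", ROUTING, "INPUT"],
    "forwarded": ["PREROUTING", ROUTING, "FORWARD", "POSTROUTING"],
    "outgoing": [ROUTING, "OUTPUT", "POSTROUTING"],
}


def traverse(kind: str) -> List[str]:
    """Ordered 'table/CHAIN' entries a packet of this kind passes through."""
    steps: List[str] = []
    for hook in PATHS[kind]:
        if hook == ROUTING:
            steps.append(ROUTING)
        else:
            steps.extend(f"{table}/{chain}" for table, chain in HOOKS[hook])
    return steps


def before_routing(kind: str, table_chain: str) -> bool:
    """True if the chain is hit before the routing decision for this kind.
    Shows why DNAT belongs in nat/PREROUTING and SNAT in nat/POSTROUTING."""
    steps = traverse(kind)
    if table_chain not in steps:
        raise ValueError(f"{table_chain} is not traversed by {kind} packets")
    return steps.index(table_chain) < steps.index(ROUTING)


if __name__ == "__main__":
    for kind in PATHS:
        print(f"{kind:>9}: " + " -> ".join(traverse(kind)))
```

Running it prints one line per packet kind; a chain that does not appear on a kind's line is one where a rule can never match that kind of packet.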


Reserved post 3


Looking back at the iptables, firewalls and so on that I mentioned before, that was all back in 2013, and now it is 2019! Time passes very quickly; another 5 years have gone by.

