User Tools

Site Tools


doc:howto:netfilter

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
doc:howto:netfilter [2014/02/16 09:29]
lorema
doc:howto:netfilter [2015/01/13 21:29] (current)
cdeez [Explanation]
Line 14: Line 14:
 Please have a look at this most excellent scheme: **[[http://​upload.wikimedia.org/​wikipedia/​commons/​3/​37/​Netfilter-packet-flow.svg|Netfilter Packet Flow]]** by Jan Engelhardt to understand how a packet traverses netfilter. The green stuff is the domain of ''​iptables''​ and ''​ip6tables'',​ while the blue stuff is being handled by ''​ebtables''​. Please have a look at this most excellent scheme: **[[http://​upload.wikimedia.org/​wikipedia/​commons/​3/​37/​Netfilter-packet-flow.svg|Netfilter Packet Flow]]** by Jan Engelhardt to understand how a packet traverses netfilter. The green stuff is the domain of ''​iptables''​ and ''​ip6tables'',​ while the blue stuff is being handled by ''​ebtables''​.
  
-Do not make the mistake to place your LAN on the left side and the Internet on the right side in your mind. They are both on both sides! When a packet enters the Linux Kernel (= that is the ingress buffer of the [[wp>​Network interface controller|NIC]] /​[[wp>​Wireless network interface controller|WNIC]]) it always comes in on the left side, regardless on which [[doc:​networking:​network.interfaces|interface]] it arrives. It traverses the network stack and then netfilter and when it leaves, it always leaves at the right side. While the packet traverses netfilter, netfilter looks for rules that match that network packet. When a rules matches a packet, that rule is being applied to that particular packet. This means the packet is being send to the TARGET specified in that rule. As soon as the network packet ​is matching ​a rule, this rule is being applied to it, and the packet stops traversing that table of netfilter! There are few exceptions to this behavior, e.g. the TARGETs ''​-j LOG'',​ ''​-j CUSTOM_CHAIN''​ or ''​-j MARK''​.+Do not make the mistake to place your LAN on the left side and the Internet on the right side in your mind. They are both on both sides! When a packet enters the Linux Kernel (= that is the ingress buffer of the [[wp>​Network interface controller|NIC]] /​[[wp>​Wireless network interface controller|WNIC]]) it always comes in on the left side, regardless on which [[doc:​networking:​network.interfaces|interface]] it arrives. It traverses the network stack and then netfilter and when it leaves, it always leaves at the right side. While the packet traverses netfilter, netfilter looks for rules that match that network packet. When a rule matches a packet, that rule is being applied to that particular packet. This means the packet is being sent to the TARGET specified in that rule. As soon as the network packet ​matches ​a rule, this rule is applied to it, and the packet stops traversing that table of netfilter! There are few exceptions to this behavior, e.g. the TARGETs ''​-j LOG'',​ ''​-j CUSTOM_CHAIN''​ or ''​-j MARK''​.
  
 ===== Configuration ===== ===== Configuration =====
Line 164: Line 164:
 | iptables-mod-hashlimit ​       |   ​| ​  5554 | iptables extensions for hashlimit matching Includes: - libipt_hashlimit ​ | | iptables-mod-hashlimit ​       |   ​| ​  5554 | iptables extensions for hashlimit matching Includes: - libipt_hashlimit ​ |
 | iptables-mod-imq ​             |   ​| ​  2220 | iptables extension for IMQ support. Includes: - libipt_IMQ, use it's successor => ''​[[http://​www.linuxfoundation.org/​collaborate/​workgroups/​networking/​ifb|kmod-ifb]]''​ | | iptables-mod-imq ​             |   ​| ​  2220 | iptables extension for IMQ support. Includes: - libipt_IMQ, use it's successor => ''​[[http://​www.linuxfoundation.org/​collaborate/​workgroups/​networking/​ifb|kmod-ifb]]''​ |
-| iptables-mod-ipopt ​           |   ​| ​ 22438 | iptables extensions for matching/​changing IP packet options. Includes: - libipt_CLASSIFY - libipt_dscp/​DSCP - libipt_ecn/​ECN - libipt_length - libipt_mac - libipt_mark/​MARK - libipt_statistic - libipt_tcpmms ​- libipt_tos/​TOS - libipt_ttl/​TTL - libipt_unclean ​ |+| iptables-mod-ipopt ​           |   ​| ​ 22438 | iptables extensions for matching/​changing IP packet options. Includes: - libipt_CLASSIFY - libipt_dscp/​DSCP - libipt_ecn/​ECN - libipt_length - libipt_mac - libipt_mark/​MARK - libipt_statistic - libipt_tcpmss ​- libipt_tos/​TOS - libipt_ttl/​TTL - libipt_unclean ​ |
 | iptables-mod-ipp2p ​           |   ​| ​  3315 | IPP2P iptables extension ​ | | iptables-mod-ipp2p ​           |   ​| ​  3315 | IPP2P iptables extension ​ |
 | iptables-mod-iprange ​         |   ​| ​  3627 | iptables extensions for matching ip ranges. Includes: - libipt_iprange ​ | | iptables-mod-iprange ​         |   ​| ​  3627 | iptables extensions for matching ip ranges. Includes: - libipt_iprange ​ |
doc/howto/netfilter.1392539368.txt.bz2 · Last modified: 2014/02/16 09:29 by lorema