• [network] netfilter


    netfilter 是什么?

    netfilter.org is home to the software of the packet filtering framework inside the Linux 2.4.x and later kernel series. 
    Software commonly associated with netfilter.org is iptables. Software inside this framework enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling.
    It is the re-designed and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems. netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack.
    A registered callback function is then called back for every packet that traverses the respective hook within the network stack. iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (
    iptables matches) and one connected action (iptables target). netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack) and the NAT subsystem together build the major parts of the framework.

    https://www.netfilter.org/

    HOOK HOWTO:

    https://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO.html

      阅读之前: Packet Filtering HOWTO: https://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html

        摘要:

        简单的原理,【重要】 https://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html

    Each rule specifies a set of conditions the packet must meet, and what to do if it meets them (a `target')

        iptables的使用【tutorial】: https://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-7.html

    For these you will be able to specify the new tests on the command line after the `-p' option, which will load the extension. For explicit new tests, use the `-m' option to load the extension, 
    after which the extended options will be available. The TCP extensions are automatically loaded
    if `-p tcp' is specified.

      再读 NAT HOWTO: https://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html

      怎么理解SNAT和DNAT的定义?

     I call this SNAT, because you change the source address of the first packet.

      

    I divide NAT into two different types: Source NAT (SNAT) and Destination NAT (DNAT).
    
    Source NAT is when you alter the source address of the first packet: i.e. you are changing where the connection is coming from. Source NAT is always done post-routing, 
    just before the packet goes out onto the wire. Masquerading is a specialized form of SNAT. Destination NAT is when you alter the destination address of the first packet: i.e. you are changing where the connection is going to.
    Destination NAT is always done before routing, when the packet first comes off the wire. Port forwarding, load sharing, and transparent proxying are all forms of DNAT.

      SNAT DNAT的定义是基于连接概念的。在有了连接概念的前提下。SNAT是指修改连接第一个包的源IP地址。DNAT是之修改连接第一个包的目的IP地址。而换一个角度,连接的第一个包都是从client发向server的。SNAT动作在包离开client局域网进入网线之前的那一刻触发(POST routing)。 DNAT在包到达目标网络进入server局域网之后的第一时间触发(PER routing)。 也就是说routing过程是NAT逻辑无关的。routing看见的所有地址都是本地地址。

      见这一段,用来印证以上解释。https://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-9.html

      另外,透明代理和DNAT神马关系?  透明代理要做DNAT。

      三个NAT的应用场景: 

    1. Modern Connections To The Internet
    2. Multiple Servers
    3. Transparent Proxying

      Masquerading & Redirection

    Masquerading
    There is a specialized case of Source NAT called masquerading: it should only be used for dynamically-assigned IP addresses, such as standard dialups 
    (for static IP addresses, use SNAT above). Redirection There is a specialized case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address
    of the incoming interface. ## Send incoming port-80 web traffic to our squid (transparent) proxy # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

      终于可以进入正题了。

      重点来了: Netfilter Architecture:  https://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html 

    五个HOOK点

    NF_IP_PRE_ROUTING
    NF_IP_FORWARD
    NF_IP_POST_ROUTING
    NF_IP_LOCAL_IN
    NF_IP_LOCAL_OUT

    HOOK的返回值:

    NF_ACCEPT: continue traversal as normal.
    NF_DROP: drop the packet; don't continue traversal.
    NF_STOLEN: I've taken over the packet; don't continue traversal.
    NF_QUEUE: queue the packet (usually for userspace handling).
    NF_REPEAT: call this hook again.

      tables 就是对挂在hook上面的函数的分类,分为 filter,nat,mangle等(更详细的table功能定义可以见 man tables 命令)

      见:https://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html#ss3.2

      见图:

       --->PRE------>[ROUTE]--->FWD---------->POST------>
           Conntrack    |       Mangle   ^    Mangle
           Mangle       |       Filter   |    NAT (Src)
           NAT (Dst)    |                |    Conntrack
           (QDisc)      |             [ROUTE]
                        v                |
                        IN Filter       OUT Conntrack
                        |  Conntrack     ^  Mangle
                        |  Mangle        |  NAT (Dst)
                        v                |  Filter

      netfitler的kernel入口:https://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-4.html

      结合代码:linux.git/net/netfilter/ipvs/ip_vs_core.c

      其他:

      

    ┬─[tong@T7:~/Src/thirdparty/linux.git]─[05:05:06 PM]
    ╰─>$ vim /etc/protocols 
    ┬─[tong@T7:~/Src/thirdparty/linux.git]─[05:05:28 PM]
    ╰─>$ man protocols

      如何写一个 netfilter的module: https://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-4.html#ss4.6

      内容有点旧了,和最新的kernal代码对应不起来。

      有助于理解forward:https://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-6.html

    完。

    自然会想到 firewalld: https://firewalld.org/

  • 相关阅读:
    算法题:单调递增的数字
    算法题:搜索旋转排序数组
    算法题:K个一组翻转链表
    django错误
    virtualenvwrapper出错
    谷歌浏览器css样式不显示问题
    Python爬取豆瓣电子书信息
    flask secret key的作用
    【Hibernate】--实体状体与主键生成策略
    【Struts2+Spring3+Hibernate3】SSH框架整合实现CRUD_1.3
  • 原文地址:https://www.cnblogs.com/hugetong/p/9245005.html
Copyright © 2020-2023  润新知