BBS水木清华站∶精华区

发信人: zixia (Do you zixia tonight), 信区: Linux
标  题: 6. How Packets Traverse The Filters
发信站: BBS 水木清华站 (Wed Oct 11 01:17:47 2000) WWW-POST

   Linux 2.4 Packet Filtering HOWTO: How Packets Traverse The Filters (p1 of
2)
   Next Previous Contents
Lin                                                                   here a
Ma
   mo----------------------------------------------------------------------o

6. How Packets Traverse The Filters

3.1The kernel starts with three lists of rules in the `filter' table; these
   lists are called firewall chains or just chains. The three chains are
   called INPUT, OUTPUT and FORWARD.

   This is very different from how the 2.0 and 2.2 kernels worked!

   For ASCII-art fans, the chains are arranged like so:

                           _____                                          e,
Incoming                 /     \         Outgoing
        -->[Routing ]--->|FORWARD|------->                               the
           [Decision]     \_____/        ^                                 e
                |                        |
on
                v                       ____
               ___                     /    \
              /   \                  |OUTPUT|
             |INPUT|                  \____/
              \___/                      ^
                |                        |
                 ----> Local Process ----

   The three circles represent the three chains mentioned above. When a
n
   packet reaches a circle in the diagram, that chain is examined to decide
   the fate of the packet. If the chain says to DROP the packet, it is
killed
   there, but if the chain says to ACCEPT the packet, it continues
traversing
   the diagram.

   A chain is a checklist of rules. Each rule says `if the packet header
   looks like this, then here's what to do with the packet'. If the rule
   doesn't match the packet, then the next rule in the chain is consulted.
   Finally, if there are no more rules to consult, then the kernel looks at
   the chain policy to decide what to do. In a security-conscious system,
   this policy usually tells the kernel to DROP the packet.

    1. When a packet comes in (say, through the Ethernet card) the kernel
           first looks at the destination of the packet: this is called
Lin    `routing'.                                                     here a
M
   m2. If it's destined for this box, the packet passes downwards in the   o
       diagram, to the INPUT chain. If it passes this, any processes waiting
       for that packet will receive it.
    3. Otherwise, if the kernel does not have forwarding enabled, or it
3.1    doesn't know how to forward the packet, the packet is dropped. If
       forwarding is enabled, and the packet is destined for another network
       interface (if you have another one), then the packet goes rightwards
       on our diagram to the FORWARD chain. If it is ACCEPTed, it will be
       sent out.
    4. Finally, a program running on the box can send network packets. These
       packets pass through the OUTPUT chain immediately: if it says ACCEPT,
       then the packet continues out to whatever interface it is destined
       for.                                                               e,

     ----------------------------------------------------------------------e
                                                                           e
   Next Previous Contents                                                  on
--
)))))))))))))))))))))))))))))))))))))))))))))))))))
        ((((((((((((生命的欢喜可以再影印一张吗?((((((((((((
        ))))))))))))老去的热情可以再拉皮整形吗?))))))))))))
        ((((((((((((病中的真理可以再传真校对吗?((((((((((((
        ))))))))))))死掉的爱情可以再输入键出吗?))))))))))))
        (((((((((((((((((((((((((((((((((((((((((((((((((((

※ 来源:·BBS 水木清华站 smth.org·[FROM: 202.112.45.49]