[network] netfilter
netfilter 是什么?
netfilter.org is home to the software of the packet filtering framework inside the Linux 2.4.x and later kernel series.
Software commonly associated with netfilter.org is iptables. Software inside this framework enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling.
It is the re-designed and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems. netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack.
A registered callback function is then called back for every packet that traverses the respective hook within the network stack. iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (
iptables matches) and one connected action (iptables target). netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack) and the NAT subsystem together build the major parts of the framework.
https://www.netfilter.org/
HOOK HOWTO:
https://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO.html
阅读之前: Packet Filtering HOWTO: https://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html
摘要:
简单的原理,【重要】 https://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html
Each rule specifies a set of conditions the packet must meet, and what to do if it meets them (a `target')
iptables的使用【tutorial】: https://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-7.html
For these you will be able to specify the new tests on the command line after the `-p' option, which will load the extension. For explicit new tests, use the `-m' option to load the extension,
after which the extended options will be available. The TCP extensions are automatically loaded if `-p tcp' is specified.
再读 NAT HOWTO: https://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html
怎么理解SNAT和DNAT的定义?
I call this SNAT, because you change the source address of the first packet.
I divide NAT into two different types: Source NAT (SNAT) and Destination NAT (DNAT). Source NAT is when you alter the source address of the first packet: i.e. you are changing where the connection is coming from. Source NAT is always done post-routing,
just before the packet goes out onto the wire. Masquerading is a specialized form of SNAT. Destination NAT is when you alter the destination address of the first packet: i.e. you are changing where the connection is going to.
Destination NAT is always done before routing, when the packet first comes off the wire. Port forwarding, load sharing, and transparent proxying are all forms of DNAT.
SNAT DNAT的定义是基于连接概念的。在有了连接概念的前提下。SNAT是指修改连接第一个包的源IP地址。DNAT是之修改连接第一个包的目的IP地址。而换一个角度,连接的第一个包都是从client发向server的。SNAT动作在包离开client局域网进入网线之前的那一刻触发(POST routing)。 DNAT在包到达目标网络进入server局域网之后的第一时间触发(PER routing)。 也就是说routing过程是NAT逻辑无关的。routing看见的所有地址都是本地地址。
见这一段,用来印证以上解释。https://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-9.html
另外,透明代理和DNAT神马关系? 透明代理要做DNAT。
三个NAT的应用场景:
1. Modern Connections To The Internet
2. Multiple Servers
3. Transparent Proxying
Masquerading & Redirection
Masquerading There is a specialized case of Source NAT called masquerading: it should only be used for dynamically-assigned IP addresses, such as standard dialups
(for static IP addresses, use SNAT above). Redirection There is a specialized case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address
of the incoming interface. ## Send incoming port-80 web traffic to our squid (transparent) proxy # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \ -j REDIRECT --to-port 3128
终于可以进入正题了。
重点来了: Netfilter Architecture: https://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html
五个HOOK点
NF_IP_PRE_ROUTING
NF_IP_FORWARD
NF_IP_POST_ROUTING
NF_IP_LOCAL_IN
NF_IP_LOCAL_OUT
HOOK的返回值:
NF_ACCEPT: continue traversal as normal. NF_DROP: drop the packet; don't continue traversal. NF_STOLEN: I've taken over the packet; don't continue traversal. NF_QUEUE: queue the packet (usually for userspace handling). NF_REPEAT: call this hook again.
tables 就是对挂在hook上面的函数的分类,分为 filter,nat,mangle等(更详细的table功能定义可以见 man tables 命令)
见:https://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html#ss3.2
见图:
--->PRE------>[ROUTE]--->FWD---------->POST------> Conntrack | Mangle ^ Mangle Mangle | Filter | NAT (Src) NAT (Dst) | | Conntrack (QDisc) | [ROUTE] v | IN Filter OUT Conntrack | Conntrack ^ Mangle | Mangle | NAT (Dst) v | Filter
netfitler的kernel入口:https://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-4.html
结合代码:linux.git/net/netfilter/ipvs/ip_vs_core.c
其他:
┬─[tong@T7:~/Src/thirdparty/linux.git]─[05:05:06 PM] ╰─>$ vim /etc/protocols ┬─[tong@T7:~/Src/thirdparty/linux.git]─[05:05:28 PM] ╰─>$ man protocols
如何写一个 netfilter的module: https://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-4.html#ss4.6
内容有点旧了,和最新的kernal代码对应不起来。
有助于理解forward:https://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-6.html
完。
自然会想到 firewalld: https://firewalld.org/