226 lines
4.6 KiB
HTML
226 lines
4.6 KiB
HTML
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Three Ways We Can Do Filtering</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.57"><LINK
|
|
REL="HOME"
|
|
TITLE="Linux Network Administrators Guide"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="TCP/IP Firewall"
|
|
HREF="x-087-2-firewall.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Setting Up Linux for Firewalling"
|
|
HREF="x-087-2-firewall.howto.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Original IP Firewall (2.0 Kernels)"
|
|
HREF="x-087-2-firewall.original.html"></HEAD
|
|
><BODY
|
|
CLASS="SECT1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Linux Network Administrators Guide</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="x-087-2-firewall.howto.html"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
>Chapter 9. TCP/IP Firewall</TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="x-087-2-firewall.original.html"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="SECT1"
|
|
><H1
|
|
CLASS="SECT1"
|
|
><A
|
|
NAME="X-087-2-FIREWALL.FILTERINGMETHODS"
|
|
>9.5. Three Ways We Can Do Filtering</A
|
|
></H1
|
|
><P
|
|
>Consider how a Unix machine, or in fact any machine capable of IP routing,
|
|
processes IP datagrams. The basic steps, shown in <A
|
|
HREF="x-087-2-firewall.filteringmethods.html#X-087-2-FIREWALL.METHODS.GRAPHIC"
|
|
>Figure 9-2</A
|
|
> are:</P
|
|
><DIV
|
|
CLASS="FIGURE"
|
|
><A
|
|
NAME="X-087-2-FIREWALL.METHODS.GRAPHIC"
|
|
></A
|
|
><P
|
|
><B
|
|
>Figure 9-2. The stages of IP datagram processing</B
|
|
></P
|
|
><P
|
|
><IMG
|
|
SRC="lag2_0902.jpg"></P
|
|
></DIV
|
|
><P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
>The IP datagram is received. (1)</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>The incoming IP datagram is examined to determine if it is destined for a
|
|
process on this machine.</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>If the datagram is for this machine, it is processed locally. (2)</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>If it is not destined for this machine, a search is made of the routing table
|
|
for an appropriate route and the datagram is forwarded to the appropriate
|
|
interface or dropped if no route can be found. (3)</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Datagrams from local processes are sent to the routing software for forwarding
|
|
to the appropriate interface. (4)</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>The outgoing IP datagram is examined to determine if there is a valid route
|
|
for it to take, if not, it is dropped.</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>The IP datagram is transmitted. (5)</P
|
|
></LI
|
|
></UL
|
|
><P
|
|
>In our diagram, the flow 1→3→5 represents our machine
|
|
routing data between a host on our Ethernet network to a host
|
|
reachable via our PPP link. The flows 1→2 and 4→5 represent
|
|
the data input and output flows of a network program running on our
|
|
local host. The flow 4→3→2 would represent data flow via a
|
|
loopback connection. Naturally data flows both into and out of network
|
|
devices. The question marks on the diagram represent the points where
|
|
the IP layer makes routing decisions.</P
|
|
><P
|
|
>The Linux kernel IP firewall is capable of applying filtering at various
|
|
stages in this process. That is, you can filter the IP datagrams that come in
|
|
to your machine, filter those datagrams being forwarded across your
|
|
machine, and filter those datagrams that are ready to be transmitted.</P
|
|
><P
|
|
>In <B
|
|
CLASS="COMMAND"
|
|
>ipfwadm</B
|
|
> and <B
|
|
CLASS="COMMAND"
|
|
>ipchains</B
|
|
>, an
|
|
Input rule applies to flow 1 on the diagram, a Forwarding rule to flow
|
|
3, and an Output rule to flow 5. We'll see when we discuss
|
|
<I
|
|
CLASS="EMPHASIS"
|
|
>netfilter</I
|
|
> later that the points of interception
|
|
have changed so that an Input rule is applied at flow 2, and an
|
|
Output rule is applied at flow 4. This has important implications for
|
|
how you structure your rulesets, but the general principle holds true
|
|
for all versions of Linux firewalling.</P
|
|
><P
|
|
>This may seem unnecessarily complicated at first, but it provides flexibility
|
|
that allows some very sophisticated and powerful configurations to be built.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="x-087-2-firewall.howto.html"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="x-087-2-firewall.original.html"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Setting Up Linux for Firewalling</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="x-087-2-firewall.html"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Original IP Firewall (2.0 Kernels)</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |