Security basics: simple analytical framework for Linux system firewall
Add Date : 2017-08-31
Netfilter is an abstract, general-purpose framework provided by the Linux kernel. One of the sub-functions implemented inside this framework is the packet filtering subsystem. The framework consists of the following five parts:

Key points

1. For each network protocol (IPv4, IPv6, etc.) a set of hook points is defined (IPv4 defines 5 hook points). These are well-defined points on the path a packet takes through the protocol stack. At each of them, the protocol stack calls into the Netfilter framework with the packet and the hook number as parameters.

2. A kernel module can register for any hook of any protocol, attaching its own handler there. When a packet is passed to the Netfilter framework, the framework checks whether any module has registered for this protocol and hook. If so, each registered module's callback is invoked in turn, giving those modules the chance to inspect (and possibly modify) the packet, to discard it, or to instruct Netfilter to queue the packet to user space.

3. Queued packets are delivered to user space for asynchronous processing. A user-space process can inspect the packet, modify it, and even reinject it into the kernel through the same hook at which it left the kernel.

4. Any IP packet that the IP layer is about to discard must first pass through a check before it is actually dropped. This lets a module, for example, inspect IP-spoofed packets (which would otherwise be discarded by routing).

5. The five HOOK points at the IP layer are as follows:

(1) NF_IP_PRE_ROUTING: packets that have just entered the network layer pass this point (version number, checksum and other checks have just been completed); destination address translation is done here; called from ip_rcv() in ip_input.c;

(2) NF_IP_LOCAL_IN: after the routing lookup, packets destined for this machine pass this checkpoint; INPUT packet filtering is done here; called from ip_local_deliver();

(3) NF_IP_FORWARD: packets that are to be forwarded pass this checkpoint; FORWARD packet filtering is done here;

(4) NF_IP_POST_ROUTING: all packets about to leave through a network device pass this checkpoint; the built-in source address translation (including masquerading) is done here;

(5) NF_IP_LOCAL_OUT: packets sent by local processes pass this checkpoint; OUTPUT packet filtering is done here.

These points are already well defined in the kernel. A kernel module can register a handler at any of these HOOK points with the nf_register_hook() function. Once the hook function has been called on a packet, and has possibly modified it, it returns one of the following values to Netfilter:

NF_ACCEPT   continue normal transmission of the packet
NF_DROP     discard the packet; do not transmit it
NF_STOLEN   the module has taken over the packet; do not continue to transmit it
NF_QUEUE    queue the packet (typically so that a user-space process can handle it)
NF_REPEAT   call this hook function again
Built on Netfilter, the packet selection system called iptables is used in the Linux 2.4 kernel. It is in fact the successor of ipchains, but more extensible. Kernel modules can register a new rule table (table) and request that packets flow through the specified table. This packet selection is used to implement packet filtering (the filter table), network address translation (the nat table) and packet mangling (the mangle table). All three of these packet processing functions in the Linux 2.4 kernel are based on the Netfilter hook functions and IP tables. They are separate modules, independent of each other, and they integrate cleanly into the framework that Netfilter provides.

Packet filtering

The filter table does not modify packets; it only filters them. One way iptables improves on ipchains is that it is more compact and faster. It attaches to the Netfilter framework through the hooks NF_IP_LOCAL_IN, NF_IP_FORWARD and NF_IP_LOCAL_OUT, so any given packet is filtered in exactly one place. This is a huge improvement over ipchains, where a forwarded datagram traversed three chains.


Network Address Translation (NAT)

The nat table watches three Netfilter hooks: NF_IP_PRE_ROUTING, NF_IP_POST_ROUTING and NF_IP_LOCAL_OUT. NF_IP_PRE_ROUTING implements destination address NAT for datagrams that need to be forwarded, and NF_IP_POST_ROUTING implements source address translation for packets that need to be forwarded. Destination address translation for locally generated packets is implemented at NF_IP_LOCAL_OUT. The nat table differs from the filter table in that only the first packet of a new connection traverses the table; subsequent packets of that connection receive the same translation, based on the result for the first packet. The nat table is used for source NAT, destination NAT, masquerading (a special case of source NAT) and transparent proxying (a special case of destination NAT).

Datagram processing (Packet Mangling)

The mangle table registers at the NF_IP_PRE_ROUTING and NF_IP_LOCAL_OUT hooks. Using the mangle table, you can modify packets or attach some out-of-band data to them. The mangle table currently supports modifying the TOS field and setting the skb's nfmark field.

Source code analysis

If we want to add our own code, we use the nf_register_hook() function, whose prototype is:

 int nf_register_hook(struct nf_hook_ops *reg);

 struct nf_hook_ops
 {
         struct list_head list;

         /* User fills in from here down. */
         nf_hookfn *hook;
         int pf;
         int hooknum;
         /* Hooks are ordered in ascending priority. */
         int priority;
 };
Our job is to create an instance of struct nf_hook_ops and hook it in with nf_register_hook(). The list member is always initialised to {NULL, NULL}. Since we usually work at the IP layer, pf is always PF_INET. hooknum is the HOOK point of our choice. Several handlers may hang off one HOOK point; they are ordered by priority, which is what the priority member specifies. netfilter_ipv4.h defines an enumerated type that specifies the priorities of the built-in handlers:

 enum nf_ip_hook_priorities {
The hook handler itself is the main piece of work; its prototype is:

 unsigned int nf_hookfn(unsigned int hooknum,
                        struct sk_buff **skb,
                        const struct net_device *in,
                        const struct net_device *out,
                        int (*okfn)(struct sk_buff *));
The five parameters are passed in by the NF_HOOK macro. nf_register_hook() finds the right position in nf_hooks according to the protocol family and the priority given in reg, and inserts the entry into that table. nf_hooks[NPROTO][NF_MAX_HOOKS] is initialised as an empty table during Netfilter initialisation (netfilter_init() in netfilter.c, which is called from sock_init()).
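The two mechanisms described so far, the verdict values a hook returns (NF_ACCEPT, NF_DROP, NF_STOLEN, NF_QUEUE, NF_REPEAT) and the priority-ordered insertion that nf_register_hook() performs into nf_hooks, can be seen together in the following user-space model. It is an added example, not kernel code and not taken from the original article: the packet type, the four handlers, the LOCAL_ADDR address and the ports are constructed for the demonstration, and fixed arrays stand in for the kernel's list_head chains. It shows that handlers at one hook point run in ascending priority order regardless of registration order, that an anti-spoofing check at NF_IP_PRE_ROUTING stops a packet before any NF_IP_LOCAL_IN handler sees it, and how NF_REPEAT re-invokes the same handler.

```c
/* Added user-space model (not kernel code) of the Netfilter hook table: the
 * priority-ordered insertion nf_register_hook() does and the verdict handling
 * listed above. Packet type, handlers, addresses and ports are all constructed. */
#include <stdio.h>
#include <string.h>

enum { NF_DROP, NF_ACCEPT, NF_STOLEN, NF_QUEUE, NF_REPEAT };   /* kernel verdict values */
enum { NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD,
       NF_IP_LOCAL_OUT, NF_IP_POST_ROUTING, NF_IP_NUMHOOKS };
enum { PF_INET = 2, NPROTO = 32, NF_MAX_HOOKS = 8, MAX_PER_POINT = 8 };

/* stand-in for struct sk_buff carrying only what the handlers inspect */
struct pkt { const char *saddr; const char *daddr; int dport; int tries; };
typedef unsigned int nf_hookfn(unsigned int hooknum, struct pkt *skb);
struct nf_hook_ops { nf_hookfn *hook; int pf; int hooknum; int priority; };

/* nf_hooks[pf][hooknum]: fixed arrays here instead of the kernel's list_head chains */
static struct nf_hook_ops *nf_hooks[NPROTO][NF_MAX_HOOKS][MAX_PER_POINT];
static int nf_hook_count[NPROTO][NF_MAX_HOOKS];

/* insert reg so that its chain stays sorted by ascending priority */
int nf_register_hook(struct nf_hook_ops *reg)
{
    if (reg->pf < 0 || reg->pf >= NPROTO || reg->hooknum < 0 || reg->hooknum >= NF_MAX_HOOKS)
        return -1;
    struct nf_hook_ops **chain = nf_hooks[reg->pf][reg->hooknum];
    int n = nf_hook_count[reg->pf][reg->hooknum], i = n;
    if (n == MAX_PER_POINT)
        return -1;
    for (; i > 0 && chain[i - 1]->priority > reg->priority; i--)
        chain[i] = chain[i - 1];                     /* shift higher-priority entries up */
    chain[i] = reg;
    nf_hook_count[reg->pf][reg->hooknum] = n + 1;
    return 0;
}

/* walk one hook point's chain, combining verdicts the way nf_iterate() does */
unsigned int nf_hook(int pf, unsigned int hooknum, struct pkt *skb)
{
    struct nf_hook_ops **chain = nf_hooks[pf][hooknum];
    for (int i = 0; i < nf_hook_count[pf][hooknum]; i++) {
        unsigned int verdict = chain[i]->hook(hooknum, skb);
        if (verdict == NF_ACCEPT) continue;           /* hand on to the next handler */
        if (verdict == NF_REPEAT) { i--; continue; }  /* call the same handler again */
        return verdict;                               /* DROP, STOLEN or QUEUE ends the walk */
    }
    return NF_ACCEPT;
}

/* --- constructed handlers; 'trace' records the order in which they ran --- */
static char trace[32];
#define LOCAL_ADDR "192.0.2.10"                      /* constructed: this host's own address */

/* PRE_ROUTING: drop packets that claim our own address as their source */
static unsigned int antispoof_hook(unsigned int hooknum, struct pkt *skb)
{   (void)hooknum; strcat(trace, "S");
    return strcmp(skb->saddr, LOCAL_ADDR) == 0 ? NF_DROP : NF_ACCEPT; }
/* LOCAL_IN, filter priority: refuse telnet to this host */
static unsigned int filter_hook(unsigned int hooknum, struct pkt *skb)
{   (void)hooknum; strcat(trace, "F");
    return skb->dport == 23 ? NF_DROP : NF_ACCEPT; }
/* LOCAL_IN, after the filter: hand port 9000 traffic to a user-space process */
static unsigned int queue_hook(unsigned int hooknum, struct pkt *skb)
{   (void)hooknum; strcat(trace, "Q");
    return skb->dport == 9000 ? NF_QUEUE : NF_ACCEPT; }
/* LOCAL_IN, first: return NF_REPEAT once so the re-invocation path is exercised */
static unsigned int repeat_hook(unsigned int hooknum, struct pkt *skb)
{   (void)hooknum; strcat(trace, "R");
    return skb->tries++ == 0 ? NF_REPEAT : NF_ACCEPT; }

static struct nf_hook_ops demo_ops[] = {
    { queue_hook,     PF_INET, NF_IP_LOCAL_IN,     100 },  /* registered first ... */
    { filter_hook,    PF_INET, NF_IP_LOCAL_IN,       0 },  /* ... but sorted to run after these */
    { repeat_hook,    PF_INET, NF_IP_LOCAL_IN,    -200 },
    { antispoof_hook, PF_INET, NF_IP_PRE_ROUTING, -200 },
};

int setup_hooks(void)
{
    static int done;
    if (done) return 0;
    for (size_t i = 0; i < sizeof demo_ops / sizeof demo_ops[0]; i++)
        if (nf_register_hook(&demo_ops[i]) != 0) return -1;
    done = 1; return 0;
}

/* receive path of a packet addressed to this host: PRE_ROUTING, then LOCAL_IN */
unsigned int verdict_for(const char *saddr, int dport)
{
    struct pkt skb = { saddr, LOCAL_ADDR, dport, 0 };
    if (setup_hooks() != 0) return NF_DROP;
    trace[0] = '\0';
    unsigned int v = nf_hook(PF_INET, NF_IP_PRE_ROUTING, &skb);
    return v == NF_ACCEPT ? nf_hook(PF_INET, NF_IP_LOCAL_IN, &skb) : v;
}
const char *last_trace(void) { return trace; }

int main(void)
{
    printf("telnet verdict %u, handlers run: %s\n", verdict_for("198.51.100.7", 23), last_trace());
    printf("spoofed verdict %u, handlers run: %s\n", verdict_for(LOCAL_ADDR, 80), last_trace());
    return 0;
}
```

With the constructed handlers, a spoofed packet (source equal to LOCAL_ADDR) is dropped at NF_IP_PRE_ROUTING and no NF_IP_LOCAL_IN handler runs; a telnet packet passes the spoof check, triggers one NF_REPEAT, and is then dropped by the filter handler; port 9000 traffic reaches the queue handler and returns NF_QUEUE. The real kernel walks a list_head chain and passes the sk_buff pointer and net_device arguments the prototype above shows; the ordering and verdict rules are the same.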

For example, iptables registers its own hook functions by calling nf_register_hook() during initialisation (init() in iptable_filter.c):

 static struct nf_hook_ops ipt_ops[] =
 { { NULL, NULL }, ipt_local_out_hook, PF_INET, NF_IP_LOCAL_OUT,

The mangle table registers its own hook functions in init() in iptable_mangle.c:

 static struct nf_hook_ops ipt_ops[] =
 { { NULL, NULL }, ipt_local_out_hook, PF_INET, NF_IP_LOCAL_OUT,
NAT registers its own hook functions in init() in ip_nat_standalone.c:

 /* Before packet filtering, change the destination address */
 static struct nf_hook_ops ip_nat_in_ops
  CopyRight 2002-2020 newfreesoft.com, All Rights Reserved.