From 3b9623a36ed6fb3eea204a478b5a8a2e64f8091d Mon Sep 17 00:00:00 2001 From: test2 Date: Wed, 13 Nov 2019 01:21:14 +0200 Subject: [PATCH] iptables --- sec/ex-3a_iptables-flow-chart.adoc | 25 +++---------------------- 1 file changed, 3 insertions(+), 22 deletions(-) diff --git a/sec/ex-3a_iptables-flow-chart.adoc b/sec/ex-3a_iptables-flow-chart.adoc index d7aa6d7..d23192f 100644 --- a/sec/ex-3a_iptables-flow-chart.adoc +++ b/sec/ex-3a_iptables-flow-chart.adoc @@ -33,7 +33,7 @@ Then the packet starts to go through a series of steps in the kernel, before it |1| | | On the wire (e.g., Internet) |2| | | Comes in on the interface (e.g., eth0) |3| raw| PREROUTING| This chain is used to handle packets before the connection tracking takes place. It can be used to set a specific connection not to be handled by the connection tracking code for example. -|4| | | This is when the connection tracking code takes place as discussed in the The state machine chapter. +|4| | | This is when the connection tracking code takes place |5| mangle| PREROUTING| This chain is normally used for mangling packets, i.e., changing TOS and so on. |6| nat| PREROUTING| This chain is used for DNAT mainly. Avoid filtering in this chain since it will be bypassed in certain cases. |7| | | Routing decision, i.e., is the packet destined for our local host or to be forwarded and where. 
@@ -51,7 +51,7 @@ Then the packet starts to go through a series of steps in the kernel, before it |1| | | Local process/application (i.e., server/client program) |2| | | Routing decision. What source address to use, what outgoing interface to use, and other necessary information that needs to be gathered. |3| raw| OUTPUT| This is where you do work before the connection tracking has taken place for locally generated packets. You can mark connections so that they will not be tracked for example. -|4| | | This is where the connection tracking takes place for locally generated packets, for example state changes et cetera. This is discussed in more detail in the The state machine chapter. +|4| | | This is where the connection tracking takes place for locally generated packets, for example state changes et cetera. |5| mangle| OUTPUT| This is where we mangle packets, it is suggested that you do not filter in this chain since it can have side effects. |6| nat| OUTPUT| This chain can be used to NAT outgoing packets from the firewall itself. |7| | | Routing decision, since the previous mangle and nat changes may have changed how the packet should be routed. 
@@ -74,7 +74,7 @@ In this example, we're assuming that the packet is destined for another host on |1| | | On the wire (i.e., Internet) |2| | | Comes in on the interface (i.e., eth0) |3| raw| PREROUTING| Here you can set a connection to not be handled by the connection tracking system. -|4| | | This is where the non-locally generated connection tracking takes place, and is also discussed more in detail in the The state machine chapter. +|4| | | This is where the non-locally generated connection tracking takes place. |5| mangle| PREROUTING| This chain is normally used for mangling packets, i.e., changing TOS and so on. |6| nat| PREROUTING| This chain is used for DNAT mainly. SNAT is done further on. Avoid filtering in this chain since it will be bypassed in certain cases. |7| | | Routing decision, i.e., is the packet destined for our local host or to be forwarded and where. @@ -87,28 +87,9 @@ In this example, we're assuming that the packet is destined for another host on |=== -[appendix] -== How to use iptables -Shorewall is not the easiest to use of the available iptables configuration tools but I believe that it is the most flexible and powerful. - -It can handle complex and fast changing network environments. - -It needs multiple configuration files, even for simple setups. - -Suitable for powerusers! - Most likely there are a lot of these among our Students :-) - -Shorewall is very popular! - - - - - -https://wiki.archlinux.org[Origin] - -
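Review bot: in the first hunk (line 36 of sec/ex-3a_iptables-flow-chart.adoc) the rewritten cell `|4| | | This is when the connection tracking code takes place` drops the trailing period that every other description cell in this table keeps, including the corresponding step 4 cells in the two later hunks; suggest `This is when the connection tracking code takes place.` so the table stays consistent. The commit message ("iptables") also gives no reason for removing the three references to "The state machine chapter"; a one-line note that the referenced chapter is not part of this document (or was removed) would make the intent reviewable.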
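Review bot: in the second hunk (line 54) the rewritten cell still ends with the loose wording `for example state changes et cetera.`; since the trailing cross-reference is gone, this is a good moment to tighten it to `for example state changes.` so it reads like the other step descriptions.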
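Review bot: in the fourth hunk (lines 87-114) the deletion of the Shorewall appendix also removes the `https://wiki.archlinux.org[Origin]` link, which is the only source attribution left on this page; if the flow-chart content is derived from that page, the link should be kept (moved above the appendix or to the end of the remaining text) rather than deleted with the appendix. The hunk also drops more than the subject line suggests: removing a whole `[appendix]` section under a commit titled only "iptables" should be called out in the message, and the commented-out and trailing blank lines being removed indicate the file previously had stray whitespace at its end, so check that the file still ends with a single newline.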