Linux Network Administrators Guide
Prev Chapter 9. TCP/IP Firewall Next
Consider how a Unix machine, or in fact any machine capable of IP routing, processes IP datagrams. The basic steps, shown in Figure 9-2 are:
Figure 9-2. The stages of IP datagram processing
In our diagram, the flow 1?3?5 represents our machine routing data between a host on our Ethernet network to a host reachable via our PPP link. The flows 1?2 and 4?5 represent the data input and output flows of a network program running on our local host. The flow 4?3?2 would represent data flow via a loopback connection. Naturally data flows both into and out of network devices. The question marks on the diagram represent the points where the IP layer makes routing decisions.
The Linux kernel IP firewall is capable of applying filtering at various stages in this process. That is, you can filter the IP datagrams that come in to your machine, filter those datagrams being forwarded across your machine, and filter those datagrams that are ready to be transmitted.
In ipfwadm and ipchains , an Input rule applies to flow 1 on the diagram, a Forwarding rule to flow 3, and an Output rule to flow 5. We'll see when we discuss netfilter later that the points of interception have changed so that an Input rule is applied at flow 2, and an Output rule is applied at flow 4. This has important implications for how you structure your rulesets, but the general principle holds true for all versions of Linux firewalling.
This may seem unnecessarily complicated at first, but it provides flexibility that allows some very sophisticated and powerful configurations to be built.
Prev Home Next
Setting Up Linux for Firewalling Up Original IP Firewall (2.0 Kernels)
* License
* Linux Network Administrators Guide Guide Index
Prev Chapter 9. TCP/IP Firewall Next
9.5. Three Ways We Can Do Filtering
Consider how a Unix machine, or in fact any machine capable of IP routing, processes IP datagrams. The basic steps, shown in Figure 9-2 are:
Figure 9-2. The stages of IP datagram processing
- The IP datagram is received. (1)
- The incoming IP datagram is examined to determine if it is destined for a process on this machine.
- If the datagram is for this machine, it is processed locally. (2)
- If it is not destined for this machine, a search is made of the routing table for an appropriate route and the datagram is forwarded to the appropriate interface or dropped if no route can be found. (3)
- Datagrams from local processes are sent to the routing software for forwarding to the appropriate interface. (4)
- The outgoing IP datagram is examined to determine if there is a valid route for it to take, if not, it is dropped.
- The IP datagram is transmitted. (5)
In our diagram, the flow 1?3?5 represents our machine routing data between a host on our Ethernet network to a host reachable via our PPP link. The flows 1?2 and 4?5 represent the data input and output flows of a network program running on our local host. The flow 4?3?2 would represent data flow via a loopback connection. Naturally data flows both into and out of network devices. The question marks on the diagram represent the points where the IP layer makes routing decisions.
The Linux kernel IP firewall is capable of applying filtering at various stages in this process. That is, you can filter the IP datagrams that come in to your machine, filter those datagrams being forwarded across your machine, and filter those datagrams that are ready to be transmitted.
In ipfwadm and ipchains , an Input rule applies to flow 1 on the diagram, a Forwarding rule to flow 3, and an Output rule to flow 5. We'll see when we discuss netfilter later that the points of interception have changed so that an Input rule is applied at flow 2, and an Output rule is applied at flow 4. This has important implications for how you structure your rulesets, but the general principle holds true for all versions of Linux firewalling.
This may seem unnecessarily complicated at first, but it provides flexibility that allows some very sophisticated and powerful configurations to be built.
Prev Home Next
Setting Up Linux for Firewalling Up Original IP Firewall (2.0 Kernels)
* License
* Linux Network Administrators Guide Guide Index
SHARE
