Category: Networking and Security

2006-11-22 13:47:27

Understanding how a packet traverses the Linux kernel helps when learning netfilter/iptables. netfilter is the mechanism the Linux kernel has used since version 2.4 to implement firewall functionality; the framework performs packet filtering, network address translation (NAT) and other operations on packets. The diagram below can be kept at hand as a practical reference.
                            Network
                    -----------+-----------
                               |              
                     +---------+---------+
                     |     [IPTABLES]    |
                     |    [PREROUTING]   |
                     | +-------+-------+ |
                     | |   conntrack   | |
                     | +-------+-------+ |
                     | |    mangle     | | <- MARK WRITE  
                     | +-------+-------+ |
                     | |      IMQ      | |
                     | +-------+-------+ |
                     | |      nat      | | <- DEST REWRITE
                     | +-------+-------+ |     DNAT or REDIRECT or DE-MASQUERADE
                     +---------+---------+
                               |
                       +-------+-------+
                       |      QOS      |
                       |    INGRESS    |
                       +-------+-------+
                               |
         packet is for +-------+-------+ packet is for
          this machine |     INPUT     | another address
        +--------------+    ROUTING    +-------------------+
        |              |    + PDBB     |                   |
        |              +---------------+                   |
+-------+-------+                                          |
|  [IPTABLES]   |                                          |
|    [INPUT]    |                                          |
| +-----+-----+ |                                          |
| |   mangle  | |                                          |
| +-----+-----+ |                                          |
| |   filter  | |                                          |
| +-----+-----+ |                                          |
+-------+-------+                                          |
        |                                                  |
+-------+-------+                                          |
|     Local     |                                  +-------+-------+
|    Process    |                                  |   [IPTABLES]  |
+-------+-------+                                  |   [FORWARD]   |
        |                                          | +-----+-----+ |
+-------+-------+                                  | |  mangle   | | <- MARK WRITE
|    OUTPUT     |                                  | +-----+-----+ |
|    ROUTING    |                                  | |  filter   | |
+-------+-------+                                  | +-----+-----+ |
        |                                          +-------+-------+
+-------+-------+                                          |
|   [IPTABLES]  |                                          |
|    [OUTPUT]   |                                          |
| +-----------+ |                                          |
| | conntrack | |                                          |
| +-----+-----+ |                                          |
| |   mangle  | | <- MARK WRITE                            |
| +-----+-----+ |                                          |
| |    nat    | | <-DEST REWRITE                           |
| +-----+-----+ |     DNAT or REDIRECT                     |
| |   filter  | |                                          |
| +-----+-----+ |                                          |
+-------+-------+                                          |
        |                                                  |
        +----------------------+---------------------------+
                               |
                     +---------+---------+
                     |     [IPTABLES]    |
                     |   [POSTROUTING]   |
                     | +-------+-------+ |
                     | |    mangle     | | <- MARK WRITE  
                     | +-------+-------+ |
                     | |      nat      | | <- SOURCE REWRITE
                     | +-------+-------+ |      SNAT or MASQUERADE
                     | |      IMQ      | |
                     | +-------+-------+ |
                     +---------+---------+
                               |
                        +------+------+
                        |     QOS     |
                        |    EGRESS   |
                        +------+------+
                               |
                    -----------+-----------
                            Network
  • [Name of firewall chain]
  • Controlled by iptables (in blue)
  • Controlled by ip/tc (in red)
The original diagram comes from http://www.docum.org/docum.org/kptd; it has been trimmed and edited for this reproduction.
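Added example, not code from the original page or from docum.org: a small Python model of the path an incoming packet takes through the diagram above. It shows two points the picture makes but does not spell out: the PREROUTING nat step rewrites the destination before the routing decision, so a DNAT rule decides whether a packet ends up in INPUT or FORWARD, and because conntrack runs ahead of nat, nat rules are evaluated only for the first packet of a connection and the stored decision is reused afterwards. All addresses, ports and rules are constructed; locally generated traffic (OUTPUT) is not modelled.

```python
from dataclasses import dataclass, replace

# Constructed sample data: this host's own addresses and two nat rules.
LOCAL_ADDRS = {"192.0.2.1", "10.0.0.1"}
PREROUTING_NAT = {("192.0.2.1", 80): "10.0.0.5"}   # DNAT: public :80 -> LAN web host
POSTROUTING_NAT = {"10.0.0.": "192.0.2.1"}          # SNAT: LAN sources leave as public IP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def traverse(pkt: Packet, conntrack: dict) -> tuple[list[str], Packet]:
    """Walk one packet arriving from the network through the hooks in the
    diagram: PREROUTING -> routing decision -> INPUT or FORWARD -> POSTROUTING.
    Returns (hooks visited, packet as it leaves the last hook)."""
    path = ["PREROUTING/conntrack", "PREROUTING/mangle"]
    key = (pkt.src, pkt.dst, pkt.dport)           # connection tuple seen by conntrack
    first = key not in conntrack                  # conntrack runs before nat, so it
    entry = conntrack.setdefault(key, {})         # already knows whether the flow is new
    if first:                                     # nat rules are evaluated only for the
        path.append("PREROUTING/nat")             # first packet of a connection; the
        hit = PREROUTING_NAT.get((pkt.dst, pkt.dport))
        if hit:                                   # decision is stored on the conntrack
            entry["dst"] = hit                    # entry and reused for later packets
    if "dst" in entry:
        pkt = replace(pkt, dst=entry["dst"])      # DEST REWRITE happens here ...
    if pkt.dst in LOCAL_ADDRS:                    # ... so the routing decision already
        path += ["INPUT/mangle", "INPUT/filter", "local process"]   # sees the new dst
        return path, pkt
    path += ["FORWARD/mangle", "FORWARD/filter", "POSTROUTING/mangle"]
    if first:
        path.append("POSTROUTING/nat")
        for prefix, new_src in POSTROUTING_NAT.items():
            if pkt.src.startswith(prefix):
                entry["src"] = new_src            # SOURCE REWRITE, after routing
    if "src" in entry:
        pkt = replace(pkt, src=entry["src"])
    path.append("network")
    return path, pkt


if __name__ == "__main__":
    ct = {}
    for p in (Packet("198.51.100.7", "192.0.2.1", 80),   # DNAT'd, so forwarded
              Packet("198.51.100.7", "192.0.2.1", 80),   # same flow: nat not re-evaluated
              Packet("198.51.100.7", "192.0.2.1", 22),   # no DNAT: delivered locally
              Packet("10.0.0.5", "203.0.113.9", 443)):   # LAN host outbound: SNAT'd
        hooks, out = traverse(p, ct)
        print(f"{p.src}->{p.dst}:{p.dport} => {out.src}->{out.dst} via {' > '.join(hooks)}")
```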