Help with Linux iptables details (including some terms)

This is a discussion on Help with Linux iptables details (including some terms) within the Linux Networking forums, part of the Linux Forums category.


#1  06-10-2004  ctt
Help with Linux iptables details (including some terms)

Hi,

I'm in need of some help on details of Linux's packet filtering.
I've actually read the iptables command's man pages and a few
other docs from www.netfilter.org.

Also, I've just started using Linux a few weeks ago (before this,
my last use was in 1993 for a few months) so I may get some terms
wrong. Please correct me so that I can be less confusing in the
future.

I understand that some of my questions can be answered by building
the kernel or reading some source code. But I'm hoping to get
answers quicker here.

Here're my questions: (and thank you very much)

1. "iptables" is the name of a command that a user runs to modify
Linux's built-in packet filters. What is the name of Linux's
built-in filters? (I've been calling it iptables, but I think I
may be wrong.)

2. Do Linux's built-in packet filters use its NetFilter
facility?

3. If Linux's built-in packet filters use NetFilter, what is its
priority (what value is set for field "priority" in "struct
nf_hook_ops") ?

4. If Linux's built-in packet filters do not use NetFilter, then
is it called before NetFilter or after? If this is the case,
could you help me out by providing a function name or something?
(I casually looked into the kernel's networking code and only
see NetFilter being called and not built-in packet filtering.)

5. While configuring to build a kernel (make menuconfig), I see
the option of "Network packet filtering (replaces ipchains)" .
Does this configure the built-in filter or NetFilter ?

6. If #5 configures NetFilter, then why is "replaces ipchains"
in the heading? I thought the new built-in packet filter replaces
ipchains?

Thanks,
Ching Tai
#2  06-12-2004  Antoine EMERIT
Re: Help with Linux iptables details (including some terms)

j1133s@yahoo.com (ctt) wrote news:883eb11c.0406101321.3219e950@posting.google.com:

> 1. "iptables" is the name of a command that a user runs to modify
> Linux's built-in packet filters. What is the name of Linux's
> built-in filters? (I've been calling it iptables, but I think I
> may be wrong.)
>
> 2. Do Linux's built-in packet filters use its NetFilter
> facility?


iptables is a user-land command to create/modify/delete netfilter rules.

netfilter is the (now) official packet filtering system of Linux.

But netfilter is not directly developed in the Linux main kernel source;
it's a separate project available at http://www.netfilter.org.

The Linux kernel includes some hook functions that call the netfilter code
at various points in the network stack.

And so, there are no "default filters" in the Linux kernel.

But for usability (compilation, ...) reasons, the netfilter code is
included in any regular Linux source package.

You may however get the latest netfilter code (kernel hooks, iptables
command, and iptables modules) from the netfilter project, and recompile
a kernel with this updated code.

> 3. If Linux's built-in packet filters use NetFilter, what is its
> priority (what value is set for field "priority" in "struct
> nf_hook_ops") ?


Don't know.

> 4. If Linux's built-in packet filters do not use NetFilter, then
> is it called before NetFilter or after? If this is the case,
> could you help me out by providing a function name or something?
> (I casually looked into the kernel's networking code and only
> see NetFilter being called and not built-in packet filtering.)


See above.

> 5. While configuring to build a kernel (make menuconfig), I see
> the option of "Network packet filtering (replaces ipchains)" .
> Does this configure the built-in filter or NetFilter ?


You may choose to use ipchains, the old filtering system, or netfilter,
the latest one.

ipchains was more "fused" into the kernel source than netfilter.

Note: there is an ipchains command that translates ipchains rules to
iptables rules.

> 6. If #5 configures NetFilter, then why is "replaces ipchains"
> in the heading? I thought the new built-in packet filter replaces
> ipchains?


See above.

> Thanks,
> Ching Tai
>


#3  06-12-2004  P Gentry
Re: Help with Linux iptables details (including some terms)

j1133s@yahoo.com (ctt) wrote in message news:<883eb11c.0406101321.3219e950@posting.google.com>...
> Hi,
>
> I'm in need of some help on details of Linux's packet filtering.
> I've actually read the iptables command's man pages and a few
> other docs from www.netfilter.org.
>
> Also, I've just started using Linux a few weeks ago (before this,
> my last use was in 1993 for a few months) so I may get some terms
> wrong. Please correct me so that I can be less confusing in the
> future.
>
> I understand that some of my questions can be answered by building
> the kernel or reading some source code. But I'm hoping to get
> answers quicker here.
>
> Here're my questions: (and thank you very much)
>
> 1. "iptables" is the name of a command that a user runs to modify
> Linux's built-in packet filters. What is the name of Linux's
> built-in filters? (I've been calling it iptables, but I think I
> may be wrong.)
>
> 2. Do Linux's built-in packet filters use its NetFilter
> facility?
>
> 3. If Linux's built-in packet filters use NetFilter, what is its
> priority (what value is set for field "priority" in "struct
> nf_hook_ops") ?


I think it relates to this (?):
/usr/include/linux/netfilter_ipv4.h

enum nf_ip_hook_priorities {
    NF_IP_PRI_FIRST     = INT_MIN,
    NF_IP_PRI_CONNTRACK = -200,
    NF_IP_PRI_MANGLE    = -150,
    NF_IP_PRI_NAT_DST   = -100,
    NF_IP_PRI_FILTER    = 0,
    NF_IP_PRI_NAT_SRC   = 100,
    NF_IP_PRI_LAST      = INT_MAX,
};  /* at a given hook point, the lowest value runs first */

> 4. If Linux's built-in packet filters do not use NetFilter, then
> is it called before NetFilter or after? If this is the case,
> could you help me out by providing a function name or something?
> (I casually looked into the kernel's networking code and only
> see NetFilter being called and not built-in packet filtering.)
>
> 5. While configuring to build a kernel (make menuconfig), I see
> the option of "Network packet filtering (replaces ipchains)" .
> Does this configure the built-in filter or NetFilter ?
>
> 6. If #5 configures NetFilter, then why is "replaces ipchains"
> in the heading? I thought the new built-in packet filter replaces
> ipchains?
>
> Thanks,
> Ching Tai


You might also be interested in this -- I found it myself just a short
while back ;-)
http://www.linuxjournal.com/article.php?sid=7184
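Added editorial example, not from any poster in this thread and not kernel code: a small user-space C model of the two things the replies above describe, the hook functions the kernel calls at each point in the stack (Antoine's post) and the priority field that orders them (the enum P Gentry quoted). A hook with a lower priority value runs before one with a higher value, and the walk stops at the first NF_DROP, so a hook registered at NF_IP_PRI_FIRST sees a packet before conntrack (-200) and before the filter table (0). The struct and function names here (hook_ops, register_hook, run_hooks) are simplified stand-ins for the kernel's nf_hook_ops / nf_register_hook / nf_hook_slow, the hook bodies are made up for the demonstration, and the sample addresses are constructed.

```c
/* User-space model of netfilter hook ordering by priority. Not kernel code;
 * names are simplified stand-ins for nf_hook_ops, nf_register_hook and
 * nf_hook_slow. Priority values are those quoted from netfilter_ipv4.h. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

enum nf_ip_hook_priorities {
    NF_IP_PRI_FIRST     = INT_MIN,
    NF_IP_PRI_CONNTRACK = -200,
    NF_IP_PRI_MANGLE    = -150,
    NF_IP_PRI_NAT_DST   = -100,
    NF_IP_PRI_FILTER    = 0,
    NF_IP_PRI_NAT_SRC   = 100,
    NF_IP_PRI_LAST      = INT_MAX,
};

/* Verdicts a hook function can return (same names as the kernel uses). */
enum { NF_DROP = 0, NF_ACCEPT = 1 };

/* Constructed minimal packet: only the source address matters to this model. */
struct pkt { const char *saddr; };

typedef unsigned int (*hookfn)(const struct pkt *p);

/* Simplified nf_hook_ops; the real struct also carries pf, hooknum, list, owner. */
struct hook_ops {
    const char *name;
    hookfn      hook;
    int         priority;
};

#define MAX_HOOKS 8
static struct hook_ops chain[MAX_HOOKS];   /* hooks for one hook point, sorted */
static int nhooks;

/* Like nf_register_hook(): insert sorted by ascending priority, so the
 * lowest value runs first. Returns 0, or -1 if the table is full. */
int register_hook(const struct hook_ops *ops)
{
    if (nhooks == MAX_HOOKS) return -1;
    int i = nhooks;
    while (i > 0 && chain[i - 1].priority > ops->priority) {
        chain[i] = chain[i - 1];
        i--;
    }
    chain[i] = *ops;
    nhooks++;
    return 0;
}

void reset_hooks(void) { nhooks = 0; }

/* Like nf_hook_slow(): call each hook in order, stop at the first NF_DROP.
 * Records the names of the hooks that actually ran, comma-separated, in trace. */
unsigned int run_hooks(const struct pkt *p, char *trace, size_t tracelen)
{
    trace[0] = '\0';
    for (int i = 0; i < nhooks; i++) {
        if (trace[0]) strncat(trace, ",", tracelen - strlen(trace) - 1);
        strncat(trace, chain[i].name, tracelen - strlen(trace) - 1);
        if (chain[i].hook(p) == NF_DROP) return NF_DROP;
    }
    return NF_ACCEPT;
}

/* Hypothetical hook bodies for the model. The "bogon" hook drops packets
 * claiming a loopback source, which cannot legitimately arrive from the
 * wire; registered at NF_IP_PRI_FIRST it runs before conntrack, so such
 * packets never create a connection-tracking entry. */
static unsigned int conntrack_hook(const struct pkt *p) { (void)p; return NF_ACCEPT; }
static unsigned int filter_hook(const struct pkt *p)    { (void)p; return NF_ACCEPT; }
static unsigned int bogon_hook(const struct pkt *p)
{
    return strncmp(p->saddr, "127.", 4) == 0 ? NF_DROP : NF_ACCEPT;
}

/* Register in a deliberately wrong order; the priority sort fixes it. */
void setup_pre_routing(void)
{
    reset_hooks();
    struct hook_ops filter = { "filter",    filter_hook,    NF_IP_PRI_FILTER };
    struct hook_ops bogon  = { "bogon",     bogon_hook,     NF_IP_PRI_FIRST };
    struct hook_ops ct     = { "conntrack", conntrack_hook, NF_IP_PRI_CONNTRACK };
    register_hook(&filter);
    register_hook(&ct);
    register_hook(&bogon);
}

int main(void)
{
    char trace[128];
    setup_pre_routing();
    struct pkt good = { "10.0.0.7" }, bad = { "127.0.0.1" };
    printf("%s -> %s via %s\n", good.saddr,
           run_hooks(&good, trace, sizeof trace) == NF_ACCEPT ? "ACCEPT" : "DROP", trace);
    printf("%s -> %s via %s\n", bad.saddr,
           run_hooks(&bad, trace, sizeof trace) == NF_ACCEPT ? "ACCEPT" : "DROP", trace);
    return 0;
}
```

The point to take from the trace is that registration order does not matter, only the priority value does: the accepted packet passes bogon, conntrack, filter in that order, while the spoofed one is dropped by the first hook and never reaches conntrack.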