My Unix World

Don't be obsessed with Unix; Unix is only a small part of the computing world!

Netfilter.org  

2009-07-17 01:27:45 | Category: linux-system

Netfilter (netfilter.org) is the fourth-generation firewall in Linux; ipchains, the third generation, is now obsolete.
This firewall consists of two parts: netfilter and iptables.
netfilter lives in kernel space and is part of the kernel itself. Here are its main features, from the official website:
  • stateless packet filtering (IPv4 and IPv6)
  • stateful packet filtering (IPv4 and IPv6)
  • all kinds of network address and port translation, e.g. NAT/NAPT (IPv4 only)
  • flexible and extensible infrastructure
  • multiple layers of API's for 3rd party extensions
  • large number of plugins/modules kept in 'patch-o-matic' repository
Some further description of netfilter, copied from the official site:

netfilter.org is home to the software of the packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series. Software commonly associated with netfilter.org is iptables.

Software inside this framework enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling. It is the re-designed and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems.

netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.

iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).

netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack) and the NAT subsystem together build the major parts of the framework.

There is a packet filtering table inside kernel space, operated by netfilter. This table has three default chains: the INPUT chain, the OUTPUT chain and the FORWARD chain. There are also other chains, such as the PREROUTING chain and the POSTROUTING chain, and we can add new chains of our own.
iptables is a user-space utility used to operate and manage the packet filtering table.
Note: the user-defined filtering rules are also loaded into kernel space.
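The following is an added example, not code from the original post or from the netfilter project. It ties together the stateless/stateful filtering from the feature list above and the chain structure just described: a ruleset for the filter table in iptables-restore format, with default policies on the built-in INPUT, FORWARD and OUTPUT chains, a user-defined chain (the name LOGDROP is my own choice), and a small validator that checks every referenced chain or target is declared before the ruleset is handed to the kernel. It assumes SSH listens on TCP/22; building and validating the ruleset runs anywhere, applying it needs root, iptables-restore and the conntrack and limit match modules.

```shell
#!/bin/sh
# Added example (not from the original post): a stateful iptables ruleset in
# iptables-restore format, plus a sanity check that every chain or jump target
# it references is declared. Assumptions: SSH is on TCP/22 and the user-defined
# chain name LOGDROP is our own choice.

# Emit the 'filter' table: built-in chains with their default policies, one
# user-defined chain, and the rules that fill them. iptables-restore ignores
# lines starting with '#', so the comments can stay in the ruleset.
build_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Stateless rule: anything on the loopback interface is fine.
-A INPUT -i lo -j ACCEPT
# Stateful rules: connection tracking admits replies to traffic we started
# and drops packets that belong to no known connection.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# New inbound connections are allowed only to SSH (assumed on TCP/22).
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Everything else jumps to our own chain, which logs (rate-limited) and drops.
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
-A LOGDROP -j DROP
COMMIT
EOF
}

# Read a ruleset on stdin; fail if a rule is appended to, or jumps to, a chain
# that is neither declared with a ':NAME' line nor a built-in target.
validate_ruleset() {
  awk '
    /^:/  { sub(/^:/, ""); declared[$1] = 1 }
    /^-A/ { referenced[$2] = 1
            for (i = 1; i < NF; i++) if ($i == "-j") referenced[$(i + 1)] = 1 }
    END {
      n = split("ACCEPT DROP REJECT LOG RETURN MASQUERADE SNAT DNAT", b, " ")
      for (k = 1; k <= n; k++) builtin[b[k]] = 1
      bad = 0
      for (name in referenced)
        if (!(name in declared) && !(name in builtin)) {
          print "undeclared chain or target: " name
          bad = 1
        }
      exit bad
    }'
}

# Load the ruleset into the kernel; only meaningful as root on a Linux host.
apply_ruleset() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: must run as root" >&2; return 1; }
  command -v iptables-restore >/dev/null 2>&1 || { echo "iptables-restore not found" >&2; return 1; }
  build_ruleset | validate_ruleset || return 1
  build_ruleset | iptables-restore
}

# Show the generated table and check it; call apply_ruleset yourself when ready.
build_ruleset
build_ruleset | validate_ruleset && echo "ruleset OK"
```

Because INPUT's policy is DROP, any packet that reaches the end of the chain without matching is dropped even without the LOGDROP jump; the user-defined chain exists so the drop is logged first. The validator catches the common mistake of a mistyped chain name, which iptables-restore would otherwise reject at load time, leaving the previous ruleset in place.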

For more detailed info, refer to the man page or wikipedia.
Copyright © 1997-2017 NetEase Inc.