CHAPTER 10 NETWORK SECURITY
modifications, traffic classification, and shaping. It can use any inspection point. The use of the mangle table is beyond the scope of this book.

Each table contains a number of chains. You can think of a chain as a list of rules or instructions to apply to each packet that passes through this point in the network stack. For each inspection point in a table, a default chain is created. You can also add more chains to the table. A chain rule might be to allow or drop a packet or to forward it to another chain for further processing. The rules in the chain are processed in order from first to last. When a rule is found to match the packet, the target associated with that rule is applied and, in most circumstances, the processing stops. The name chain comes from the ability to jump or chain from one rule to another list of rules.

Already you can see that netfilter can be quite complex, and we have not started to look at the packet-matching options. There are many valid ways in which chains can be constructed. CentOS provides a default configuration, which is a good starting point. The default creates a chain called RH-Firewall-1-INPUT, which is configured to process all packets coming into the network stack and all packets being forwarded by the routing code. This is done by adding to the INPUT and FORWARD chains a rule that unconditionally chains to the RH-Firewall-1-INPUT chain.

A packet that enters the network card on the server may be destined for an application running on the server, or it may need to be forwarded to another server.
The concept of input is defined in relation to the application on the server:

- A packet coming from the network to an application will follow the INPUT chain.
- A packet coming from the application will follow the OUTPUT chain.
- A packet, coming in from the network, that will be routed to another host will follow the FORWARD chain.

Although we combine INPUT and FORWARD into one chain, we can still retain fine control by matching based on source and destination address. It is also possible to restrict outgoing packets, but for most general-purpose servers that is not necessary.

A firewall is implemented by filtering out unwanted packets. Some firewall implementations can only filter based on connection requests and destination ports. This means that a large range of ports has to be left open to allow outgoing connections to function correctly. Because of the way TCP works, each end of the connection (the client and the server) needs to have a port number. The server port number is normally what is called a well-known port number. For example, HTTP uses port 80. The client port number is normally chosen at random by the kernel, often from a high range of port numbers between around 32,000 and 64,000. Once a TCP connection has been established, the client and the server operate in the same way, so if a single packet is inspected in isolation, it is impossible to know if it belongs to an incoming server connection or an outgoing client connection. If packets with a high port number are not permitted, the host will be unable to make outgoing connections. Leaving the high range open, however, does not effectively prevent unwanted connections, because a service listening on a high-numbered port will always be permitted.

To solve these problems, netfilter has the capability to perform what is called stateful packet inspection. This means it can track the current connections and filter packets based on the direction of the connection.
This allows outgoing connections to function correctly without having to set aside ports for them.

Another benefit of a stateful firewall is that it can relate multiple connections to each other. This is useful for some protocols such as Active FTP. In the Active FTP protocol, the client initiates a connection to the well-known port on the server (21). When the client requests a file from the server, the server opens a new connection back to the client. This means that the client is also acting as a server. Unless the client firewall allows this incoming connection, the file transfer will fail. Netfilter has a module that can be loaded to extend its functionality so it can understand the FTP protocol. Once this module is active, it will see when FTP traffic is operating and needs to establish an incoming connection. It can allow this specific connection to succeed without having to open any new ports.
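The following Python model is an added illustration, not code from the book or from netfilter: it contrasts a port-only filter with connection tracking, and walks the unconditional jump from INPUT and FORWARD into RH-Firewall-1-INPUT. The addresses, the port 22 rule, and all function and class names are assumptions made for the example.

```python
from collections import namedtuple

# Constructed sample traffic; HOST is the protected server (documentation addresses).
Packet = namedtuple("Packet", "src sport dst dport syn")
HOST = "192.0.2.10"
REPLY = Packet("198.51.100.7", 80, HOST, 40001, syn=False)   # answer to our own request
PROBE = Packet("203.0.113.9", 51000, HOST, 40001, syn=True)  # unsolicited connection attempt

def stateless_accept(pkt):
    """Port-only filter: SSH plus the whole client port range left open for replies."""
    return pkt.dport == 22 or pkt.dport >= 32000

class StatefulFirewall:
    def __init__(self):
        self.conntrack = set()  # tracked flows, keyed from the reply's point of view
        self.chains = {  # both default chains jump unconditionally to the shared chain
            "INPUT": [(lambda p, st: True, "RH-Firewall-1-INPUT")],
            "FORWARD": [(lambda p, st: True, "RH-Firewall-1-INPUT")],
            "RH-Firewall-1-INPUT": [  # assumed rules, modelled for illustration
                (lambda p, st: st == "ESTABLISHED", "ACCEPT"),
                (lambda p, st: st == "NEW" and p.dport == 22, "ACCEPT"),
                (lambda p, st: True, "REJECT"),
            ],
        }

    def state(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "ESTABLISHED"
        return "NEW" if pkt.syn else "INVALID"

    def walk(self, chain, pkt, st):
        """Rules run first to last; a target naming a chain is a jump into it."""
        for match, target in self.chains[chain]:
            if match(pkt, st):
                verdict = self.walk(target, pkt, st) if target in self.chains else target
                if verdict:  # None means the jumped-to chain matched nothing: resume here
                    return verdict
        return None

    def outgoing(self, pkt):
        """The host opens a connection; remember it so its replies can be matched."""
        self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def incoming(self, pkt, chain="INPUT"):
        st = self.state(pkt)
        verdict = self.walk(chain, pkt, st)
        if verdict == "ACCEPT" and st == "NEW":
            self.conntrack.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return verdict
```

The port-only filter accepts both `REPLY` and `PROBE` because they look identical by port number; the stateful model accepts `REPLY` only after `outgoing()` has recorded the matching request, and rejects `PROBE` in either case.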