What's the detailed procedure for processing packets by a firewall?

Asked by Gavin Tian on 2011-02-22

Hi, everyone,

Would you like to help me?
I want to know the detailed structure of the Linux firewall and the details of how it classifies packets. I have searched the internet for a long time but only found things about how to add and delete rules for the firewall, not discussions of the firewall's structure.

As far as I know, a firewall can be a stateful firewall, consisting of state tables which are used to store the SYN packets. When the ACK packets come back, the ACK packet will be checked against the rules of the state tables. If it satisfies those rules, then the ACK packet can pass the firewall and the connection will be established; otherwise the ACK will be discarded.

I wonder whether the Linux firewall also works in this way, and I want the details.

Thanks very much!

Question information

Language: English
Status: Solved
For: Ubuntu iptables
Assignee: No assignee
Solved by: Eliah Kagan
Solved: 2011-03-01
Last query: 2011-03-01
Last reply: 2011-02-23

You can use iptables directly using commands etc., or you can use ufw or firestarter (GNOME) or guarddog (KDE) to configure it.

I am unsure of the SYN and ACK packets, but I do know that you can set up very granular rules using the tools, to the extent of only allowing certain subnets or even individual hosts access to specific ports using specified protocols, but allowing connectivity on a completely different subnet or host access on other ports. It's very flexible like that.

Maybe someone else can contribute, but you may want to contact the iptables guys to ask, as they will know their software very well.

Gavin Tian (tqjustc) said: #2

I am working on designing the firewall, so I want the details, not just the user configuration.

Thanks very much, actionparsnip

It's not clear what you mean by "designing the firewall." Do you mean you're an iptables developer and you want information about how iptables is used in Ubuntu? Do you mean you're a developer on a different firewall project, and you want to gain an understanding of iptables? Do you mean you're a developer for an iptables frontend? Do you mean you wish to configure iptables on your own computer(s)?

By the way, please note that firestarter won't be supported much longer, so you're probably better off using ufw (if you want to use a frontend).

If you want general and/or technical information about iptables, see:

http://en.wikipedia.org/wiki/Iptables
http://en.wikipedia.org/wiki/Netfilter
http://www.netfilter.org/projects/iptables/index.html
http://www.netfilter.org/

If you just want to know if iptables is stateful, the answer is: yes. It is capable of allowing/blocking traffic based on what connections are currently open (as well as additional information about what's "going on"), and standard configurations of iptables take advantage of this capability; this capability is typically an integral motivating reason for using iptables. (Though you could configure it to be minimally stateful, or non-stateful, if you wanted.)
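To make concrete the mechanism Gavin describes in the question (a SYN creating a state-table entry that later decides the fate of the returning packet) and the statefulness Eliah confirms, here is an added toy model in Python; it is not iptables' or netfilter's own code, and the class, packet layout, addresses and packet trace are constructed for illustration. It mirrors a common INPUT chain: accept packets in conntrack state ESTABLISHED, accept a bare SYN to a served port as NEW, and drop everything else by policy.

```python
from collections import namedtuple

# flags is a frozenset of TCP flag names, e.g. frozenset({"SYN", "ACK"})
Packet = namedtuple("Packet", "src sport dst dport flags")

class StatefulHostFirewall:
    """Toy INPUT chain: ESTABLISHED -> ACCEPT; NEW only as a bare SYN to a
    served port; everything else falls through to the DROP policy."""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)
        self.conntrack = {}   # 4-tuple of a flow's first packet -> TCP state

    def _tracked_key(self, pkt):
        # A reply matches the stored tuple with its endpoints swapped.
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return next((k for k in (fwd, rev) if k in self.conntrack), None)

    def outbound(self, pkt):
        # OUTPUT is permitted; a locally originated SYN creates the conntrack entry
        if pkt.flags == frozenset({"SYN"}) and self._tracked_key(pkt) is None:
            self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = "SYN_SENT"
        return "ACCEPT"

    def inbound(self, pkt):
        key = self._tracked_key(pkt)
        if key is not None:                     # ESTABLISHED: part of a tracked flow
            if "ACK" in pkt.flags:
                self.conntrack[key] = "ESTABLISHED"
            return "ACCEPT"
        if pkt.flags == frozenset({"SYN"}) and pkt.dport in self.open_ports:
            self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = "SYN_RECV"
            return "ACCEPT"                     # NEW connection to a served port
        return "DROP"                           # policy: unsolicited ACK, closed port

def run_trace(firewall, trace):
    """trace: list of ("in" | "out", Packet); returns one verdict per packet."""
    return [firewall.inbound(p) if d == "in" else firewall.outbound(p) for d, p in trace]

HOST, PEER, OTHER = "192.0.2.10", "198.51.100.5", "203.0.113.7"   # constructed addresses
F = frozenset
SAMPLE_TRACE = [                                       # constructed packet sequence
    ("out", Packet(HOST, 40000, PEER, 80, F({"SYN"}))),        # host opens a connection
    ("in",  Packet(PEER, 80, HOST, 40000, F({"SYN", "ACK"}))), # reply to tracked flow -> ACCEPT
    ("in",  Packet(OTHER, 80, HOST, 40001, F({"ACK"}))),       # unsolicited ACK -> DROP
    ("in",  Packet(PEER, 50000, HOST, 22, F({"SYN"}))),        # NEW to served port -> ACCEPT
    ("in",  Packet(PEER, 50001, HOST, 23, F({"SYN"}))),        # NEW to closed port -> DROP
]
```

Real netfilter connection tracking additionally checks TCP sequence and window ranges, expires entries on per-state timeouts, and has a RELATED state for traffic such as ICMP errors tied to an existing flow; this model keys only on the 4-tuple.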

Gavin Tian (tqjustc) said: #5

Thanks Eliah Kagan, that solved my question.