Netfilter Hooks
There are five netfilter hooks that programs can register with. As packets progress through the stack, they will trigger the kernel modules that have registered with these hooks. The hooks that a packet will trigger depend on whether the packet is incoming or outgoing, the packet's destination, and whether the packet was dropped or rejected at a previous point. The following hooks represent various well-defined points in the networking stack:
- NF_IP_PRE_ROUTING: This hook will be triggered by any incoming traffic very soon after entering the network stack. This hook is processed before any routing decisions have been made regarding where to send the packet.
- NF_IP_LOCAL_IN: This hook is triggered after an incoming packet has been routed if the packet is destined for the local system.
- NF_IP_FORWARD: This hook is triggered after an incoming packet has been routed if the packet is to be forwarded to another host.
- NF_IP_LOCAL_OUT: This hook is triggered by any locally created outbound traffic as soon as it hits the network stack.
- NF_IP_POST_ROUTING: This hook is triggered by any outgoing or forwarded traffic after routing has taken place and just before being put out on the wire.
Assuming that the server knows how to route a packet and that the firewall rules permit its transmission, the following flows represent the paths that will be traversed in different situations:
- Incoming packets destined for the local system: PREROUTING -> INPUT
- Incoming packets destined for another host: PREROUTING -> FORWARD -> POSTROUTING
- Locally generated packets: OUTPUT -> POSTROUTING
PREROUTING chains of the raw, mangle, and nat tables. It will then traverse the INPUT chains of the mangle, filter, security, and nat tables before finally being delivered to the local socket.
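As an added illustration (not code from the original article), the following Python model walks a packet through the hook sequence and the per-chain table order described above; it also shows that a destination rewrite in the nat table of PREROUTING happens before the routing decision, so such a packet then visits FORWARD rather than INPUT, and a filter rule placed only in INPUT never sees it. The table order for FORWARD, OUTPUT and POSTROUTING is assumed from the same iptables priority scheme, since this section only lists PREROUTING and INPUT; the addresses are constructed samples.

```python
from dataclasses import dataclass

# Table order inside each chain (iptables priority order). PREROUTING and
# INPUT are as stated in the text; FORWARD, OUTPUT and POSTROUTING follow
# the same priority scheme and are an assumption beyond this section.
CHAIN_TABLES = {
    "PREROUTING": ["raw", "mangle", "nat"],
    "INPUT": ["mangle", "filter", "security", "nat"],
    "FORWARD": ["mangle", "filter", "security"],
    "OUTPUT": ["raw", "mangle", "nat", "filter", "security"],
    "POSTROUTING": ["mangle", "nat"],
}

@dataclass
class Packet:
    dst: str                         # destination address (constructed sample)
    locally_generated: bool = False  # True for packets created on this host

def route(dst, local_addrs):
    """The routing decision: deliver to a local socket, or forward it on."""
    return "INPUT" if dst in local_addrs else "FORWARD"

def traverse(pkt, local_addrs, dnat=None):
    """Return (final destination, ordered list of (chain, table) visited).
    dnat maps an original destination to a rewritten one; it is applied in
    the nat table of PREROUTING, i.e. before the routing decision."""
    dnat = dnat or {}
    dst, path = pkt.dst, []
    if pkt.locally_generated:
        later = ["OUTPUT", "POSTROUTING"]
    else:
        for table in CHAIN_TABLES["PREROUTING"]:
            path.append(("PREROUTING", table))
            if table == "nat" and dst in dnat:
                dst = dnat[dst]   # rewritten before routing looks at it
        later = ["INPUT"] if route(dst, local_addrs) == "INPUT" else ["FORWARD", "POSTROUTING"]
    for chain in later:
        for table in CHAIN_TABLES[chain]:
            path.append((chain, table))
    return dst, path

def chain_order(path):
    """Collapse a (chain, table) path to the sequence of chains visited."""
    order = []
    for chain, _ in path:
        if not order or order[-1] != chain:
            order.append(chain)
    return order
```

Calling `traverse(Packet("10.0.0.1"), {"10.0.0.1"}, {"10.0.0.1": "192.168.1.20"})` returns the rewritten destination and a path through PREROUTING, FORWARD and POSTROUTING, with no INPUT entry at all.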
Source: A Deep Dive into Iptables and Netfilter Architecture (digitalocean.com)