LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-28-2011, 12:08 AM   #16
theuser
LQ Newbie
 
Registered: Jun 2011
Posts: 18

Original Poster
Rep: Reputation: Disabled

That is a great distinction.

So I will define netfilter as:
the packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series

and iptables as:
the command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset

What do you think?

By the way, if netfilter is part of the kernel itself, does it mean that is the only way to filter packets?

Is it possible to uninstall netfilter and install another thing?

Kind regards.
 
Click here to see the post LQ members have rated as the most helpful post in this thread.
Old 06-28-2011, 05:03 AM   #17
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781
I am a bit late coming to this thread, but I thought I would mention for anyone who comes across it that the link win32sux posted above, to Oskar Andreasson's tutorial is hands down, the most comprehensive tutorial I have ever seen on iptables. Where have you been hiding this gem, win32sux?
 
Old 06-29-2011, 01:33 AM   #18
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by theuser View Post
That is a great distinction.

So I will define netfilter as:
the packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series
And now the 3.0.x series too, right?

Quote:
and iptables as:
the command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset
Sounds good to me. If you're doing this as part of a paper for school, make sure you follow the citation/reference rules your school uses. Otherwise, it'll look like you're plagiarizing.

Quote:
By the way, if netfilter is part of the kernel itself, does it mean that is the only way to filter packets?

Is it possible to uninstall netfilter and install another thing?
I'm sure it's not only possible, but also quite feasible (given the freely-available source code). That said, I don't really know if anyone's put together such a patch. I do remember having run into at least one thread here in LQSEC where the poster was looking to do precisely that (albeit such a thread would have been moved to Programming), but I don't recall how things played out.

Quote:
Originally Posted by Noway2 View Post
Where have you been hiding this gem, win32sux?
LOL! Right next to the rock you've apparently just crawled out from under.

Last edited by win32sux; 06-29-2011 at 01:40 AM.
 
Old 06-30-2011, 12:45 AM   #19
theuser
LQ Newbie
 
Registered: Jun 2011
Posts: 18

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by win32sux
And now the 3.0.x series too, right?
Wait... I thought the current kernel series was 2.6.x...

1. Is the 3.0.x series already released?

2. What happened with 2.8.x?

Kind regards.

Last edited by theuser; 06-30-2011 at 12:47 AM.
 
Old 06-30-2011, 02:35 AM   #20
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by theuser View Post
Wait... I thought the current kernel series was 2.6.x...

1. Is the 3.0.x series already released?

2. What happened with 2.8.x?

Kind regards.
Linux 3.0 is at RC5 as of yesterday, so it should be released RSN.

To get an idea of why the jump from 2.6.39 to 3.0 was made, check this out.
 
Old 06-30-2011, 07:37 AM   #21
theuser
LQ Newbie
 
Registered: Jun 2011
Posts: 18

Original Poster
Rep: Reputation: Disabled
Great, thanks for the link.

What is RSN?
 
Old 07-01-2011, 12:24 AM   #22
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by theuser View Post
Great, thanks for the link.
Sure, no problem.

Quote:
What is RSN?
Real soon now.
 
Old 07-01-2011, 08:57 AM   #23
theuser
LQ Newbie
 
Registered: Jun 2011
Posts: 18

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by win32sux
Real soon now.
Great .

So, recapitulating:

Netfilter:
The packet filtering framework inside the Linux 2.4.x, 2.6.x and 3.0.x kernel series

Iptables:
The command line program used to configure the Linux 2.4.x, 2.6.x and 3.0.x IPv4 packet filtering ruleset

Good enough?
 
Old 07-01-2011, 10:46 PM   #24
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Sounds okay to me.
 
Old 07-06-2011, 11:45 AM   #25
theuser
LQ Newbie
 
Registered: Jun 2011
Posts: 18

Original Poster
Rep: Reputation: Disabled
Hello guys.

I just need to confirm some conclusions I made for my test:

1. every incoming DNATed packet goes necessarily to FORWARD
2. every outgoing SNATed packet not necessarily comes from FORWARD
3. every forwarded packet was DNATed and will be SNATed

Kind regards and thanks for the patience.
 
Old 07-13-2011, 05:18 PM   #26
theuser
LQ Newbie
 
Registered: Jun 2011
Posts: 18

Original Poster
Rep: Reputation: Disabled
Anyone here?
 
Old 07-14-2011, 12:23 AM   #27
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
FWIW, #3 seems incorrect to me, as both DNAT and SNAT are optional.
 
Old 07-14-2011, 01:38 AM   #28
theuser
LQ Newbie
 
Registered: Jun 2011
Posts: 18

Original Poster
Rep: Reputation: Disabled
I got the conclusion 3 when I asked myself what happens with a packet when is forwarded.

I thought: is DNATed in PREROUTING and SNATed in POSTROUTING.
 
Old 07-14-2011, 10:24 AM   #29
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Just because a packet traverses those chains doesn't mean it will get sent to those targets.
 
Old 07-14-2011, 10:37 AM   #30
theuser
LQ Newbie
 
Registered: Jun 2011
Posts: 18

Original Poster
Rep: Reputation: Disabled
No, you are right, not every packet is DNATed when it goes through PREROUTING.

But like I said in the first 2 points:
1. every incoming DNATed packet goes necessarily to FORWARD
2. every outgoing SNATed packet not necessarily comes from FORWARD

In 1, DNAT happens in PREROUTING
In 2, SNAT happens in POSTROUTING (necessarily if it comes from FORWARD and optionally if it comes from OUTPUT).

That's why I concluded point 3:
3. every forwarded packet was DNATed and will be SNATed
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
postrouting all except one yawe_frek Linux - Networking 2 12-22-2007 11:13 PM
advantages and disadvantages of nat prerouting / postrouting? Teomari Linux - Networking 2 04-13-2007 09:28 PM
POSTROUTING or PREROUTING czezz Linux - Networking 2 01-23-2006 01:42 PM
mark set on PREROUTING stays until POSTROUTING? eantoranz Linux - Networking 3 07-26-2005 06:50 PM
POSTROUTING just stopped? ryedunn Linux - Networking 9 01-10-2005 10:49 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:35 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration