Application (Linux firewall, QoS and route): Linux iptables and iproute2

tags: linux netfilter QoS

Author: WhoAmI
email: kccddb@gmail.com

Date: 20230606
Copyright: CC BY-NC-SA

QoS(Quality of Service) 是 Scheduling, Traffic shaping & Queueing 的整合運用~是一很困難的決策問題

有限的資源分享(Resource Allocation)~一定有好有壞

tc (traffic control), ip route…

e.g.,
CBQ - Class Based Queueing

Linux Advanced Routing & Traffic Control HOWTO

網路程式設計 要考慮 timeout 的問題, 例如

struct timeval timeout;      
    timeout.tv_sec = 10;
    timeout.tv_usec = 0;
    
    if (setsockopt (sockfd, SOL_SOCKET, SO_RCVTIMEO, &timeout,
                sizeof timeout) < 0)
        perror("setsockopt failed\n");

    if (setsockopt (sockfd, SOL_SOCKET, SO_SNDTIMEO, &timeout,
                sizeof timeout) < 0)
        perror("setsockopt failed\n");

A Deep Dive into Iptables and Netfilter Architecture

connection tracting, e.g., ftp

懂這張圖 NETFILTER & HOOK~其餘 就是 iptables, tc, ip route 指令運用
e.g.,

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables：Linux Iptables to block syn-flood attacks

Network Programming:
linux man listen~ int listen(int sockfd, int backlog);

The backlog argument defines the maximum length to which the queue of pending connections for sockfd may grow.

NETFILTER & HOOK

iptables

https://www.netfilter.org/

netfilter.org is home to the software of the packet filtering framework inside the Linux 2.4.x and later kernel series. Software commonly associated with netfilter.org is iptables.

HOWTO
https://www.netfilter.org/documentation/index.html#documentation-howto

Ubuntu
Iptables is a firewall, installed by default on all official Ubuntu distributions (Ubuntu, Kubuntu, Xubuntu).

Principle

Netfilter Architecture

(a) hook (in Linux kernel)

iptables/ip6tables — administration tool for IPv4/IPv6 packet filtering and NAT

Application:
iptables 基本使用

THE BEGINNER’S GUIDE TO IPTABLES, THE LINUX FIREWALLKORBIN BROWN FEBRUARY 6, 2014, 12:34PM EDT

Iptables Essentials: Common Firewall Rules and Commands
PostedAugust 10, 2015 731.8kviews FIREWALL CENTOS UBUNTU
manicas
Mitchell Anicas
(有 Ubuntu 安裝 iptables 工具的方法)
https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands

(b)Connection Tracking

©SNAT/DNAT/MASQUERADE
Understanding NAT
The Two Types of NAT
Controlling What To NAT

Q:ICMP 如何處理?

Spacial Application (user mode)

Using the libipq library and the `ip_queue' module, almost anything which can be done inside the kernel can now be done in userspace.
Packet Handling in Userspace

iproute2

請盡可能用

ip route …代替 route

ip addr … 代替 ifconfig

http://www.policyrouting.org/iproute2.doc.html

Linux Advanced Routing Tutorial
by Michal Ludvig on September 12, 201

以太網詳解（一）-MAC/PHY/MII/RMII/GMII/RGMII基本介紹

如果有空可以了解 Bridge! 其實這也很重要!

Content-addressable memory (CAM) & Ternary CAM (TCAM, 0, 1, and “don’t care”)

Basics: What is Ternary Content Address Memory (TCAM) ?

Linux Bridge

https://lxr.linux.no/linux-old+v2.4.31/net/bridge/br_fdb.c#L55

 55static __inline__ int br_mac_hash(unsigned char *mac)
  56{
  57        unsigned long x;
  58
  59        x = mac[0];
  60        x = (x << 2) ^ mac[1];
  61        x = (x << 2) ^ mac[2];
  62        x = (x << 2) ^ mac[3];
  63        x = (x << 2) ^ mac[4];
  64        x = (x << 2) ^ mac[5];
  65
  66        x ^= x >> 8;
  67
  68        return x & (BR_HASH_SIZE - 1);
  69}

brctl addbr mybridge1
brctl addif mybridge eth0
brctl addif mybridge eth1
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0

Put up the bridge.
ifconfig mybridge up

Optionally
ifconfig mybridge 192.168.100.5 netmask 255.255.255.0 up

Try:
brctl showmacs mybridge1

NIC entered promiscuous mode

https://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/set-up-the-bridge.html

vlan+bridge
An introduction to Linux bridging commands and features

Linux Port Forwarding Using iptables

QoS:
Linux Advanced Routing & Traffic Control HOWTO

NFQUEUE 適合研究所的學生 可以方便於 user space 修改 packet