# Application (Linux firewall, QoS and route): Linux iptables and iproute2

###### tags: `linux` `netfilter` `QoS`

<style>
.blue { color: blue; }
.bgblue { color: blue; font-size: 24px; }
.red { color: red; font-size: 24px; }
h1 {text-align: center;}
</style>

Author: WhoAmI
email: kccddb@gmail.com
Date: 20230606
Copyright: CC BY-NC-SA

![](https://i.imgur.com/sVOPJdJ.jpg)

---

QoS (Quality of Service) is the combined use of scheduling, traffic shaping and queueing. It is a genuinely hard decision problem.

**Sharing a limited resource (resource allocation) always leaves some flows better off and others worse off.**

tc (traffic control), ip route...

![](https://i.imgur.com/q0Y38Ff.png)

:::warning
When $n=m$, $\lambda_{1}: \lambda_{2}: ... :\lambda_{n} = \mu_1: \mu_2:...:\mu_n$ ???

This is not really correct: it ignores the effect of statistical multiplexing.
:::

![](https://i.imgur.com/dVBGyhg.jpg)

e.g., [CBQ - Class Based Queueing](https://www.linux.org/docs/man8/tc-cbq.html)

[Linux Advanced Routing & Traffic Control HOWTO](https://tldp.org/HOWTO/Adv-Routing-HOWTO/)

![](https://i.imgur.com/bmpGm3r.jpg)
![](https://i.imgur.com/YnyhldO.jpg)
![](https://i.imgur.com/tigGj8X.png)
![](https://i.imgur.com/fvvOzGN.jpg)
![](https://i.imgur.com/IZMk0HS.jpg)

Network programs must take timeouts into account, for example:

```c=
#include <stdio.h>
#include <sys/socket.h>
#include <sys/time.h>

/* Bound every recv()/send() on sockfd to 10 seconds instead of blocking forever.
 * Returns 0 on success, -1 if either option could not be set. */
int set_socket_timeouts(int sockfd)
{
    struct timeval timeout = { .tv_sec = 10, .tv_usec = 0 };
    int rc = 0;
    if (setsockopt(sockfd, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof timeout) < 0) {
        perror("setsockopt SO_RCVTIMEO failed");   /* perror appends its own newline */
        rc = -1;
    }
    if (setsockopt(sockfd, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof timeout) < 0) {
        perror("setsockopt SO_SNDTIMEO failed");
        rc = -1;
    }
    return rc;
}
```

![](https://i.imgur.com/GzNZjtB.jpg)
![](https://i.imgur.com/l9XNPtr.jpg)

:::info
**policy routing:**

```
[ahu@home ahu]$ ip route list table local
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 10.0.0.1 dev eth0 proto kernel scope host src 10.0.0.1
broadcast 10.0.0.0 dev eth0 proto kernel scope link src 10.0.0.1
local 212.64.94.251 dev ppp0 proto kernel scope host src 212.64.94.251
broadcast 10.255.255.255 dev eth0 proto kernel scope link src 10.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 212.64.78.148 dev ppp2 proto kernel scope host src 212.64.78.148
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
```

**traffic control:**

```
tc qdisc add dev eth1 root handle 1: cbq bandwidth 10Mbit allot 1514 \
   cell 8 avpkt 1000 mpu 64
tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth 10Mbit \
   rate 10Mbit allot 1514 cell 8 weight 1Mbit prio 8 maxburst 20 \
   avpkt 1000
```

[Using NFQUEUE and libnetfilter_queue](https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/)

[Modifying Network Traffic with NFQUEUE and ARP Spoofing](https://www.apriorit.com/dev-blog/598-linux-mitm-nfqueue)

**Load balancing:**

```
ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
   nexthop via $P2 dev $IF2 weight 1
```
:::

---

![](https://i.imgur.com/ZZ0pha5.jpg)

[A Deep Dive into Iptables and Netfilter Architecture](https://www.digitalocean.com/community/tutorials/a-deep-dive-into-iptables-and-netfilter-architecture)

[connection tracking, e.g., ftp](https://lxr.linux.no/linux+v6.0.9/net/netfilter/)

**Understand this diagram (NETFILTER & HOOK); everything else is just applying the iptables, tc and ip route commands.**

e.g.,

```
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

[iptables: Linux Iptables to block syn-flood attacks](https://intrepidgeeks.com/tutorial/iptableslinux-iptables-to-block-synflood-attacks#:~:text=Syn%20flood%20is%20common%20attack%20and%20it%20can,%EB%8B%88%20%EB%8B%A4.%20%EC%97%B0%EA%B2%B0%20%EC%9D%84%20%EC%8B%9C%EC%9E%91%20%ED%95%A9%20%EB%8B%88%20%EB%8B%A4.%5D)

Network Programming: [linux man listen~ int listen(int sockfd, int **backlog**);](https://www.man7.org/linux/man-pages/man2/listen.2.html)

The **backlog** argument defines the maximum length to which the queue of pending connections for sockfd may grow.

<h1> <span class="red">NETFILTER & HOOK</span> </h1>

---

![](https://i.imgur.com/i3Wdad8.jpg)

:::info
Why is DNAT (Destination Network Address Translation) done in PREROUTING?
Why is SNAT (Source Network Address Translation) done in POSTROUTING?
:::

---

iptables

https://www.netfilter.org/

netfilter.org is home to the software of the packet filtering framework inside the Linux 2.4.x and later kernel series. Software commonly associated with netfilter.org is iptables.

:::info
kernel source:

[linux kernel~netfilter](https://lxr.linux.no/linux+v6.0.9/net/netfilter/)

[Linux kernel~bridge](https://lxr.linux.no/linux+v6.0.9/net/bridge/)
:::

HOWTO https://www.netfilter.org/documentation/index.html#documentation-howto

Ubuntu: [Iptables is a firewall, installed by default on all official Ubuntu distributions (Ubuntu, Kubuntu, Xubuntu).](https://help.ubuntu.com/community/IptablesHowTo)

---

**Principle**

Netfilter Architecture

(a) [hook (in Linux kernel)](https://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO-3.html)

[iptables/ip6tables — administration tool for IPv4/IPv6 packet filtering and NAT](https://www.man7.org/linux/man-pages/man8/iptables.8.html)

Application: basic use of iptables

[The Beginner's Guide to iptables, the Linux Firewall, Korbin Brown, February 6, 2014](https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/)

[Iptables Essentials: Common Firewall Rules and Commands, Mitchell Anicas, August 10, 2015](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands) (includes how to install the iptables tools on Ubuntu)

![](https://i.imgur.com/gVKFCpc.jpg)

(b) Connection Tracking

(c) [SNAT/DNAT/MASQUERADE: Understanding NAT, The Two Types of NAT, Controlling What To NAT](https://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO-4.html#ss4.3)

![](https://i.imgur.com/MuHb1ty.jpg)
![](https://i.imgur.com/fqb1TDL.jpg)
![](https://i.imgur.com/2MGEnZ9.jpg)

Q: How is ICMP handled?
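The PREROUTING/POSTROUTING question above, worked through in an added example that is not part of the original page: a small C model of a router's hook order with a constructed routing table, two constructed own addresses (203.0.113.5 on eth0, 192.168.100.1 on eth1), one DNAT rule and one MASQUERADE rule. It shows that DNAT has to rewrite the destination before the routing decision (otherwise a packet to the router's own address is handed to local delivery and is never forwarded), and that SNAT can only choose the source address once the outgoing device is known.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define WAN_ADDR IP4(203, 0, 113, 5)    /* constructed: router's own address on eth0 (Internet side) */
#define LAN_ADDR IP4(192, 168, 100, 1)  /* constructed: router's own address on eth1 (LAN side) */
#define SERVER   IP4(192, 168, 100, 10) /* constructed: internal host the DNAT rule points at */

struct pkt { uint32_t src, dst; };
struct route { uint32_t prefix, mask; const char *dev; uint32_t dev_addr; };
static const struct route rt[] = {
    { IP4(192, 168, 100, 0), 0xffffff00u, "eth1", LAN_ADDR },
    { 0, 0, "eth0", WAN_ADDR },   /* default route */
};
static const struct route local_route = { 0, 0, "local", 0 };

/* Routing decision: our own addresses go to local delivery (INPUT); others take the longest match. */
static const struct route *route_lookup(uint32_t dst)
{
    if (dst == WAN_ADDR || dst == LAN_ADDR) return &local_route;
    const struct route *best = NULL;
    for (size_t i = 0; i < sizeof rt / sizeof rt[0]; i++)
        if ((dst & rt[i].mask) == rt[i].prefix && (!best || rt[i].mask > best->mask))
            best = &rt[i];
    return best;
}

/* nat PREROUTING rule: -d 203.0.113.5 -j DNAT --to-destination 192.168.100.10 */
static void dnat(struct pkt *p) { if (p->dst == WAN_ADDR) p->dst = SERVER; }

/* nat POSTROUTING rule: -o eth0 -j MASQUERADE (source becomes eth0's own address) */
static void snat(struct pkt *p, const struct route *out)
{
    if (strcmp(out->dev, "eth0") == 0) p->src = out->dev_addr;
}

/* Walks one packet through the hooks and returns the device it leaves on ("local" = INPUT path).
 * dnat_first=1 is the kernel's order; dnat_first=0 delays DNAT until after routing. */
const char *traverse(struct pkt *p, int dnat_first)
{
    if (dnat_first) dnat(p);                              /* PREROUTING */
    const struct route *out = route_lookup(p->dst);       /* routing decision */
    if (!dnat_first) dnat(p);                             /* too late: route already chosen */
    if (strcmp(out->dev, "local") == 0) return out->dev;  /* INPUT path, never FORWARD */
    snat(p, out);                                         /* POSTROUTING: out device is known */
    return out->dev;
}

int main(void)
{
    struct pkt in = { IP4(198, 51, 100, 7), WAN_ADDR }, late = in;   /* constructed inbound packet */
    printf("DNAT in PREROUTING -> %s\n", traverse(&in, 1));
    printf("DNAT after routing -> %s\n", traverse(&late, 0));
    return 0;
}
```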
:::info
[ebtables/iptables interaction on a Linux-based bridge](https://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html#section1)
:::

******************************************

Special Application (user mode)

Using the libipq library and the `ip_queue' module, almost anything which can be done inside the kernel can now be done in userspace.

Packet Handling in Userspace

iproute2

Whenever possible use `ip route ...` instead of `route`, and `ip addr ...` instead of `ifconfig`.

http://www.policyrouting.org/iproute2.doc.html

[Linux Advanced Routing Tutorial by Michal Ludvig on September 12, 201](https://www.linuxjournal.com/content/linux-advanced-routing-tutorial)

[Ethernet explained (1): an introduction to MAC/PHY/MII/RMII/GMII/RGMII](https://www.twblogs.net/a/5cabcc54bd9eee5b1a07c83e)

If you have time, learn about bridges as well; they matter too.

[Content-addressable memory (CAM) & Ternary CAM (TCAM, 0, 1, and "don't care")](https://en.wikipedia.org/wiki/Content-addressable_memory#Ternary_CAMs)

[Basics: What is Ternary Content Address Memory (TCAM) ?](https://etherealmind.com/basics-what-is-ternary-content-address-memory-tcam/)

**Linux Bridge**

![](https://i.imgur.com/HLCKSeo.png)

**A hash function must be designed to keep the probability of collisions low.**

Source: https://lxr.linux.no/linux-old+v2.4.31/net/bridge/br_fdb.c#L55

```c=
/* From net/bridge/br_fdb.c in Linux 2.4.31. BR_HASH_SIZE comes from br_private.h,
 * where it is 1 << BR_HASH_BITS with BR_HASH_BITS 8, i.e. 256 buckets. */
#define BR_HASH_BITS 8
#define BR_HASH_SIZE (1 << BR_HASH_BITS)

static __inline__ int br_mac_hash(unsigned char *mac)
{
	unsigned long x;

	/* Each byte is shifted two bits further left than the next one. */
	x = mac[0];
	x = (x << 2) ^ mac[1];
	x = (x << 2) ^ mac[2];
	x = (x << 2) ^ mac[3];
	x = (x << 2) ^ mac[4];
	x = (x << 2) ^ mac[5];

	x ^= x >> 8;	/* fold the high bits down before masking to the table size */

	return x & (BR_HASH_SIZE - 1);
}
```

```
brctl addbr mybridge
brctl addif mybridge eth0
brctl addif mybridge eth1
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
```

**Put up the bridge.**

```
ifconfig mybridge up
```

**Optionally**

```
ifconfig mybridge 192.168.100.5 netmask 255.255.255.0 up
```

**Try:**

```
brctl showmacs mybridge
```

**NIC entered promiscuous mode**

![](https://i.imgur.com/KOErvrd.jpg)

https://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/set-up-the-bridge.html

**vlan+bridge**

[An introduction to Linux bridging commands and features](https://developers.redhat.com/articles/2022/04/06/introduction-linux-bridging-commands-and-features#)

![](https://i.imgur.com/R9zYiOK.jpg)
![](https://i.imgur.com/SQcb0JO.png)

[Linux Port Forwarding Using iptables](https://www.systutorials.com/port-forwarding-using-iptables/)

**QoS:**

[Linux Advanced Routing & Traffic Control HOWTO](https://tldp.org/HOWTO/Adv-Routing-HOWTO/)

[NFQUEUE (well suited to graduate students: a convenient way to modify packets in user space)](https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/#:~:text=NFQUEUE%20is%20an%20iptables%20and%20ip6tables%20target%20which,box%3A%20iptables%20-A%20INPUT%20-j%20NFQUEUE%20--queue-num%200)

:::info
See also

[Linux CBQ](https://www.linux.org/docs/man8/tc-cbq.html): Sally Floyd and Van Jacobson, "Link-sharing and Resource Management Models for Packet Networks", IEEE/ACM Transactions on Networking, Vol.3, No.4, 1995

[Iptables Tutorial 1.1.19](https://www.linuxhowtos.org/Security/iptables.pdf)

[iptables (3): the MARK and NFQUEUE targets](https://blog.csdn.net/weixin_42639771/article/details/89352109)

[Modifying packets with nf_queue](https://blog.csdn.net/oceansw/article/details/80769377?utm_medium=distribute.pc_relevant.none-task-blog-2~default~baidujs_baidulandingword~default-9-80769377-blog-89352109.235^v36^pc_relevant_default_base&spm=1001.2101.3001.4242.6&utm_relevant_index=10)

[Learn HTTPS (SSL)](https://www.tutorialsteacher.com/https)

[Secure programming with the OpenSSL API](https://developer.ibm.com/tutorials/l-openssl/)

[The Top 5 Open-Source NIDS Solutions](https://logz.io/blog/5-open-source-nids/)
:::

![](https://i.imgur.com/8dxBIrX.gif)
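Added example, not the kernel's code: a re-implementation of the 2.4 br_mac_hash shown in the Linux Bridge section above, run over constructed MAC addresses to measure how well each address byte is spread across the forwarding table's buckets (BR_HASH_SIZE is assumed to be 256, its value in the 2.4 br_private.h). It makes the collision point concrete: five of the six bytes map onto all 256 buckets, but the two high bits of byte 0 are shifted above the folded region and lost, so addresses differing only there share 64 buckets.

```c
#include <stdio.h>

#define BR_HASH_SIZE 256  /* assumption: 1 << BR_HASH_BITS with BR_HASH_BITS 8, as in 2.4 br_private.h */

/* Same arithmetic as the 2.4 br_mac_hash: byte i ends up shifted left by 2*(5-i) bits. */
static int br_mac_hash(const unsigned char *mac)
{
    unsigned long x = mac[0];
    for (int i = 1; i < 6; i++)
        x = (x << 2) ^ mac[i];
    x ^= x >> 8;                 /* fold bits 8..15 down onto bits 0..7 */
    return (int)(x & (BR_HASH_SIZE - 1));
}

/* Hashes the 256 addresses that differ from a constructed base MAC only in
 * byte `vary_byte` (0..5) and returns how many distinct buckets they occupy.
 * 256 means a perfect spread; anything smaller means guaranteed collisions. */
int distinct_buckets(int vary_byte)
{
    unsigned char mac[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 }; /* constructed base address */
    int seen[BR_HASH_SIZE] = { 0 }, distinct = 0;
    for (int v = 0; v < 256; v++) {
        mac[vary_byte] = (unsigned char)v;
        if (seen[br_mac_hash(mac)]++ == 0) distinct++;
    }
    return distinct;
}

int main(void)
{
    /* Bytes 1..5 spread perfectly. Byte 0 is shifted up by 10 bits, so its two
     * high bits land above the folded region and only 64 buckets are reachable. */
    for (int i = 0; i < 6; i++)
        printf("varying byte %d -> %3d distinct buckets\n", i, distinct_buckets(i));
    return 0;
}
```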