Good quality of service on existing networks requires the correct implementation of two functions: performance guarantees and routing policies. Policy routing is used to allocate resources to priority applications, workgroups or servers. As the volume of traffic on networks keeps increasing, performance guarantees are obtained by controlling bandwidth according to the routing policies.
The GNU/Linux kernel has all the elements needed to adapt the policies (or organisation) of workgroups to a flexible and dynamic policy routing.
5.5. Access Control
The traffic control options are designed to manage network flows. Several techniques exist to control access to these flows.
5.5.1. Address translation
There are two modes of operation for address translation with GNU/Linux:
1. Address translation was first implemented in a static form in the iproute2 package, at the time of the 2.2.xx kernel series. The syntax is of the form:
# ip route add nat 192.200.1.0/24 via 193.233.7.64
The page Linux IP NETWORK ADDRESS TRANSLATION brings together all the historical references on this static translation mode.
2. Dynamic address translation owes its huge success to MASQUERADING. This is the feature that lets several hosts on a private network share a single public Internet address. The syntax is of the form:
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
This feature belongs to the network filtering system, which consists of a Linux kernel component (kernelspace) called netfilter and a user-space tool (userspace) called iptables.
With the arrival of the 2.4.xx kernels, Linux address translation gained a decision mechanism that controls precisely whether addresses are changed before or after the routing decision.
          _____                                     _____
         /     \                                   /     \
       PREROUTING -->[Routing ]----------------->POSTROUTING----->
         \D-NAT/     [Decision]                    \S-NAT/
                         |                            ^
                         |                            |
                         |                            |
                         |                            |
                         |                            |
                         |                            |
                         --------> Local Process ------
The diagram above is an excerpt from Linux 2.4 NAT HOWTO.
Source address translation (S-NAT) uses the POSTROUTING chain. This translation corresponds to a router-type device.
Destination address translation (D-NAT) uses the PREROUTING chain. Combined with the filtering rules described below, it allows addresses to be rewritten according to the Internet service (TCP/UDP source or destination port number) to be handled.
Figure: destination address translation (complete overview)
Following the diagram above, the syntax to apply on the firewall for destination address translation of the Web service is of the form:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 \
    -j DNAT --to 192.168.0.3:8080
5.5.2. Packet filtering
The netfilter/iptables project, covering both kernel and user-space software, is the access control mechanism of the Linux kernel. It defines the rules for passing or separating network connections.
Compared with IPChains, the previous generation of filtering system, netfilter/iptables is much more complete and rigorous (RFC compliance) in the coding of rules.
The major improvement is connection tracking, that is, filtering through state tables (stateful inspection). By maintaining the state of a connection, the filtering mechanism can associate a server (IP address + port number) with a client (IP address + port number). It can thus check that window sizes, acknowledgement numbers and sequence numbers correspond to a single transaction.
Once the state of a TCP connection is known, there are three policies (or choices) for each filtering rule:
1. ACCEPT: accept the packets.
2. DROP: refuse the packets without informing the sender.
3. REJECT: refuse the packets and inform the sender, by setting the RST bit in the case of a TCP connection or by sending an ICMP packet in the case of a UDP transaction.
A rule with its policy applies to an interface. Each interface has three chains:
1. INPUT: packets are filtered on arrival at the interface.
2. FORWARD: packets are filtered as they cross the machine. The rule then applies to input and output.
3. OUTPUT: packets are filtered as they leave the interface.
                                    _____
   Incoming                        /     \         Outgoing
          -->[Routing ]--->|FORWARD|------->
             [Decision]     \_____/        ^
                  |                        |
                  v                       ____
                 ___                     /    \
                /   \                   |OUTPUT|
               |INPUT|                   \____/
                \___/                      ^
                  |                        |
                   ----> Local Process ----
The diagram above is an excerpt from Linux 2.4 Packet Filtering HOWTO.
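As an added example (not taken from either HOWTO or from the original text), the script below puts the two halves of this section together in one iptables-restore ruleset: the MASQUERADE and D-NAT commands quoted above, plus stateful filter rules using the ACCEPT/DROP/REJECT policies just listed. It assumes ppp0 is the public interface and eth0 the private one, so the D-NAT rule matches -i ppp0 rather than the -i eth0 of the command above; the rules are only printed, not loaded.

```shell
#!/bin/sh
# Added example, not from the original text: one iptables-restore ruleset that
# combines the two NAT uses quoted above (MASQUERADE on ppp0, D-NAT of port 80
# to 192.168.0.3:8080) with stateful filtering. It assumes ppp0 is the public
# interface and eth0 the private one; nothing is applied, the rules are printed.
WAN=ppp0
LAN=eth0
WEB=192.168.0.3
WEB_PORT=8080

build_ruleset() {
  wan=$1 lan=$2 web=$3 web_port=$4
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# D-NAT runs before the routing decision: the destination is rewritten first
-A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination $web:$web_port
# S-NAT runs after the routing decision: LAN hosts leave under the public address
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Connection tracking: packets of already known connections need no per-port rule
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# FORWARD sees the packet after PREROUTING D-NAT: match the rewritten address/port
-A FORWARD -i $wan -o $lan -d $web -p tcp --dport $web_port -m conntrack --ctstate NEW -j ACCEPT
# LAN hosts may open new connections towards the Internet
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
# Refusal as described in the text: RST for TCP, ICMP error for UDP, silent DROP otherwise
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Count the rules appended to one chain of a generated ruleset (used for checks).
count_rules() { printf '%s\n' "$1" | grep -c "^-A $2 "; }

# Print the ruleset; pipe it into iptables-restore on the firewall to load it.
build_ruleset "$WAN" "$LAN" "$WEB" "$WEB_PORT"
```

The FORWARD rule for the Web server matches 192.168.0.3:8080, not the public port 80, because the filter table sees the packet only after PREROUTING has already rewritten it.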