iptables、iproute2

• 内核；
• iptables manual: administration tool for IPv4 packet filtering and NAT.
• A Deep Dive into Iptables and Netfilter Architecture；这篇文章是一篇架构文件，阐述了基本概念、处理逻辑，极其清晰，必读。
  • iptables tool;
  • netfilter framework; kernel hooks.
  • table 是对 rules 的组织形式，在每个 table 中，rules 又组织成一条一条 chains。chains 决定了 rules 何时被 evaluated。
  • Targets：就是满足条件时要执行的动作 action，分：Terminating targets、Non-terminating targets。the jump target 就是一类特殊的 non-terminating target。用户自定义的链 就是通过 jump 机制实现的，作为固有链的简单扩展。

  • hooks

    
    Netfilter Hooks

  • 调用顺序（从上到下，从左到右）

    
    from left-to-right, from top-to-bottom
• 一个比利时人 iptables 培训材料，有图就感觉不错。有个2021年的 linux培训材料 pdf。
  The nat table in iptables adds two new chains. PREROUTING allows altering of packets before they reach the INPUT chain. POSTROUTING allows altering packets after they exit the OUTPUT chain.
• Iptables insert rule at top of tables ( PREPEND rule on Linux )
• How to list all iptables rules with line numbers on Linux
• The Beginner’s Guide to IP Tables: iptables 命令的初级概念和基本用法。
• iptables: The Linux Firewall Administration Program: 《Linux Firewalls, 3rd Edition》。
• How --set-mark option works on Netfilter (IPTABLES)?：对 mark 言简意赅。

This mark exists only as long as it's handled by the Linux kernel.
It's only purely virtual and internal, as it can have no existence on the wire. 
Depending on where it's used, it may be called firewall mark, fwmark or simply mark.

• MARK target @linuxtopia.org: MARK target 只在 mangle 表。
  Linux Packet Filtering and iptables 作者 Oskar Andreasson，看起来通俗易懂。
• “三次握手，四次挥手”你真的懂吗？
• ebtables manual: Ethernet bridge frame table administration.

About iptables

• iptables is a command-line firewall utility that uses policy chains to allow or block traffic. When a connection tries to establish itself on your system, iptables looks for a rule in its list to match it to. If it doesn’t find one, it resorts to the default action.
• iptables uses three different chains: input, forward, and output.
  iptables -nvL: --numeric --verbose --list，若不指定 -t --table 表示默认 filter 表。
• --line-numbers When listing rules, add line numbers to the beginning of each rule, corresponding to that rule’s position in the chain.
• iptables -nvL INPUT: 只看 INPUT chain；
• iptables -S INPUT: like iptables-save 一窥命令；
• iptables -t filter -I INPUT 1 <rule-content>: 把规则插入到第1号。
• iptables -t filter -D INPUT <rulenum>: 删除 filter 表 INPUT 链的 rulenum 这个序号的规则（使用 --line-numbers 查看规格号 rulenum）。
• -N, --new-chain chain: Create a new user-defined chain by the given name. -S 可以查看到执行各个命令。
• -P, --policy chain target: 示例 -P INPUT ACCEPT -c 53 3952
• iptables -nvL | grep policy: Policy Chain Default Behavior，一般都是 accept。
  设置命令：iptables --policy INPUT ACCEPT
• Connection-specific Responses: Accept, Drop, Reject. 以 ping 为例，分别就是：Reply ... TTL=64，Request timed out, Destination port unreachable.
• iptables -A INPUT -s 10.10.10.10 -j DROP: --append --source --jump，在 INPUT 链上加一条规则，源于 10.10.10.10 的包全部丢弃。
• The Beginner’s Guide to iptables, the Linux Firewall；

命令 iptables -t filter -nvL

• Chain ZY_auth 阻止上网
  # iptables -t filter -nvL；Chain ZY_auth 已阻止上网

命令 iptables -t nat -nvL

• Chain ZY_host 设置跳转
• 对 nat 表，重定向到 86 端口 iptables -t nat -nvL |grep "ports 86"

# iptables -t nat -nvL | grep "ports 86"
1867  103K REDIRECT   tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 86

# iptables -t nat -nvL；Chain ZY_host 设置跳转 86 端口；

• Chain ZY_auth 已放行用户
  # iptables -t nat -nvL；Chain ZY_auth 已放行用户；

最常用 filter table，也是缺省表

• The filter table is the default table. It contains the actual firewall filtering rules. The built-in chains include these: INPUT OUTPUT FORWARD

Let us try to understand rules output:
target – Tell what to do when a packet matches the rule. Typically, you ACCEPT or REJECT or DROP the packet. You can jump to another chain too.
prot – The protocol for rule.
opt – Additional options for rule.
source – The source IP address/subnet/domain name.
destination – The destination IP address/subnet/domain name.

ethernet bridge administration

• Set Up The Bridge @ tldp.org

# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.2406f2d00068       yes             eth1.0
                                                        eth2.0
                                                        eth3.0
                                                        wl0
                                                        wl1
br1             8000.000000000000       no

• STP：Spanning Tree Protocol.

iproute2

• iproute2 is a collection of userspace utilities for controlling and monitoring various aspects of networking in the Linux kernel, including routing, network interfaces, tunnels, traffic control, and network-related device drivers.
• ifconfig vs ip: What’s Difference and Comparing Network Configuration;
  Utilities obsoleted by iproute2

网络通信解析

Packet flow in Netfilter and General Networking

• Netfilter Packet Traversal: mangle nat filter prerouting forward input output postrouting
  Netfilter Packet Traversal

网络设备驱动

网络设备驱动 七层模型和TCP/IP、dev_queue_xmit 和 netif_rx 网络结构-C语言实现 网络数据传输 dev_queue_xmit

Toybox

• A implementation of over 200 Unix command line utilities.
  BSD licenses.（和GPL区别在于基于BSD许可的开源软件所做的修改可以不开源，且在BSD上面新开发的部分可以商业使用）。
• Android's command line tools.

WiFiDog

WiFiDog 无线热点认证解决方案