Faculty of information technology
4.2.3 Custom filtering rules

A user can add rules that will be applied to traffic within some group; however, they cannot use such rules to grant a device access to a group of which it is not a member. If two devices share more than one group for which custom filtering rules exist, the rules from all such groups will be applied to the traffic between them.

To add support for creating custom filtering rules, the previously mentioned iptables chain cs-fw shall be utilized. Its structure will be similar to that of the cs-service chain:

    iptables -I cs-fw -m set --set ...
    iptables -I cs-fw -m set --set
    iptables -I cs-fw -j ACCEPT

Table 4.1: Depiction of how the basic operations for management of groups can be implemented.

    Operation      Implementation
    Join group     ∙ Update IP set of the group.
    Leave group    ∙ Update IP set of the group.
    Create group   ∙ Create an IP set.
                   ∙ Insert 1 rule into cs-service chain.
    Delete group   ∙ Remove 1 rule from cs-service chain.
                   ∙ Delete an IP set.

Every group shall have its own chain, where its filtering rules are stored. The only action allowed for these filters is DROP. If no filter within a group chain matches a packet, execution returns to cs-fw, and other group chains may be traversed. Thus, filters from multiple groups may be applied if two devices share more than one group.

Note the last rule, which accepts all traffic that was not dropped by any of the custom filters. It represents the default firewall policy. By changing it to DROP, and the custom filters to ACCEPT, the default policy could be switched. (Since -I inserts at the head of a chain, this rule has to be appended with -A, or inserted before the group rules, so that it actually remains the last rule.)

An unfortunate effect of having a rule that executes ACCEPT on established connections in the higher-level chain (cs-service) is that a newly added filter does not affect traffic that conntrack has already marked as established. Once all such connections expire, however, the filter is applied without exception.
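The group operations of Table 4.1 and the per-group filter chains described above, as an added example that is not the thesis' own code: a POSIX sh controller that prints the iptables/ipset commands by default and executes them only when CS_APPLY=1 is set, so the rule layout can be inspected without root. The naming (set and chain of group G both called cs-G), the hash:ip set type, the ESTABLISHED rule in cs-service, the jump from cs-service into cs-fw for intra-group traffic, and the target check in cs_add_filter are assumptions made for this example; the page shows none of them.

```shell
#!/bin/sh
# Added example (not from the thesis): controller for the group-based firewall.
# Commands are printed unless CS_APPLY=1, so the script can be read and tested
# without root or a real netfilter stack.
# Assumed naming: IP set and filter chain of group G are both called "cs-G";
# cs-service and cs-fw are the top-level chains from the text.
CS_APPLY=${CS_APPLY:-0}

cs_run() {
    if [ "$CS_APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# One-time setup. The ESTABLISHED rule is the one the text blames for delayed
# filter application; the trailing ACCEPT in cs-fw is the default policy and is
# appended (-A) so that group rules inserted later with -I stay above it.
cs_init() {
    cs_run iptables -N cs-service
    cs_run iptables -N cs-fw
    cs_run iptables -A cs-service -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    cs_run iptables -A cs-fw -j ACCEPT
}

# Create group: IP set, per-group filter chain, one dispatch rule in cs-service
# (position 2 keeps the ESTABLISHED rule first) and one in cs-fw. Both dispatch
# rules match only when source AND destination are members of the set, so a
# custom filter can never apply to, or grant, traffic outside the group
# (assumption: cs-service sends intra-group traffic on to cs-fw).
cs_create_group() {
    g=$1
    cs_run ipset create "cs-$g" hash:ip
    cs_run iptables -N "cs-$g"
    cs_run iptables -I cs-service 2 -m set --match-set "cs-$g" src -m set --match-set "cs-$g" dst -j cs-fw
    cs_run iptables -I cs-fw -m set --match-set "cs-$g" src -m set --match-set "cs-$g" dst -j "cs-$g"
}

# Delete group: remove the references first; ipset refuses to destroy a set in use.
cs_delete_group() {
    g=$1
    cs_run iptables -D cs-fw -m set --match-set "cs-$g" src -m set --match-set "cs-$g" dst -j "cs-$g"
    cs_run iptables -D cs-service -m set --match-set "cs-$g" src -m set --match-set "cs-$g" dst -j cs-fw
    cs_run iptables -F "cs-$g"
    cs_run iptables -X "cs-$g"
    cs_run ipset destroy "cs-$g"
}

# Join/leave only touch the IP set; no iptables rule changes (Table 4.1).
cs_join_group()  { cs_run ipset add "cs-$1" "$2"; }
cs_leave_group() { cs_run ipset del "cs-$1" "$2"; }

# Custom filter: the user supplies only match options; the target is forced to
# DROP. Any attempt to smuggle a target is rejected, otherwise a user could
# ACCEPT traffic that another shared group's chain would drop. The patterns are
# deliberately broad because getopt_long accepts abbreviations such as --ju;
# a whitelist of match options would be stricter still.
cs_add_filter() {
    g=$1; shift
    for a in "$@"; do
        case "$a" in
            -j*|-g*|--j*|--g*)
                echo "cs_add_filter: only DROP is allowed as target" >&2
                return 1 ;;
        esac
    done
    cs_run iptables -A "cs-$g" "$@" -j DROP
}

# Demo (dry run unless CS_APPLY=1): group "lab" with two members, telnet between
# them blocked. The addresses are constructed for the example.
cs_init
cs_create_group lab
cs_join_group lab 10.0.0.5
cs_join_group lab 10.0.0.6
cs_add_filter lab -p tcp --dport 23
```

Run as root with CS_APPLY=1 to apply the rules; hooking cs-service into the FORWARD chain is left out here. Because cs-service accepts established flows before cs-fw is reached, a filter added with cs_add_filter only bites on new connections; to apply it immediately, the matching conntrack entries have to be flushed (for example with conntrack -D from conntrack-tools, assumed to be installed), which is the trade-off the text describes.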