| ... | @@ -6,18 +6,25 @@ The OUTPUT chain determines how to treat an IP packet coming from with the devic |
... | @@ -6,18 +6,25 @@ The OUTPUT chain determines how to treat an IP packet coming from with the devic |
|
|
The Chain will list each rule by protocol, source and destination address & port
|
|
The Chain will list each rule by protocol, source and destination address & port
|
|
|
The target is a list of criteria to determine if the message should be handled by that target
|
|
The target is a list of criteria to determine if the message should be handled by that target
|
|
|
|
|
|
|
|
|
The filter table is used to filter (ACCEPT,REJECT or DROP) packets
|
|
|
|
There are three default chains defined for the filter table:
|
|
|
|
* The INPUT chain: Rules in this chain apply to packets just before they’re given to a local process.
|
|
|
|
* The OUTPUT chain: The rules here apply to packets just after they’ve been produced by a process.
|
|
|
|
* The FORWARD chain: The rules here apply to any packets that are routed through the current host.
|
|
|
|
|
|
|
|
A target must be applied to at least one of the above chains to be in use. A chain target that is not in use, but defined, may be used based on settings. For example, a wifi network may be configured with a quota or limited to certain hours. We do not use those settings or provide a means to configure them on our production tablets.
|
|
|
|
|
|
|
|
```mermaid
|
|
```mermaid
|
|
|
graph LR;
|
|
graph TD;
|
|
|
INPUT-->bw_input;
|
|
INPUT --> bw_input;
|
|
|
INPUT-->fw_INPUT;
|
|
INPUT --> fw_INPUT;
|
|
|
FORWARD-->oem_fwd;
|
|
FORWARD --> oem_fwd;
|
|
|
FORWARD-->fw_FORWARD;
|
|
FORWARD --> fw_FORWARD;
|
|
|
FORWARD-->natctrl_FORWARD;
|
|
FORWARD --> natctrl_FORWARD;
|
|
|
OUTPUT-->oem_out;
|
|
OUTPUT --> oem_out;
|
|
|
OUTPUT-->fw_OUTPUT;
|
|
OUTPUT --> fw_OUTPUT;
|
|
|
OUTPUT-->st_OUTPUT;
|
|
OUTPUT --> st_OUTPUT;
|
|
|
OUTPUT-->bw_OUTPUT;
|
|
OUTPUT --> bw_OUTPUT;
|
|
|
```
|
|
```
|
|
|
|
|
|
|
|
```
|
|
```
|
| ... | @@ -55,6 +62,8 @@ target prot opt source destination |
... | @@ -55,6 +62,8 @@ target prot opt source destination |
|
|
all -- anywhere anywhere ! quota globalAlert: 2097152 bytes
|
|
all -- anywhere anywhere ! quota globalAlert: 2097152 bytes
|
|
|
all -- anywhere anywhere owner socket exists
|
|
all -- anywhere anywhere owner socket exists
|
|
|
```
|
|
```
|
|
|
|
Allows incoming packets from tcp and udp ONLY if the socket was already created.
|
|
|
|
Filter all high frequency packets to prevent overloads.
|
|
|
|
|
|
|
|
```
|
|
```
|
|
|
Chain bw_OUTPUT (1 references)
|
|
Chain bw_OUTPUT (1 references)
|
| ... | @@ -62,6 +71,8 @@ target prot opt source destination |
... | @@ -62,6 +71,8 @@ target prot opt source destination |
|
|
all -- anywhere anywhere ! quota globalAlert: 2097152 bytes
|
|
all -- anywhere anywhere ! quota globalAlert: 2097152 bytes
|
|
|
all -- anywhere anywhere owner socket exists
|
|
all -- anywhere anywhere owner socket exists
|
|
|
```
|
|
```
|
|
|
|
Allows outgoing packets from tcp and udp ONLY if the socket was already created.
|
|
|
|
Filter all high frequency packets to prevent overloads.
|
|
|
|
|
|
|
|
```
|
|
```
|
|
|
Chain bw_costly_shared (0 references)
|
|
Chain bw_costly_shared (0 references)
|
| ... | @@ -164,5 +175,4 @@ target prot opt source destination |
... | @@ -164,5 +175,4 @@ target prot opt source destination |
|
|
CONNMARK all -- anywhere anywhere CONNMARK or 0x2000000
|
|
CONNMARK all -- anywhere anywhere CONNMARK or 0x2000000
|
|
|
NFLOG all -- anywhere anywhere
|
|
NFLOG all -- anywhere anywhere
|
|
|
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
|
|
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
|
|
|
root@rk312x:/ #
|
|
|
|
|
``` |
|
``` |
|
\ No newline at end of file |
|
|
