Using User-Defined Chains

As you may remember, you can configure iptables to have user-defined chains. This feature is frequently used to streamline the processing of packets. For example, instead of using a single built-in chain for all protocols, you can use the built-in chain only to determine the protocol of the packet and then hand off the final processing to a user-defined, protocol-specific chain in the filter table. In other words, you can replace one long chain with a stubby main chain pointing to multiple stubby chains, so that any given packet is compared against far fewer rules. For example:

     # Create the four user-defined chains before appending rules to them
     iptables -N fast-input-queue
     iptables -N fast-output-queue
     iptables -N icmp-queue-in
     iptables -N icmp-queue-out

     # The built-in chains hand eth0 traffic for 206.229.110.2 to the dispatch chains
     iptables -A INPUT -i eth0 -d 206.229.110.2 -j fast-input-queue
     iptables -A OUTPUT -o eth0 -s 206.229.110.2 -j fast-output-queue

     # The dispatch chains sort packets by protocol
     iptables -A fast-input-queue  -p icmp -j icmp-queue-in
     iptables -A fast-output-queue -p icmp -j icmp-queue-out

     # The protocol-specific chains make the final decision
     iptables -A icmp-queue-out -p icmp --icmp-type echo-request \
              -m state --state NEW -j ACCEPT

     iptables -A icmp-queue-in -p icmp --icmp-type echo-reply -j ACCEPT

Here six queues help improve processing speed. The table below summarizes the function of each.

Custom Queues Example Listing

Chain               Description
-----------------   ---------------------------------------------------------------
INPUT               The regular built-in INPUT chain in iptables
OUTPUT              The regular built-in OUTPUT chain in iptables
fast-input-queue    Input chain dedicated to identifying specific protocols and
                    shunting the packets to protocol-specific chains
fast-output-queue   Output chain dedicated to identifying specific protocols and
                    shunting the packets to protocol-specific chains
icmp-queue-out      Output queue dedicated to ICMP
icmp-queue-in       Input queue dedicated to ICMP
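As an added example (not code from the page), the same design written in iptables-restore format so that the chain declarations and rules load atomically, extended to dispatch TCP and UDP into their own stubby chains; the tcp/udp chain names, the DROP policies and the ports are assumptions. A second function checks that every jump target is declared before the ruleset is loaded.

```shell
#!/bin/sh
# Added example: the page's chain layout in iptables-restore format plus
# assumed tcp-queue-in / udp-queue-in chains. 206.229.110.2 and eth0 come
# from the page; policies and ports 22/53 are illustrative assumptions.
# Load with:  gen_ruleset | iptables-restore --test   (drop --test to apply)

gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:fast-input-queue - [0:0]
:fast-output-queue - [0:0]
:icmp-queue-in - [0:0]
:icmp-queue-out - [0:0]
:tcp-queue-in - [0:0]
:udp-queue-in - [0:0]
-A INPUT -i eth0 -d 206.229.110.2 -j fast-input-queue
-A OUTPUT -o eth0 -s 206.229.110.2 -j fast-output-queue
-A fast-input-queue -p icmp -j icmp-queue-in
-A fast-input-queue -p tcp -j tcp-queue-in
-A fast-input-queue -p udp -j udp-queue-in
-A fast-output-queue -p icmp -j icmp-queue-out
-A icmp-queue-out -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
-A icmp-queue-in -p icmp --icmp-type echo-reply -j ACCEPT
-A tcp-queue-in -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A udp-queue-in -p udp --dport 53 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# A packet that matches nothing in a user-defined chain returns to the
# caller and ends up at the built-in chain's policy (DROP here), so the
# stubby chains need no catch-all rule. A typo in a -j target, however,
# makes iptables-restore reject the whole ruleset; this check reads a
# ruleset from stdin and reports any jump to an undeclared chain.
check_targets() {
    ruleset=$(cat)
    declared=$(printf '%s\n' "$ruleset" | sed -n 's/^:\([^ ]*\) .*/\1/p' | tr '\n' ' ')
    targets=$(printf '%s\n' "$ruleset" | sed -n 's/.* -j \([^ ]*\).*/\1/p' | sort -u)
    for target in $targets; do
        case " ACCEPT DROP REJECT RETURN LOG $declared" in
            *" $target "*) ;;
            *) printf 'undeclared chain: %s\n' "$target"; return 1 ;;
        esac
    done
}
```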