4285ch01.fm Draft Document for Review May 4, 2007 11:35 am
30 Linux Performance and Tuning Guidelines
ACCEPT: Accept the packet and let it through.
DROP: Silently discard the packet.
REJECT: Discard the packet and send an error back to the originating host, such as an
ICMP port unreachable message or a TCP reset.
LOG: Log the matching packet (the packet continues to the next rule).
MASQUERADE, SNAT, DNAT, REDIRECT: Address translation.
Connection tracking
To provide more sophisticated firewall capabilities, Netfilter employs a connection tracking
mechanism that keeps track of the state of all network traffic. Using the TCP connection
state (refer to “Connection establishment” on page 30) and other network properties (such as
IP address, port, protocol, sequence number, acknowledgement number, ICMP type and so on),
Netfilter classifies each packet into one of the following four states:
NEW: the packet attempts to establish a new connection (for TCP, a SYN with no existing entry).
ESTABLISHED: the packet belongs to a connection that has already been seen in both directions.
RELATED: the packet is associated with an existing connection but is not part of it, for
example an FTP data connection or an ICMP error message that refers to a tracked connection.
INVALID: the packet cannot be associated with any known connection, for example because it is
malformed or arrives in a state the tracker does not expect (such as an ACK with no prior handshake).
In addition, Netfilter can use separate helper modules to perform more detailed connection
tracking by analyzing protocol-specific properties and operations. For example, there are
connection tracking helper modules for FTP, NetBIOS, TFTP, IRC and so on.
1.5.2 TCP/IP
TCP/IP has been the default network protocol for many years. The Linux TCP/IP implementation is
fairly compliant with its standards. To tune performance effectively, you should be familiar with
basic TCP/IP networking.
For additional detail, refer to the following documentation:
TCP/IP Tutorial and Technical Overview, SG24-3376.
Connection establishment
Before application data is transferred, a connection must be established between the client
and the server. The connection establishment process is called the TCP three-way handshake.
Figure 1-27 on page 31 outlines the basic connection establishment and termination process.
1. The client sends a SYN packet (a packet with the SYN flag set) to its peer server to request
a connection.
2. The server receives the packet and sends back a SYN+ACK packet.
3. The client sends an ACK packet to its peer to complete connection establishment.
Once the connection is established, application data can be transferred through the
connection. When all data has been transferred, the connection closing process starts. Either
side may initiate it; the sequence below shows the client closing first.
1. The client sends a FIN packet to the server to start the connection termination process.
2. The server sends an acknowledgement of the FIN back, and then sends its own FIN packet to
the client once it has no more data to send.
3. The client sends an ACK packet to the server to complete connection termination.
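The following is an added example, not code from the Redbook or from the Netfilter project. It ties the two passages above together: a reduced, stateful connection tracker that follows the three-way handshake and the FIN teardown just described and labels each packet NEW, ESTABLISHED, RELATED or INVALID the way a conntrack-based firewall would. The names Packet, Conn, ConnTracker and run, the sample addresses and the packet sequence are all constructed for the illustration. The loose flag mimics the effect of the real sysctl net.netfilter.nf_conntrack_tcp_loose (pick up a flow seen mid-stream instead of treating it as INVALID); the real kernel tracker additionally validates sequence and acknowledgement numbers against a window, which is omitted here.

```python
"""Reduced stateful connection tracker, in the spirit of Netfilter conntrack.
Illustration code only: it is not the kernel's nf_conntrack implementation."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Simplified TCP conntrack states (the kernel table also has LAST_ACK, TIME_WAIT, ...)
SYN_SENT, SYN_RECV, ESTAB, FIN_WAIT, CLOSE_WAIT = (
    "SYN_SENT", "SYN_RECV", "ESTABLISHED", "FIN_WAIT", "CLOSE_WAIT")


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "icmp-error"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # subset of {"SYN", "ACK", "FIN", "RST"}
    # For ICMP errors: (src, sport, dst, dport) of the packet quoted in the ICMP payload
    inner: Optional[Tuple[str, int, str, int]] = None


@dataclass
class Conn:
    state: str
    orig: Tuple[str, int]                     # (src, sport) of the side that sent the first SYN
    fin_side: Optional[Tuple[str, int]] = None  # who sent the first FIN


class ConnTracker:
    def __init__(self, loose: bool = False):
        self.loose = loose          # loose=True: adopt mid-stream flows (nf_conntrack_tcp_loose=1 analogue)
        self.table: Dict[tuple, Conn] = {}

    @staticmethod
    def key(src, sport, dst, dport):
        # Same key for both directions so request and reply share one entry
        a, b = (src, sport), (dst, dport)
        return a + b if a <= b else b + a

    def classify(self, p: Packet) -> str:
        if p.proto == "icmp-error":
            # An ICMP error (e.g. port unreachable) quoting a tracked flow is RELATED to it
            return "RELATED" if p.inner and self.key(*p.inner) in self.table else "INVALID"
        if p.proto != "tcp":
            return "INVALID"
        return self._tcp(p)

    def _tcp(self, p: Packet) -> str:
        k, f = self.key(p.src, p.sport, p.dst, p.dport), p.flags
        conn = self.table.get(k)
        syn_only = "SYN" in f and "ACK" not in f
        side = (p.src, p.sport)

        if conn is None:
            if syn_only:                          # handshake step 1
                self.table[k] = Conn(SYN_SENT, side)
                return "NEW"
            if "ACK" in f and "RST" not in f and self.loose:
                self.table[k] = Conn(ESTAB, side)  # picked up mid-stream
                return "NEW"
            return "INVALID"                      # ACK/FIN/RST with no handshake seen

        from_orig = side == conn.orig
        if "RST" in f:
            del self.table[k]                     # RST tears the tracked connection down
            return "ESTABLISHED"

        s = conn.state
        if s == SYN_SENT:
            if syn_only and from_orig:            # retransmitted SYN
                return "NEW"
            if {"SYN", "ACK"} <= f and not from_orig:
                conn.state = SYN_RECV             # handshake step 2
                return "ESTABLISHED"
            return "INVALID"
        if s == SYN_RECV:
            if {"SYN", "ACK"} <= f and not from_orig:
                return "ESTABLISHED"              # retransmitted SYN+ACK
            if "ACK" in f and "SYN" not in f and from_orig:
                conn.state = ESTAB                # handshake step 3: connection established
                return "ESTABLISHED"
            return "INVALID"
        if "SYN" in f:
            return "INVALID"                      # SYN inside an established flow
        if s == ESTAB:
            if "FIN" in f:                        # teardown step 1
                conn.state, conn.fin_side = FIN_WAIT, side
            return "ESTABLISHED"
        if s == FIN_WAIT:
            if "FIN" in f and side != conn.fin_side:
                conn.state = CLOSE_WAIT           # teardown step 2: second FIN seen
            return "ESTABLISHED"
        if "ACK" in f and "FIN" not in f:         # CLOSE_WAIT: teardown step 3, final ACK
            del self.table[k]
            return "ESTABLISHED"
        return "INVALID"


# Constructed sample traffic: a full client/server session as in the text above
C, S = "10.0.0.5", "10.0.0.9"


def tcp(src, sport, dst, dport, *flags):
    return Packet("tcp", src, dst, sport, dport, frozenset(flags))


SESSION = [
    tcp(C, 40000, S, 80, "SYN"),              # 1. client SYN
    tcp(S, 80, C, 40000, "SYN", "ACK"),       # 2. server SYN+ACK
    tcp(C, 40000, S, 80, "ACK"),              # 3. client ACK
    tcp(C, 40000, S, 80, "ACK"),              # data
    tcp(S, 80, C, 40000, "ACK"),              # data
    tcp(C, 40000, S, 80, "FIN", "ACK"),       # close 1: client FIN
    tcp(S, 80, C, 40000, "ACK"),              # close 2: server ACKs the FIN ...
    tcp(S, 80, C, 40000, "FIN", "ACK"),       # ... and sends its own FIN
    tcp(C, 40000, S, 80, "ACK"),              # close 3: final ACK
]
STRAY = tcp("198.51.100.7", 5555, S, 80, "ACK")   # ACK with no handshake


def run(packets, loose=False):
    """Classify a packet list in order; returns the conntrack label for each packet."""
    t = ConnTracker(loose=loose)
    return [t.classify(p) for p in packets]


if __name__ == "__main__":
    for p, label in zip(SESSION, run(SESSION)):
        print(sorted(p.flags), p.src, "->", p.dst, label)
    print("stray ACK:", run([STRAY]), "with loose pickup:", run([STRAY], loose=True))
```

With loose pickup off, the stray ACK is INVALID, which is why a rule set that drops INVALID and only accepts ESTABLISHED,RELATED traffic on the return path blocks ACK scans and spoofed mid-stream segments; with the pickup enabled (the kernel default) such a segment opens a new entry instead, so a firewall relying on state alone needs an explicit rule for packets that are NEW but not SYN.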