Contents
6.1 Understanding the Prerouting and Postrouting chains
6.1.1 The relationship between Prerouting and Postrouting
6.1.2 Prerouting and Postrouting examples
The previous few chapters covered the commonly used RouterOS commands, and I trust everyone now knows the right way to learn them: don't memorise by rote, keep using them, and lean on `?` for help and Tab completion.
This chapter begins with some fundamentals of the RouterOS firewall. In the RouterOS beginner's tutorial I uploaded to CSDN, chapter 9 covers firewall filtering and chapter 13 covers Mangle classification and marking, so I won't repeat what is already there.
This chapter focuses on understanding the firewall fundamentals, plus the related reference material.
1. Why cover the fundamentals of the firewall
Mainly because I have found that many people's understanding of the firewall falls short. The root cause is shaky fundamentals, so their understanding is always somewhat off. That included me when I first started: the same interface would be the outbound interface one moment and the inbound interface the next, and every tutorial seemed to explain it differently.
When your own understanding is off and the tutorials disagree, going straight to the official documentation is a good choice.
2. Learning material on the firewall
The RouterOS firewall is based on Linux iptables. First understand the official RouterOS Firewall documentation, then look at Linux iptables; combining the two gives a deeper understanding.
I found a website with a series dedicated to the iptables firewall that I thought was good, and I have uploaded it to CSDN for download. Beginners only need to read chapter 1, "iptables详解(1):iptables概念" (iptables explained (1): iptables concepts), which essentially comes down to understanding the overall packet flow in a single diagram.

3. Firewall fundamentals: connection states
For the connection states of the RouterOS firewall, the official RouterOS documentation already gives an explanation:
- NEW - The NEW state tells us that the packet is the first packet that we see. This means that the first packet that the conntrack module sees, within a specific connection, will be matched. For example, if we see a SYN packet and it is the first packet in a connection that we see, it will match;
- ESTABLISHED - The ESTABLISHED state has seen traffic in both directions and will then continuously match those packets. ESTABLISHED connections are fairly easy to understand. The only requirement to get into an ESTABLISHED state is that one host sends a packet and that it, later on, gets a reply from the other host. The NEW state will upon receipt of the reply packet to or through the firewall change to the ESTABLISHED state;
- RELATED - A connection is considered RELATED when it is related to another already ESTABLISHED connection. For a connection to be considered as RELATED, we must first have a connection that is considered ESTABLISHED. The ESTABLISHED connection will then spawn a connection outside of the main connection. The newly spawned connection will then be considered RELATED, for example, a packet that begins the FTP data connection;
- INVALID - The INVALID state means that the packet can't be identified or that it does not have any state. It is suggested to DROP everything in this state;
- UNTRACKED - A packet that was set to bypass connection tracking in the Firewall RAW table;
If your English is weak, you can use Google Translate online; put simply, the states mean:
new – a packet that starts a new connection. The first packet we see.
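As an added example (not from the original post or from MikroTik's documentation), the ruleset below shows how a RouterOS firewall typically acts on each of the connection states listed above, and why the order of the rules matters. The interface list names `WAN`/`LAN` and the interfaces `ether1`/`bridge` are assumptions.

```routeros
# Added example: interface lists are assumed; adjust to the real interfaces.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN

/ip firewall filter
# Rules are evaluated top to bottom; the first matching rule decides.

# ESTABLISHED / RELATED: replies and spawned connections (e.g. FTP data)
# belonging to a connection conntrack already knows. Accepting them first
# means every later rule only has to reason about NEW packets.
add chain=input action=accept connection-state=established,related \
    comment="accept established/related to the router"
add chain=forward action=accept connection-state=established,related \
    comment="accept established/related through the router"

# INVALID: conntrack cannot associate the packet with any connection.
# Log a sample for detection, then drop, as the documentation suggests.
add chain=forward action=log connection-state=invalid log-prefix="fw-invalid" \
    comment="log invalid (sample for troubleshooting)"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# UNTRACKED: packets that bypassed conntrack via a raw-table notrack rule.
# They never become ESTABLISHED, so they must be allowed explicitly or dropped.
add chain=input action=drop connection-state=untracked \
    comment="drop untracked unless explicitly allowed above"

# NEW: only the first packet of a connection reaches these rules, so the
# policy decision is made once per connection rather than once per packet.
add chain=input action=accept connection-state=new in-interface-list=LAN \
    comment="LAN may open connections to the router"
add chain=input action=accept protocol=icmp comment="allow ping"
add chain=input action=drop in-interface-list=WAN \
    comment="everything else from WAN to the router is dropped"
add chain=forward action=accept connection-state=new \
    in-interface-list=LAN out-interface-list=WAN comment="LAN -> Internet"
add chain=forward action=drop connection-state=new in-interface-list=WAN \
    comment="no unsolicited inbound connections from WAN"
```

Because the established/related rules sit first, a reply packet to an outbound connection is accepted before the WAN drop rules are reached; moving the drop rules above them would break every session the LAN opens.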
ROS Firewall Fundamentals Explained