With the development of the Internet, society has become steadily more information-driven and the network now reaches into every aspect of it. This brings enormous economic and social benefits, but it also brings security risks that cannot be overlooked. The firewall is a safe, effective and widely used network security mechanism. However, a traditional packet filtering firewall examines only a packet's IP addresses, protocol and ports; it does not understand application layer protocols, so it is hard for it to protect the intranet. An application proxy gateway firewall is difficult to configure and adds considerable delay to each packet, so it easily becomes a bottleneck between the internal and external networks. Stateful inspection is therefore the most widely studied firewall technology today: each packet is checked not only against the rule table but also against a state table that tracks the status of every network session, ports are opened and closed dynamically, and sessions are subject to timeouts, which improves both the efficiency and the security of firewall filtering.

Linux is a rapidly developing operating system that is easy to manage and maintain, free to deploy, and strong in stability, robustness and low cost. As Linux servers come into wide use, their security becomes more important. The firewall proposed in this thesis aims to protect the security of a Linux server, based on a study of the Linux kernel. First, the thesis presents the principle of stateful inspection and its implementation in Linux kernel space and user space, improving traditional packet filtering with the connection tracking technology in Netfilter. Second, taking into account firewall policy, the overall design, the detailed design and the iptables user space implementation, it proposes a complete firewall design. On this basis, it implements a stateful inspection module suited to Linux server services such as FTP, DNS, SSH and Web, achieving timely analysis of data flow state and improving filtering efficiency, and realizes a safer, more reliable and high-speed stateful inspection firewall on Linux. Testing in a real deployment verified its validity and reliability, providing a basis for further development of Linux firewall technology.
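As an added illustration, not the thesis's own code, the following is a minimal iptables ruleset of the kind the abstract describes: a default-deny policy in which only the first packet of a session is matched against the per-service rule table, every later packet is admitted by the connection tracking state table, FTP data channels are opened dynamically through the conntrack helper, and idle sessions time out. It assumes iptables with the conntrack match and the nf_conntrack_ftp module; the function names and the RUN variable are this example's own.

```sh
# Added example, not the thesis's own code: a minimal connection-tracking
# ruleset for a Linux server offering FTP, DNS, SSH and HTTP. Assumes
# iptables with the conntrack match and the nf_conntrack_ftp helper.
# RUN="" installs the rules (run as root); RUN=echo only prints them.
RUN="${RUN:-}"

# Load the FTP helper so data channels are tracked as RELATED, and cap
# how long an idle session stays in the state table (session timeout).
conntrack_tuning() {
    $RUN modprobe nf_conntrack_ftp
    $RUN sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
}

stateful_ruleset() {
    # Default deny: anything neither the rule table nor the state table
    # explicitly allows is dropped.
    $RUN iptables -P INPUT DROP
    $RUN iptables -P FORWARD DROP
    $RUN iptables -P OUTPUT ACCEPT
    $RUN iptables -F INPUT

    # Loopback traffic is always local.
    $RUN iptables -A INPUT -i lo -j ACCEPT

    # Packets that fit no tracked session (bad TCP flags, stray replies)
    # are dropped before any port-based rule is consulted.
    $RUN iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

    # The core of stateful inspection: one rule admits every packet of a
    # session already in the state table, plus RELATED connections such
    # as FTP data channels announced by the helper, so no range of high
    # ports has to be left open statically.
    $RUN iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Only the first (NEW) packet of a session is checked against the
    # per-service rule table; the state rule above handles the rest.
    $RUN iptables -A INPUT -p tcp --dport 21  -m conntrack --ctstate NEW -j ACCEPT  # FTP control
    $RUN iptables -A INPUT -p udp --dport 53  -m conntrack --ctstate NEW -j ACCEPT  # DNS
    $RUN iptables -A INPUT -p tcp --dport 53  -m conntrack --ctstate NEW -j ACCEPT  # DNS over TCP
    $RUN iptables -A INPUT -p tcp --dport 22  -m conntrack --ctstate NEW -j ACCEPT  # SSH
    $RUN iptables -A INPUT -p tcp --dport 80  -m conntrack --ctstate NEW -j ACCEPT  # Web
    $RUN iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT  # Web (TLS)

    # Rate-limited log of what falls through to the default DROP policy.
    $RUN iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}
```

Run `conntrack_tuning` and then `stateful_ruleset` as root to install; with `RUN=echo` the same calls print the rule sequence for review without touching the kernel.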