CN104735093A - Network terminal, IP (internet protocol) port filtering system and IP port filtering method - Google Patents


Info

Publication number
CN104735093A
Authority
CN
China
Prior art keywords
white list
filtering rule
rule
network firewall
drop
Prior art date
Legal status
Pending
Application number
CN201510192659.6A
Other languages
Chinese (zh)
Inventor
张珠明
Current Assignee
Shanghai Feixun Data Communication Technology Co Ltd
Original Assignee
Shanghai Feixun Data Communication Technology Co Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies


Abstract

The invention discloses an IP (internet protocol) port filtering method. The scope of action of a blacklist filter rule is defined on the uplink of an IP port and the scope of action of a white list filter rule is defined on the downlink of the IP port. When a new white list filter rule is enabled and no white list filter rule exists in the network firewall, no drop all rule is added; when a new white list filter rule is enabled and a white list filter rule already exists in the network firewall, the drop all rule is added; when white list filter rules are deleted from the network firewall and only the drop all rule remains, the drop all rule is deleted. By defining an uplink blacklist filter mechanism, a downlink white list filter mechanism and a port filter mechanism in which the blacklist and white list coexist and take effect jointly, the rule generation conditions of the white list are adjusted to satisfy more complex and more flexible IP port filtering functions.

Description

Network terminal, IP port filtering system thereof and IP port filtering method
Technical field
The present invention relates to wireless channel adaptive technology, and specifically to a small home wireless gateway device, its IP port filtering system and its IP port filtering method.
Background technology
The port filtering function uses IP address filtering to deny data or information from a specific IP address access to the Internet. It can deny a specific port, or it can filter all ports of a specific IP address at once.
A router examines packets one by one to judge whether each one matches a packet filtering rule. Each packet has two parts: a data portion and a packet header. Filtering rules operate on the header information of packets in transit and ignore the payload content. The header information comprises: IP source address, IP destination address, encapsulation protocol (TCP, UDP or IP tunnel), TCP/UDP source port, ICMP packet type, packet input interface and packet output interface. If a match is found and the rule permits the packet, the packet is forwarded according to the information in the routing table. If a match is found and the rule denies the packet, the packet is rejected. If no rule matches, a user-configured default parameter decides whether the packet is forwarded or rejected.
Packet filtering rules let the router select traffic according to a particular service, because most services reside at well-known TCP/UDP ports. For example, the Telnet service waits for remote connections on TCP port 23, and the SMTP service waits for incoming connections on TCP port 25. To block incoming Telnet and SMTP connections, the router discards all packets whose port value is 23 or 25.
In prior-art home gateway equipment the IP port filtering function is mainly realised by adding a white list or a blacklist to the network firewall's iptables, which has the following main defects: 1) the blacklist and the white list work separately; 2) network data is not controlled according to its uplink or downlink direction; 3) the blacklist and white list cannot work at the same time; 4) the port filtering function cannot satisfy relatively complex application scenarios.
Summary of the invention
The invention provides a network terminal, its IP port filtering system and its IP port filtering method which, on the basis of supporting the blacklist and white list mechanisms separately, let the blacklist and the white list take effect simultaneously without affecting each other.
To achieve the above object, the invention provides an IP port filtering method, characterised in that the filtering method comprises:
when no white list filtering rule exists in the network firewall, no drop all rule is added when a new white list filtering rule is enabled;
when a white list filtering rule already exists in the network firewall, a drop all rule is added when a new white list filtering rule is enabled;
after any number of white list filtering rules are deleted from the network firewall, if only the drop all rule remains in the network firewall, the drop all rule is deleted as well.
The above filtering method further comprises: the scope of action of a blacklist filtering rule is defined on the uplink of the IP port.
The above filtering method further comprises: the scope of action of a white list filtering rule is defined on the downlink of the IP port.
After the above network firewall deletes any number of white list filtering rules, if white list filtering rules still remain in the network firewall, the drop all rule is not deleted.
After the above network firewall adds a new blacklist filtering rule, that blacklist filtering rule screens and filters only packets sent from the LAN side to the WAN side.
After the above network firewall adds a new white list filtering rule, that white list filtering rule screens and filters only packets sent from the WAN side to the LAN side.
An IP port filtering system, characterised in that the IP port filtering system comprises:
a filtering module, which stores and executes the uplink blacklist filtering rules, the downlink white list filtering rules, and the filtering rules by which the white list and the blacklist take effect simultaneously; the filtering rules by which the white list and the blacklist take effect simultaneously comprise: when no white list filtering rule exists in the network firewall, no drop all rule is added when a new white list filtering rule is enabled; when a white list filtering rule already exists in the network firewall, a drop all rule is added when a new white list filtering rule is enabled; after any number of white list filtering rules are deleted from the network firewall, if only the drop all rule remains in the network firewall, the drop all rule is deleted as well;
a LAN side link, for communicatively connecting the filtering module with the internal LAN;
a WAN side link, for communicatively connecting the filtering module with the external network.
A network terminal, characterised in that the network terminal includes the above IP port filtering system.
The above network terminal is a wired or wireless gateway router.
Compared with prior-art IP port filtering technology, the network terminal, IP port filtering system and IP port filtering method of the present invention have the following advantages. The invention defines uplink blacklist filtering rules, which screen and filter only packets sent from the LAN side to the WAN side and do not affect data sent from the WAN side to the LAN side, so that uplink IP communication can be controlled effectively;
the invention defines downlink white list filtering rules, which screen and filter only packets sent from the WAN side to the LAN side and do not affect data sent from the LAN side toward the WAN, so that downlink IP communication can be controlled effectively;
the invention improves the mechanism by which the downlink white list takes effect, so that the white list and the blacklist take effect simultaneously without affecting each other, making the IP port filtering mechanism more flexible;
the invention provides uplink blacklist filtering rules, downlink white list filtering rules, and filtering rules by which the white list and the blacklist take effect simultaneously, giving users a more complex and more flexible IP port filtering function and implementation mechanism.
Description of the drawings
Fig. 1 is a flow chart of the method for adding a white list filtering rule according to the present invention;
Fig. 2 is a flow chart of the method for deleting a white list filtering rule according to the present invention;
Fig. 3 is a block diagram of an IP port filtering system according to the present invention.
Embodiments
Specific embodiments of the invention are further described below in conjunction with the accompanying drawings.
Addressing the shortcomings of the traditional IP port filtering mechanism above, and considering that users may need port filtering in relatively complex situations and that the function should be realisable more flexibly, the present invention designs and proposes an IP port filtering method suitable for small household wired or wireless gateway devices. The filtering method specifically comprises: defining uplink and downlink filtering rules separately; and improving the white list rule generation so that the white list and the blacklist take effect simultaneously.
1. Defining uplink and downlink filtering rules separately specifically comprises the following two aspects:
1) Defining uplink blacklist filtering rules: the scope of action of a blacklist filtering rule is defined on the uplink of the IP port.
Specifically, if a blacklist filtering rule needs to be added, that rule restricts data communication travelling from the LAN side to the WAN side. That is, if a filtering rule is added to the blacklist, it filters and takes effect on data from the LAN side to the WAN side; it screens and filters only packets the LAN side sends to the WAN side, and does not affect data sent from the WAN side to the LAN side.
2) Defining downlink white list filtering rules: the scope of action of a white list filtering rule is defined on the downlink of the IP port.
Specifically, if a white list filter condition needs to be added, that rule restricts data communication travelling from the WAN side to the LAN side. That is, if a filtering rule is added to the white list, it filters and takes effect on data from the WAN side to the LAN side; it screens and filters only packets the WAN side sends to the LAN side, and does not affect data the LAN side sends toward the WAN.
2. Once the scopes of action of the uplink and downlink blacklist and white list have been defined, a user who enables IP port filtering can filter messages according to the filtering rules defined in the blacklist and white list. If, however, the blacklist and the white list need to take effect simultaneously, the rule generation of the white list must be adjusted, because once both lists are enabled, enabling an absolute white list causes the blacklist to fail, and the rules of both lists cannot take effect at the same time. So that enabling the white list does not affect the blacklist, the mechanism by which the white list takes effect is improved.
An absolute white list causes the blacklist to fail after it is enabled, because the white list adds a drop all rule by default once enabled. To solve this problem, the default rules of the white list are adjusted with addition and deletion operations, specifically comprising: a method for adding a white list filtering rule and a method for deleting a white list filtering rule.
As shown in Fig. 1, one embodiment of the method for adding a white list filtering rule specifically comprises the following steps:
Step 1.1: the gateway device adds a new white list filtering rule to the network firewall.
Step 1.2: the gateway device judges whether the white list rules in its network firewall are empty; if so it jumps to step 1.2.1, otherwise it jumps to step 1.3.
Step 1.2.1: there is no white list filtering rule in the network firewall, so when the new white list filtering rule is enabled no drop all rule is added; on completion the procedure for adding the white list filtering rule ends.
For example: when the white list is enabled for the first time under default conditions, if there are no other white list rules among the network firewall's iptables rules, by default no drop all rule is added, and the filtering rules of the blacklist can still take effect and work.
Step 1.3: a white list filtering rule already exists in the network firewall, so when the new white list filtering rule is enabled a drop all rule is added; on completion the procedure for adding the white list filtering rule ends.
The specific command is: "CMD: iptables -A IPFLTINFWD -o br0 -j DROP".
As shown in Fig. 2, one embodiment of the method for deleting a white list filtering rule specifically comprises the following steps:
Step 2.1: the gateway device deletes any number of white list filtering rules from the network firewall.
Step 2.2: the gateway device judges whether, after the white list filtering rules have been deleted, only the drop all rule remains in its network firewall; if so it jumps to step 2.2.1, otherwise it jumps to step 2.3.
Step 2.2.1: after the white list filtering rules are deleted, the drop all rule is deleted as well; on completion the procedure for deleting the white list filtering rule ends.
The specific command is: "CMD: iptables -D IPFLTINFWD -o br0 -j DROP".
Step 2.3: after the network firewall deletes any number of white list filtering rules, white list filtering rules still remain in the network firewall, so the drop all rule is not deleted and only the white list filtering rules of the current operation are deleted.
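As an added illustration (this is not code from the patent), the following Python model walks through the white list addition procedure of Fig. 1 and the deletion procedure of Fig. 2, and shows why the uplink blacklist of part 1 keeps working under the adjusted mechanism of part 2. The chain name IPFLTINFWD, the interface br0 and the drop all commands are taken from the text; the ACCEPT/DROP command formats for individual rules and the in-memory packet evaluation are assumptions made for this example.

```python
"""Model of the white list add/delete procedure of Fig. 1 and Fig. 2.

Constructed illustration: the gateway's firewall chain is kept in memory and
the iptables commands it would issue are recorded rather than executed.
Chain name IPFLTINFWD, interface br0 and the drop all commands come from the
patent text; the per-rule ACCEPT/DROP command formats and the packet
evaluation in allows() are assumptions made for this example.
"""
from dataclasses import dataclass, field

CHAIN = "IPFLTINFWD"
DROP_ALL_ADD = f"iptables -A {CHAIN} -o br0 -j DROP"   # step 1.3 command
DROP_ALL_DEL = f"iptables -D {CHAIN} -o br0 -j DROP"   # step 2.2.1 command


@dataclass
class Gateway:
    whitelist: list = field(default_factory=list)  # downlink (WAN -> LAN) rules
    blacklist: list = field(default_factory=list)  # uplink (LAN -> WAN) rules
    drop_all: bool = False                         # is the drop all rule present?
    issued: list = field(default_factory=list)     # commands the gateway ran

    def add_blacklist(self, match: str) -> None:
        # Uplink scope (part 1): affects only LAN -> WAN traffic. Assumed format.
        self.blacklist.append(match)
        self.issued.append(f"iptables -A {CHAIN} -i br0 {match} -j DROP")

    def add_whitelist(self, match: str) -> bool:
        """Fig. 1. Returns whether the drop all rule is present afterwards
        (step 1.2.1 -> False, step 1.3 -> True)."""
        others_exist = bool(self.whitelist)          # step 1.2 check
        self.whitelist.append(match)                 # step 1.1
        # Assumed: -I places the ACCEPT at the head of the chain so that it is
        # always evaluated before the appended DROP rule.
        self.issued.append(f"iptables -I {CHAIN} -o br0 {match} -j ACCEPT")
        if others_exist and not self.drop_all:       # step 1.3
            self.drop_all = True
            self.issued.append(DROP_ALL_ADD)
        return self.drop_all                         # False means step 1.2.1

    def delete_whitelist(self, *matches: str) -> bool:
        """Fig. 2. Returns True if the drop all rule was removed (step 2.2.1)."""
        for match in matches:                        # step 2.1: any number
            self.whitelist.remove(match)
            self.issued.append(f"iptables -D {CHAIN} -o br0 {match} -j ACCEPT")
        if self.drop_all and not self.whitelist:     # step 2.2: only drop all left
            self.drop_all = False
            self.issued.append(DROP_ALL_DEL)
            return True
        return False                                 # step 2.3: keep drop all

    def allows(self, direction: str, match: str) -> bool:
        """Assumed evaluation: 'up' is LAN -> WAN, 'down' is WAN -> LAN."""
        if direction == "up":
            return match not in self.blacklist       # only the blacklist applies
        if match in self.whitelist:
            return True
        return not self.drop_all                     # drop all decides the rest


if __name__ == "__main__":
    gw = Gateway()
    gw.add_blacklist("-p tcp --dport 23")            # block uplink Telnet
    gw.add_whitelist("-p tcp --sport 80")            # first rule: no drop all
    gw.add_whitelist("-p tcp --sport 443")           # second rule: drop all added
    gw.delete_whitelist("-p tcp --sport 80", "-p tcp --sport 443")
    print("\n".join(gw.issued))
```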
As shown in Fig. 3, the invention also discloses an IP port filtering system, which comprises: a filtering module 301, a LAN side link 302 and a WAN side link 303.
The filtering module 301 is provided with the above IP port filtering rules, comprising an uplink blacklist filtering mechanism, a downlink white list filtering mechanism, and a port filtering mechanism in which the blacklist and white list coexist and take effect jointly; by adjusting the working conditions of the rules in the white list, a more complex and more flexible IP port filtering function is achieved.
The filtering module 301 is communicatively connected to the internal LAN through the LAN side link 302.
The filtering module 301 is communicatively connected to the external network through the WAN side link 303.
The invention also discloses a network terminal which includes the above IP port filtering system. The network terminal is a wired or wireless gateway router.
Although the content of the present invention has been described in detail through the preferred embodiments above, it should be understood that the above description is not to be considered a limitation of the invention. Various modifications and substitutions will be apparent to those skilled in the art after reading the foregoing. Therefore, the scope of protection of the invention should be defined by the appended claims.

Claims (9)

1. An IP port filtering method, characterised in that the filtering method comprises:
when no white list filtering rule exists in the network firewall, no drop all rule is added when a new white list filtering rule is enabled;
when a white list filtering rule already exists in the network firewall, a drop all rule is added when a new white list filtering rule is enabled;
after any number of white list filtering rules are deleted from the network firewall, if only the drop all rule remains in the network firewall, the drop all rule is deleted as well.
2. The IP port filtering method as claimed in claim 1, characterised in that the filtering method further comprises: the scope of action of a blacklist filtering rule is defined on the uplink of the IP port.
3. The IP port filtering method as claimed in claim 1, characterised in that the filtering method further comprises: the scope of action of a white list filtering rule is defined on the downlink of the IP port.
4. The IP port filtering method as claimed in claim 1, characterised in that, after the network firewall deletes any number of white list filtering rules, if white list filtering rules still remain in the network firewall, the drop all rule is not deleted.
5. The IP port filtering method as claimed in claim 2, characterised in that, after the network firewall adds a new blacklist filtering rule, that blacklist filtering rule screens and filters only packets sent from the LAN side to the WAN side.
6. The IP port filtering method as claimed in claim 3, characterised in that, after the network firewall adds a new white list filtering rule, that white list filtering rule screens and filters only packets sent from the WAN side to the LAN side.
7. An IP port filtering system, characterised in that the IP port filtering system comprises:
a filtering module, which stores and executes the uplink blacklist filtering rules, the downlink white list filtering rules, and the filtering rules by which the white list and the blacklist take effect simultaneously; the filtering rules by which the white list and the blacklist take effect simultaneously comprise: when no white list filtering rule exists in the network firewall, no drop all rule is added when a new white list filtering rule is enabled; when a white list filtering rule already exists in the network firewall, a drop all rule is added when a new white list filtering rule is enabled; after any number of white list filtering rules are deleted from the network firewall, if only the drop all rule remains in the network firewall, the drop all rule is deleted as well;
a LAN side link, for communicatively connecting the filtering module with the internal LAN;
a WAN side link, for communicatively connecting the filtering module with the external network.
8. A network terminal, characterised in that the network terminal includes the IP port filtering system as claimed in claim 7.
9. The network terminal as claimed in claim 8, characterised in that the network terminal is a wired or wireless gateway router.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510192659.6A CN104735093A (en) 2015-04-22 2015-04-22 Network terminal, IP (internet protocol) port filtering system and IP port filtering method


Publications (1)

Publication Number Publication Date
CN104735093A true CN104735093A (en) 2015-06-24

Family

ID=53458527

Country Status (1)

Country Link
CN (1) CN104735093A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101087259A (en) * 2006-06-07 2007-12-12 深圳市都护网络科技有限公司 A system for filtering spam in Internet and its implementation method
CN101631108A (en) * 2008-07-16 2010-01-20 国际商业机器公司 Method and system for generating regular file for firewall of network server
CN103825900A (en) * 2014-02-28 2014-05-28 广州云宏信息科技有限公司 Website access method and device and filter form downloading and updating method and system

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019070216A3 (en) * 2017-10-05 2019-08-08 Icterra Bi̇lgi̇ Ve İleti̇şi̇m Teknoloji̇leri̇ Sanayi̇ Ve Ti̇caret Anoni̇m Şi̇rketi̇ Firewall effectiveness measurement with multi-port intrusion detection system
CN111147422A (en) * 2018-11-02 2020-05-12 华为技术有限公司 Method and device for controlling connection between terminal and network
CN111147422B (en) * 2018-11-02 2021-08-13 华为技术有限公司 Method and device for controlling connection between terminal and network
US11895533B2 (en) 2018-11-02 2024-02-06 Huawei Technologies Co., Ltd. Method for controlling connection between terminal and network, and related apparatus
CN114553448A (en) * 2020-11-18 2022-05-27 上海汽车集团股份有限公司 Vehicle-mounted network information safety system
CN114553448B (en) * 2020-11-18 2024-05-17 上海汽车集团股份有限公司 Vehicle-mounted network information security system
CN114245382A (en) * 2021-11-19 2022-03-25 深圳市伟文无线通讯技术有限公司 Method and system for safely accessing strange wifi through mobile router

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20150624