This document uses a few terms that may need a more detailed explanation
before you read on. This section covers the most obvious ones and how I have
chosen to use them within this document.
Connection - In this document, a series of packets that relate to each other
and together form an established kind of connection. In other words, a
connection is a series of exchanged packets. In TCP this mainly means that a
connection is set up via the 3-way handshake and is then considered a connection
until it is torn down by the closing (FIN) handshake, or aborted with a RST.
DNAT - Destination Network Address Translation. DNAT refers to the technique
of translating (simply put, changing) the destination IP address of a packet,
and optionally its destination port. Together with SNAT this allows several
hosts to share a single Internet-routable IP address and still provide server
services. This is normally done by assigning different ports on the
Internet-routable IP address to different internal servers, and then telling
the Linux router where to send the traffic that arrives on each port.
Kernel space - More or less the opposite of user space: the actions that take
place within the kernel, rather than outside of it.
Stream - This term refers to a connection that sends and receives packets
that are related to each other in some fashion. Basically, I have used this
term for any kind of connection that sends two or more packets in both
directions. In TCP this may mean a connection that sends a SYN and gets a
SYN/ACK in reply, but it may also mean a connection that sends a SYN and gets
an ICMP Host Unreachable in reply. In other words, I use this term very
loosely.
SNAT - Source Network Address Translation. This refers to the techniques used
to translate the source address of a packet into another address. It makes it
possible for several hosts to share a single Internet-routable IP address,
which matters because IPv4 addresses are in short supply (IPv6 removes this
constraint).
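The following toy router illustrates how the SNAT and DNAT entries above work together: outbound LAN traffic has its source rewritten to the single public address (keeping the original source port where it is still unique, as Netfilter does), inbound traffic to a forwarded port has its destination rewritten to the inside server, and both mappings are undone for the reply direction. This is an added example, not code from the tutorial or from Netfilter; the Packet type, the Nat class, the addresses and the ports are all constructed for illustration, and the iptables rules quoted in the comments are only the approximate equivalents.

```python
# Toy model of SNAT and DNAT on a Linux router that owns one public address.
# Added example, not code from the tutorial or from Netfilter; the addresses,
# ports, the Packet type and the Nat class are all constructed for illustration.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    def __init__(self, public_ip, lan_prefix, forwards, first_free_port=1024):
        self.public_ip = public_ip
        self.lan_prefix = lan_prefix
        # Port-forwarding table: (proto, public port) -> (inside host, inside port).
        # Roughly what this iptables rule installs for one entry:
        #   iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 \
        #            -j DNAT --to-destination 192.168.1.10:80
        self.forwards = forwards
        self.next_port = first_free_port
        self.snat_out = {}     # original 5-tuple -> translated source port
        self.snat_in = {}      # (proto, translated port, remote, remote port) -> (inside host, inside port)
        self.dnat_reply = {}   # (proto, inside host, inside port, remote, remote port) -> public port

    def _is_lan(self, ip):
        return ip.startswith(self.lan_prefix)

    def _alloc_port(self, pkt):
        # Like Netfilter, keep the original source port when it is still unique for this
        # remote endpoint; otherwise hand out a fresh one so replies stay distinguishable.
        port = pkt.sport
        while (pkt.proto, port, pkt.dst, pkt.dport) in self.snat_in:
            port, self.next_port = self.next_port, self.next_port + 1
        return port

    def postrouting(self, pkt):
        """LAN -> Internet: SNAT the source so it appears to come from the public address.
        Approximate rule: iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source <public_ip>"""
        if not (self._is_lan(pkt.src) and not self._is_lan(pkt.dst)):
            return pkt
        # Replies from a forwarded server must leave with the public port, not the inside port.
        public_port = self.dnat_reply.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if public_port is not None:
            return replace(pkt, src=self.public_ip, sport=public_port)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.snat_out:   # the first packet of a connection decides the mapping
            port = self._alloc_port(pkt)
            self.snat_out[key] = port
            self.snat_in[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=self.snat_out[key])

    def prerouting(self, pkt):
        """Internet -> public address: undo SNAT for replies, otherwise apply a DNAT forward."""
        if pkt.dst != self.public_ip:
            return pkt
        inside = self.snat_in.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if inside is not None:
            return replace(pkt, dst=inside[0], dport=inside[1])
        fwd = self.forwards.get((pkt.proto, pkt.dport))
        if fwd is not None:
            self.dnat_reply[(pkt.proto, fwd[0], fwd[1], pkt.src, pkt.sport)] = pkt.dport
            return replace(pkt, dst=fwd[0], dport=fwd[1])
        return pkt   # no mapping: left for the router itself, and for the filter table to drop


def demo():
    nat = Nat("203.0.113.5", "192.168.1.", {("tcp", 8080): ("192.168.1.10", 80)})
    # Two LAN hosts happen to use the same source port towards the same server; the
    # second one must be remapped or their replies could not be told apart.
    a = nat.postrouting(Packet("tcp", "192.168.1.20", 40000, "198.51.100.7", 443))
    b = nat.postrouting(Packet("tcp", "192.168.1.21", 40000, "198.51.100.7", 443))
    reply_b = nat.prerouting(Packet("tcp", "198.51.100.7", 443, "203.0.113.5", b.sport))
    # An Internet client reaching the forwarded web server, and the server's reply.
    inbound = nat.prerouting(Packet("tcp", "198.51.100.1", 51515, "203.0.113.5", 8080))
    outbound = nat.postrouting(Packet("tcp", "192.168.1.10", 80, "198.51.100.1", 51515))
    return a, b, reply_b, inbound, outbound


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Two points worth noting from the model: the NAT decision is made once, on the first packet of a connection, and every later packet in either direction simply follows the stored mapping, which is why NAT in Netfilter depends on connection tracking; and a DNAT forward on its own only rewrites addresses, so an exposed inside server still needs matching filter rules to decide which sources may actually reach it.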
State - This term refers to the state a packet is in, either according to
RFC 793 - Transmission Control Protocol, or according to the userside states
used in Netfilter/iptables (NEW, ESTABLISHED, RELATED and INVALID). Note that
the states used, both internally and externally, do not fully follow the RFC
793 specification. The main reason is that Netfilter sits between the two
endpoints and has to make several assumptions about the connections and
packets it sees.
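To make the Connection, Stream and State entries concrete, the following small connection tracker classifies a constructed TCP exchange into the userside states NEW, ESTABLISHED and INVALID while keeping an internal per-connection state that only loosely follows the RFC 793 state machine. It is an added example, not code from the tutorial or from the kernel; the Tcp type, the ConnTrack class, the simplified state table and the packet trace are all constructed here. The loose option is modelled on the kernel's nf_conntrack_tcp_loose setting, which picks up connections mid-stream from a bare ACK.

```python
# Simplified model of how Netfilter's connection tracking classifies TCP packets into
# the userside states NEW, ESTABLISHED and INVALID while keeping an internal per-connection
# state that only loosely follows RFC 793. Added example, not code from the tutorial or
# from the kernel; the Tcp type, the ConnTrack class and the trace are constructed here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Tcp:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # any subset of "S" (SYN), "A" (ACK), "F" (FIN), "R" (RST), "P" (PSH)


class ConnTrack:
    def __init__(self, loose=True):
        # loose mirrors nf_conntrack_tcp_loose: pick up connections mid-stream from a
        # bare ACK (the kernel default) instead of insisting on having seen the SYN.
        self.loose = loose
        self.conns = {}   # connection key -> {"state": ..., "origin": (ip, port)}

    @staticmethod
    def key(p):
        # Both directions of the same connection must map to the same entry.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def track(self, p):
        """Return the userside state for one packet (what -m state --state matches)."""
        flags = set(p.flags)
        entry = self.conns.get(self.key(p))
        if entry is None:
            if flags == {"S"}:
                self.conns[self.key(p)] = {"state": "SYN_SENT", "origin": (p.src, p.sport)}
                return "NEW"
            if self.loose and "A" in flags and "R" not in flags:
                # No handshake was seen: assume an already open connection. This is why
                # "--state NEW" matches non-SYN packets unless a "! --syn" rule drops them first.
                self.conns[self.key(p)] = {"state": "ESTABLISHED", "origin": (p.src, p.sport)}
                return "NEW"
            return "INVALID"

        st = entry["state"]
        from_origin = (p.src, p.sport) == entry["origin"]
        if "R" in flags:
            new = "CLOSE"
        elif st == "SYN_SENT" and not from_origin and flags == {"S", "A"}:
            new = "SYN_RECV"            # the reply SYN/ACK
        elif st == "SYN_SENT" and from_origin and flags == {"S"}:
            new = st                    # retransmitted SYN
        elif st == "SYN_RECV" and from_origin and flags == {"A"}:
            new = "ESTABLISHED"         # handshake complete
        elif st == "ESTABLISHED" and "F" in flags:
            new = "FIN_WAIT"            # first FIN, from either side
        elif st == "FIN_WAIT" and "F" in flags:
            new = "LAST_ACK"            # second FIN
        elif st == "LAST_ACK" and flags == {"A"}:
            new = "TIME_WAIT"           # final ACK
        elif st in ("ESTABLISHED", "FIN_WAIT", "LAST_ACK", "TIME_WAIT") and "A" in flags:
            new = st                    # ordinary data or ACK traffic keeps the state
        else:
            return "INVALID"            # e.g. a SYN/ACK sent by the originator
        entry["state"] = new
        # Userside view: every packet after the first one in a tracked connection is
        # ESTABLISHED, including the SYN/ACK, which RFC 793 would not call established yet.
        return "ESTABLISHED"


def run_trace(loose=True):
    """Constructed open/close exchange between a client and a web server, plus a stray ACK."""
    ct = ConnTrack(loose)
    client, server = ("10.0.0.2", 51000), ("10.0.0.9", 80)

    def c2s(f):
        return Tcp(*client, *server, f)

    def s2c(f):
        return Tcp(*server, *client, f)

    trace = [c2s("S"), s2c("SA"), c2s("A"), c2s("PA"), s2c("A"), c2s("FA"), s2c("FA"), c2s("A")]
    results = [(p.flags, ct.track(p), ct.conns[ct.key(p)]["state"]) for p in trace]
    stray = Tcp("10.0.0.3", 40000, "10.0.0.9", 80, "A")   # mid-stream ACK with no entry
    return results, ct.track(stray)


if __name__ == "__main__":
    for flags, userside, internal in run_trace()[0]:
        print(f"{flags:3} {userside:12} {internal}")
```

The run shows the divergence the State entry describes: only the very first packet is NEW, the server's SYN/ACK is already ESTABLISHED from the userside point of view even though RFC 793 is still in SYN-RECEIVED at that moment, and with loose tracking a bare ACK that belongs to no known connection is accepted as NEW rather than INVALID.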
User space - With this term I mean everything that takes place outside the
kernel. For example, invoking iptables -h takes place entirely outside the
kernel, while iptables -A FORWARD -p tcp -j ACCEPT takes place partially within
the kernel, since the iptables program hands the new rule over to the kernel,
which adds it to the ruleset.
Userland - See User space.
Packet - A single unit sent over a network, containing a header and a data
portion. For example, an IP packet or a TCP packet. In the Request For Comments
(RFCs) the term is not used so generally: IP packets are called datagrams,
while TCP packets are called segments. I have chosen to call pretty much
everything packets in this document for simplicity.
Segment - A TCP segment is essentially the same thing as a packet; it is the
formal term for a TCP packet.