iptables 101

Intro
Netfilter is the packet-filtering framework compiled into the Linux kernel. It provides hooks at fixed points in the IP stack which loadable modules can use to inspect, alter, or drop packets. The implementation has two parts: the kernel portion, known as Netfilter, and the userland tool that talks to it and builds the rulesets, iptables. Note that iptables only handles IPv4; IPv6 traffic is governed by a separate ruleset managed with ip6tables, so a host locked down with iptables alone may still be wide open over IPv6.

Concepts
Tables
A table is basically a collection of chains. There are three tables of concern here: filter, nat and mangle (raw and security also exist, but are rarely needed). Every table gets the opportunity to handle a packet (via its chains) passing through the firewall, each at a different stage and in a fixed order. See the 3rd video in the "Mastering IPTables" series below for details about the way a packet traverses the different tables and chains.
  • The nat table performs network address translation. Built-in chains for nat are PREROUTING, POSTROUTING and OUTPUT (kernels from 2.6.34 on also have a nat INPUT chain).
  • The mangle table is used to change packet properties (TTL, TOS, marks). It has all five built-in chains: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.
  • The filter table is used to filter packets (accept, drop or reject them) and has the built-in chains INPUT, FORWARD and OUTPUT.
Note that iptables commands are always directed at one specific table. If the command doesn't contain the [-t table] option, it will default to the filter table, so `iptables -L` shows only filter rules and says nothing about what nat or mangle are doing.

Chains
A chain is a list of rules, which is evaluated from top to bottom. Users can define chains of their own and add a rule to a built-in chain that jumps to the custom chain (-j MYCHAIN): the packet goes through the custom chain's rules and, if none of them terminates it, returns to the rule just after the jump and continues from there.

A packet traversing the filter table will normally pass through only one of its built-in chains:
* The INPUT chain is traversed only by packets whose destination is the local system.
* The FORWARD chain is traversed only by packets passing through the local system on their way to another system (this requires IP forwarding to be enabled).
* The OUTPUT chain is traversed by packets originating on the local system, whatever their destination.
The one exception is traffic the host sends to itself (over the loopback interface, or to one of its own addresses): it is locally generated, so it traverses OUTPUT, and it is locally destined, so it then also traverses INPUT. This is why a ruleset with a DROP policy on INPUT needs an explicit rule accepting traffic on lo.

Rules
A rule is a single instruction that says "if the packet has these specific characteristics, then do the following with it". The second part of the instruction is called the rule's target. Such a target can be terminating (e.g. ACCEPT, DROP, REJECT, REDIRECT) or non-terminating (e.g. LOG, MARK): after a non-terminating target the packet continues with the next rule in the chain. When a packet matches a rule with a terminating target, the remaining rules in that chain are skipped. How far the effect reaches depends on the target: DROP and REJECT end processing of the packet entirely, whereas ACCEPT only ends traversal at the current hook and table; the packet still goes through the tables that come later (e.g. a packet accepted in the nat PREROUTING chain still has to get past the filter INPUT or FORWARD chain).

Note that Netfilter itself has four built-in targets: ACCEPT, DROP, QUEUE and RETURN; everything else (REJECT, LOG, REDIRECT, MASQUERADE, ...) is a target extension. The REJECT target behaves like DROP, but additionally sends an error back to the sender: by default an ICMP port-unreachable, or a TCP RST when --reject-with tcp-reset is given. It does not log anything; logging is what the LOG target is for, and since LOG is non-terminating it is typically placed directly before the DROP or REJECT rule.

Each of the built-in chains also has a policy, which is applied if the chain (including any user-defined chains it branched off to) doesn't contain a terminating rule that matches. E.g. the built-in chains of the filter table can have a policy of ACCEPT or DROP; if the packet traverses all rules in the chain without being terminated (accepted or dropped/rejected), the policy decides its fate. User-defined chains have no policy: a packet that reaches the end of one simply returns to the chain it was called from. For a host firewall the usual recommendation is a DROP policy on INPUT and FORWARD with explicit ACCEPT rules for what is allowed, rather than an ACCEPT policy with a list of exceptions.
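As an added example (not part of the original post): a minimal stateful host firewall written in iptables-restore format and emitted by a POSIX shell function, so the ruleset can be reviewed before it is loaded, plus a small audit function that flags filter chains left with an ACCEPT policy. It ties together the Tables, Chains and Rules sections above: a filter table with built-in chains and their policies, a user-defined chain that INPUT branches to (and that returns when nothing matches), a non-terminating LOG immediately followed by a terminating REJECT, and the conntrack rule that a practitioner wants near the top of INPUT. The SSH port, the admin network 203.0.113.0/24 and the chain name SSH_GUARD are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Emits a host firewall in
# iptables-restore format; nothing here touches the kernel until the output
# is piped into iptables-restore (as root).

SSH_PORT="${SSH_PORT:-22}"                   # assumption
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"     # assumption: documentation prefix

# Print the complete ruleset. A "*table" line opens a table, ":CHAIN POLICY"
# declares a chain (user-defined chains have no policy, hence "-"), and COMMIT
# closes the table. Lines starting with "#" are ignored by iptables-restore.
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_GUARD - [0:0]
# Traffic the host sends to itself traverses OUTPUT and then INPUT, so it
# must be accepted here or the DROP policy eats it.
-A INPUT -i lo -j ACCEPT
# Stateful rule first: replies to connections this host opened are accepted,
# anything conntrack cannot classify is dropped.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Branch off to the user-defined chain for new SSH connections.
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j SSH_GUARD
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# LOG is non-terminating: the packet falls through to the REJECT that follows.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-denied: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# User chain: only the admin network may open SSH; everything else RETURNs
# to INPUT, where the LOG/REJECT pair deals with it.
-A SSH_GUARD -s ${ADMIN_NET} -j ACCEPT
-A SSH_GUARD -j RETURN
COMMIT
EOF
}

# Audit a ruleset in iptables-save format (read from stdin): report the filter
# table's INPUT and FORWARD chains if their policy is ACCEPT. Exit status is 1
# when at least one such chain was found, 0 otherwise.
audit_policies() {
    awk '
        substr($0, 1, 1) == "*" { table = substr($0, 2) }
        table == "filter" && ($1 == ":INPUT" || $1 == ":FORWARD") && $2 == "ACCEPT" {
            printf "weak: filter chain %s has policy ACCEPT\n", substr($1, 2)
            found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# Usage when run directly: print the ruleset and audit it.
#   gen_ruleset | sudo iptables-restore --test   # parse only, do not commit
#   gen_ruleset | sudo iptables-restore          # load atomically
#   sudo iptables-save | audit_policies          # audit the live ruleset
gen_ruleset
gen_ruleset | audit_policies
```

Loading through iptables-restore replaces the whole filter table in one step, whereas a series of `iptables -A` commands leaves a window during which only part of the ruleset is in place; `iptables-restore --test` parses the file without committing it, which is the cheap check to run before touching a remote box over the very SSH port the rules restrict. None of this affects IPv6; ip6tables needs its own ruleset.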

Resources
To get up to speed with iptables, you can:
  1. Get to know more about packet filtering
  2. Read the iptables docs and some of the tutorials: 1, 2, 3, 4 and 5 (pdf).
  3. Take a look at the iptables book
  4. Study the manpages for the iptables commands (iptables, iptables-save, iptables-restore and iptables-extensions)
  5. Watch the videos below




Transcript: http://dark-code.bulix.org/z5svtd-68680


Transcript: http://dark-code.bulix.org/1hbuwh-68681


Transcript: http://dark-code.bulix.org/fl04jo-68849

Finally, an exercise:
