The basic concept

What is iptables?

The following explanation can be found on netfilter’s website:

iptables is the userspace command line program used to configure the Linux 2.4.x and later packet filtering ruleset. It is targeted towards system administrators.

Since Network Address Translation is also configured from the packet filter ruleset, iptables is used for this, too.

The iptables package also includes ip6tables. ip6tables is used for configuring the IPv6 packet filter.

The iptables source code is hosted at: git.netfilter.org/iptables

What is Netfilter?

From Wikipedia:

Netfilter is a software framework in the Linux kernel for managing network packets. It not only supports network address translation (NAT), but also provides firewall functions such as packet content modification and packet filtering. Using user-space application software such as iptables, nftables, ebtables and arptables to control Netfilter, system administrators can manage various network packets through the Linux operating system. In the 1990s, Netfilter was introduced into the Linux kernel in Linux 2.3.15 and was formally applied in Linux 2.4.

The main functions of Netfilter include:

  • Network address translation (NAT)
  • Packet content modification
  • Firewall functions, i.e. packet filtering

Most Linux functionality is extended in the form of modules, and Netfilter is likewise present in Linux as a set of modules. Once the Netfilter modules are loaded, Linux gains firewall functionality.

Netfilter itself does not filter packets; it simply allows packet-filtering functions to be hooked into the appropriate locations in the kernel. The Netfilter project also provides kernel infrastructure, such as connection tracking and logging, that any iptables policy can use to perform specific packet processing.

Directories where the Netfilter modules are stored:

  • /lib/modules/<uname -r>/kernel/net/ipv4/netfilter/
  • /lib/modules/<uname -r>/kernel/net/ipv6/netfilter/

Not only Netfilter has modules; iptables has modules too. They live in the /lib64/xtables/ directory, and their names start with libxt. These modules correspond one to one with the Netfilter modules. For example, /lib/modules/<uname -r>/kernel/net/netfilter/xt_conntrack.ko corresponds to /lib64/xtables/libxt_conntrack.so. When a command that relates to xt_conntrack.ko is issued, iptables checks the syntax using the libxt_conntrack.so module, the corresponding Netfilter module is loaded into kernel memory, and iptables finally writes the rule into the rule database.

What is the relationship between NetFilter and iptables?

In many cases iptables is used to configure firewall rules, but iptables is not really the firewall. We can think of it as a client-side proxy that pushes the user's security settings into the corresponding "security framework". This "security framework" is the real firewall, and its name is Netfilter.

  • Netfilter is the real firewall security framework, and it lives in kernel space.
  • iptables is a command-line tool in user space that we use to operate that framework.

Iptables basic concepts

chain

In the common scenario, iptables is used to configure a firewall. For a firewall to actually "stop fire", checkpoints must be set up in the kernel: every packet entering or leaving must pass through these checkpoints, where it is inspected and either let through if it satisfies the pass conditions or stopped if it satisfies the blocking conditions. So there are input checkpoints and output checkpoints, and a checkpoint may hold not one rule but many. When these rules are strung together they form a "chain".

In summary, there are five chains:

  • PREROUTING: the packet has just entered the network layer, before the routing decision
  • INPUT: the routing decision has determined that the packet is destined for this host (user space)
  • OUTPUT: packets sent by processes in user space, after the routing decision and before leaving through a network interface
  • FORWARD: the routing decision has determined that the packet is not for this host and is only to be forwarded
  • POSTROUTING: the packet is about to be sent out through a network interface

Packets may go through different chains according to actual conditions. If a packet needs to be forwarded, the packet will not go through the input chain to the user space, but will be forwarded directly through the forward chain and postrouting chain in the kernel space.

Therefore, according to the figure above, we can imagine the direction of packets in some common scenarios:

  • Packets sent to a process on the local machine: PREROUTING -> INPUT
  • Packets forwarded by the local machine: PREROUTING -> FORWARD -> POSTROUTING
  • Packets sent by a process on the local machine (usually a response): OUTPUT -> POSTROUTING

Each packet passing through such a "checkpoint" is matched against the rules on the "chain". If a rule's conditions are met, the action attached to that rule is executed.

table

Why are they called IP “tables”? This is because there are multiple tables in the firewall software, each table defines its own default policies and rules, and each table has a different purpose. Each “table” refers to a different type of packet processing flow.

Linux iptables has at least three tables by default.

Chain relationship

A list of rules is placed on each chain, but some of these rules are similar. For example, Type A rules filter IP addresses or ports, and Type B rules modify packets. Can we put together rules that do the same thing? Yes, we put the rules with the same function into a set, that is, the above mentioned “table”.

iptables provides the following classification of rules, or rather, iptables provides the following "tables":

  • filter table: responsible for filtering, i.e. the firewall function; kernel module iptable_filter
  • nat table: network address translation; kernel module iptable_nat
  • mangle table: takes the packet apart, modifies it and repackages it; kernel module iptable_mangle
  • raw table: disables the connection tracking mechanism that the nat table enables; kernel module iptable_raw

All the rules we define fall into these four categories; in other words, all rules exist in these four "tables".

To be specific, which tables each chain can hold rules from:

  Chain         Tables
  PREROUTING    raw, mangle, nat
  INPUT         mangle, filter, nat (nat on INPUT exists in CentOS 7 but not in CentOS 6)
  FORWARD       mangle, filter
  OUTPUT        raw, mangle, nat, filter
  POSTROUTING   mangle, nat

In practice, rules are defined through tables. The chain-first view above was chosen because it is easier to understand iptables from the checkpoint perspective, but to make the tool easier to use in practice, here is the same relationship listed per "table", showing which "chains" each applies to:

  Table (function)   Chains (hooks) that can use the table's rules
  raw                PREROUTING, OUTPUT
  mangle             PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
  nat                PREROUTING, OUTPUT, POSTROUTING (plus INPUT in CentOS 7, not in CentOS 6)
  filter             INPUT, FORWARD, OUTPUT

priority

When a packet passes through a "chain", all rules of that chain are matched, and matching always happens in a fixed sequence, one rule after another. Since rules of the same function type are grouped into a "table", which "table" on the "chain" is consulted first? This is where priority comes in.

Priority order (from highest to lowest):

raw -> mangle -> nat -> filter

The flow of data through the firewall

The rules

Rule: the firewall tries to match each packet passing through it against the specified matching conditions. Once a packet matches, it is handled according to the processing action attached to the rule.

Rules consist of matching conditions and processing actions.

Matching conditions

Matching conditions are divided into basic matching conditions and extended matching conditions.

  • Basic matching conditions:

Source IP address and destination IP address can be used as basic matching conditions.

  • Extended matching conditions:

Besides the conditions above, many other conditions can be used for matching; these are generally called extension conditions. They are actually part of Netfilter, but exist in the form of modules. Source port and destination port are examples of extended matching conditions.

Processing action

Processing actions are called targets in iptables (not quite accurately, but we will use that name for now), and they can be divided into basic and extended actions. Here are some common actions; they will be detailed and summarized in future articles:

  • ACCEPT: allows the packet to pass.
  • DROP: discards the packet immediately without sending any response. From the client's point of view the request seems to have vanished into a black hole, and it only gets a result once the timeout expires.
  • REJECT: discards the packet and, where appropriate, sends a response to the sender. The client learns of the rejection as soon as it makes the request.
  • SNAT: source address translation, which lets intranet users access the Internet using the same public IP address.
  • MASQUERADE: a special form of SNAT for dynamic, transient IP addresses.
  • DNAT: destination address translation.
  • REDIRECT: port redirection on the local machine.
  • LOG: records the packet in /var/log/messages and passes it on to the next rule. That is, nothing is done with the packet except logging it, and the following rules still match it.

The difference between DROP and REJECT is as follows: DROP discards the matched packet. REJECT discards the packet and sends an ICMP packet to the source IP address of the packet, indicating that the destination is unreachable. The sender of the former packet can only wait for the timeout, while the sender of the latter receives an ICMP unreachable message immediately.
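The chain paths, the raw -> mangle -> nat -> filter priority and the rule semantics above (rules matched in order, first terminating target wins, LOG passes the packet on, the policy applies when nothing matches), as an added Python model that is not code from the article or from the iptables project. The addresses and ports are constructed, and connection tracking (the nat table only seeing a flow's first packet) is deliberately left out.

```python
# Added toy model of iptables evaluation: chains in path order, tables inside a chain in
# priority order, rules in insertion order; LOG and DNAT are non-terminating.
TABLE_PRIORITY = ["raw", "mangle", "nat", "filter"]
TABLE_CHAINS = {  # table/chain relationship from the article (CentOS 7: nat has INPUT)
    "raw": {"PREROUTING", "OUTPUT"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
}
PATHS = {"local_in": ["PREROUTING", "INPUT"], "forward": ["PREROUTING", "FORWARD", "POSTROUTING"],
         "local_out": ["OUTPUT", "POSTROUTING"]}  # chain order per packet direction

class Firewall:
    def __init__(self, policy="ACCEPT"):
        self.rules = {t: {c: [] for c in TABLE_CHAINS[t]} for t in TABLE_PRIORITY}
        self.policy = policy  # verdict when no terminating rule matched
        self.log = []

    def add(self, table, chain, match, target):
        """Equivalent of `iptables -t TABLE -A CHAIN <match> -j TARGET`."""
        if chain not in TABLE_CHAINS[table]:
            raise ValueError(f"table {table} has no {chain} chain")
        self.rules[table][chain].append((match, target))

    def verdict(self, path, packet):
        """Return (verdict, packet as seen after any NAT) for one packet dict."""
        pkt = dict(packet)
        for chain in PATHS[path]:
            for table in TABLE_PRIORITY:
                for match, target in self.rules[table].get(chain, []):
                    if any(pkt.get(k) != v for k, v in match.items()):
                        continue  # no match, try the next rule
                    if target == "LOG":
                        self.log.append((table, chain, dict(pkt)))  # keep matching
                    elif isinstance(target, tuple) and target[0] == "DNAT":
                        pkt.update(target[1])  # rewrite; later chains see the new dst
                    else:
                        return target, pkt  # ACCEPT / DROP / REJECT end traversal
        return self.policy, pkt

def demo():
    # Constructed ruleset: DNAT an internal web server, allow SSH, log then reject telnet.
    fw = Firewall(policy="DROP")
    fw.add("nat", "PREROUTING", {"dst": "203.0.113.10", "dport": 80}, ("DNAT", {"dst": "192.0.2.5"}))
    fw.add("filter", "FORWARD", {"dst": "192.0.2.5", "dport": 80}, "ACCEPT")  # sees post-DNAT dst
    fw.add("filter", "INPUT", {"dport": 22}, "ACCEPT")
    fw.add("filter", "INPUT", {"dport": 23}, "LOG")
    fw.add("filter", "INPUT", {"dport": 23}, "REJECT")
    return fw
```

Note that the FORWARD rule must match the address after DNAT, because nat in PREROUTING has already rewritten the destination by the time the filter table on FORWARD is consulted.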
