Miscellaneous notes on IPTables.

• iptables v1.2.6a (debian stable) doesn't seem to function correctly with kernel v2.4.24 if you're using the -m owner module. I used a backport from www.backports.org (http://www.backports.org/debian/dists/stable/iptables/) version 1.2.9 which seems to work fine.
• the "MAC" listed when logging packets is the full MAC header, with the two MAC addresses and the Protocol (which explains their length).
• Some notes on some of the less well-known features of iptables: The Hidden Treasures of Iptables

I've seen iptables described in a number of different manners, but none of them quite manage to encapsulate all of the aspects in one go, so I often end up drawing a diagram on paper based on the three main different use-cases. These are :-

• IP packet coming from the network for a local process
• Local process sending an IP packet out to the network
• IP packet being routed through the machine

Types of rule

There are three different types of rule. These are the "tables" in the name iptables :-

1. filter - the normal "security" oriented rules, most commonly used to ACCEPT or DENY connections.
2. nat - these rewrite the source or destination IP addresses, and are most often used when your machine is a router for a small network.
3. mangle - these try to alter the headers of the packet, and are very rarely used. Really, don't bother with them :-)

There are five different positions that these rule types can be found in :-

1. as soon as a packet arrives from the network (PREROUTING)
2. just before a packet is INPUT to a local process
3. just after it has been OUTPUT from one
4. when a packet is being FORWARDed to another machine
5. just before a packet is sent to the network (POSTROUTING)

The positions are called "chains":

A chain is a list of rules. Each rule has a condition and an action:

When a packet enters a chain, it is tested against each rule in turn. The action of a rule is carried out if the condition is met. Some actions cause the packet to leave the chain immediately, skipping untested rules. The actions are called TARGETS. Some popular targets are:

• ACCEPT
• DROP
• LOG
• MASQUERADE

When you configure your firewall, you build this list of rules using the iptables tool.

Use-cases

Receiving a packet

• The network
• PREROUTING:mangle
• PREROUTING:nat
• INPUT:mangle
• INPUT:filter
• A local process

Sending a packet

• A local process sends a packet to the network
• OUTPUT:mangle
• OUTPUT:nat
• OUTPUT:filter
• POSTROUTING:mangle
• POSTROUTING:nat
• The network

Routing a packet

• The network
• PREROUTING:mangle
• PREROUTING:nat
• FORWARD:mangle
• FORWARD:filter
• POSTROUTING:mangle
• POSTROUTING:nat
• The network

The state diagram looks like this (using the GraphViz? plugin) :-

IsomerMadeMeDoThis