Penguin

Miscellaneous notes on IPTables.


I've seen iptables described in a number of different ways, but none of them quite manages to capture all of the aspects in one go, so I often end up drawing a diagram on paper based on the three main use-cases. These are :-

  • IP packet coming from the network for a local process
  • Local process sending an IP packet out to the network
  • IP packet being routed through the machine

Types of rule

There are three different types of rule. These are the "tables" in the name iptables :-

  1. filter - the normal "security" oriented rules, most commonly used to ACCEPT or DENY connections.
  2. nat - these rewrite the source or destination IP addresses, and are most often used when your machine is a router for a small network.
  3. mangle - these alter the headers of the packet, and are very rarely used. Really, don't bother with them :-)

There are five different positions that these rule types can be found in :-

  1. as soon as a packet arrives from the network (PREROUTING)
  2. just before a packet is INPUT to a local process
  3. just after it has been OUTPUT from one
  4. when a packet is being FORWARDed to another machine
  5. just before a packet is sent to the network (POSTROUTING)

The positions are called "chains":

 table    chains
 filter   INPUT FORWARD OUTPUT
 nat      PREROUTING POSTROUTING OUTPUT
 mangle   PREROUTING INPUT FORWARD OUTPUT POSTROUTING

A chain is a list of rules. Each rule has a condition and an action:

 a rule in a chain
 condition   action

When a packet enters a chain, it is tested against each rule in turn. The action of a rule is carried out if the condition is met. Some actions (such as ACCEPT and DROP) cause the packet to leave the chain immediately, skipping the untested rules; others (such as LOG) let testing continue with the next rule. The actions are called TARGETS. Some popular targets are:

  • ACCEPT
  • DROP
  • LOG
  • MASQUERADE

When you configure your firewall, you build this list of rules using the iptables tool.

Use-cases

Receiving a packet

  • The network
  • PREROUTING:mangle
  • PREROUTING:nat
  • INPUT:mangle
  • INPUT:filter
  • A local process

Sending a packet

  • A local process
  • OUTPUT:mangle
  • OUTPUT:nat
  • OUTPUT:filter
  • POSTROUTING:mangle
  • POSTROUTING:nat
  • The network

Routing a packet

  • The network
  • PREROUTING:mangle
  • PREROUTING:nat
  • FORWARD:mangle
  • FORWARD:filter
  • POSTROUTING:mangle
  • POSTROUTING:nat
  • The network
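To make the three traversal orders above and the rule semantics (condition, action, terminating versus non-terminating targets, default policy) concrete, here is an added toy model in Python; it is not part of the original page or of iptables itself. The table, chain and target names are the real ones, but the packet fields, the predicate-style conditions and the router ruleset are constructed for illustration.

```python
# Added example: a toy model of the chain traversal and rule semantics
# described on this page. Table/chain/target names are the real iptables
# ones; packets, conditions and the ruleset are constructed for illustration.
TRAVERSAL = {  # the three use-cases, in the order the chains are visited
    "receive": ["PREROUTING:mangle", "PREROUTING:nat",
                "INPUT:mangle", "INPUT:filter"],
    "send":    ["OUTPUT:mangle", "OUTPUT:nat", "OUTPUT:filter",
                "POSTROUTING:mangle", "POSTROUTING:nat"],
    "route":   ["PREROUTING:mangle", "PREROUTING:nat", "FORWARD:mangle",
                "FORWARD:filter", "POSTROUTING:mangle", "POSTROUTING:nat"],
}
# Default policy when a packet falls off the end of a filter chain (assumed default-deny).
POLICY = {"INPUT:filter": "DROP", "FORWARD:filter": "DROP"}

def walk(usecase, rules, pkt):
    """Test pkt against each rule of each chain in turn.  rules maps a
    chain name to (condition, target) pairs; condition is a predicate on
    pkt.  Returns (final verdict, list of LOG lines); NAT mutates pkt."""
    log = []
    for chain in TRAVERSAL[usecase]:
        verdict = None
        for cond, target in rules.get(chain, []):
            if not cond(pkt):
                continue
            if target == "LOG":            # non-terminating: carry on down the chain
                log.append(f"{chain} {pkt['src']}->{pkt['dst']}:{pkt['dport']}")
            elif target == "MASQUERADE":   # rewrite source address, then leave chain
                pkt["src"] = pkt["out_addr"]
                verdict = "ACCEPT"
                break
            else:                          # ACCEPT / DROP leave the chain at once
                verdict = target
                break
        if (verdict or POLICY.get(chain, "ACCEPT")) == "DROP":
            return "DROP", log             # dropped: later chains never see it
    return "ACCEPT", log

RULES = {  # constructed ruleset for a small router
    "INPUT:filter":   [(lambda p: p["dport"] == 22, "ACCEPT"),
                       (lambda p: True, "LOG")],          # log the rest, then policy
    "FORWARD:filter": [(lambda p: p["src"].startswith("192.168.1."), "ACCEPT")],
    "POSTROUTING:nat": [(lambda p: p["src"].startswith("192.168.1."), "MASQUERADE")],
}

def demo():
    ssh = {"src": "10.0.0.5", "dst": "10.0.0.1", "dport": 22, "out_addr": "203.0.113.1"}
    web = dict(ssh, dport=80)
    lan = {"src": "192.168.1.10", "dst": "198.51.100.7", "dport": 443, "out_addr": "203.0.113.1"}
    return {"ssh": walk("receive", RULES, ssh), "web": walk("receive", RULES, web),
            "lan": walk("route", RULES, lan), "lan_src_after_nat": lan["src"]}
```

Running `demo()` shows the SSH packet accepted in INPUT:filter, the port-80 packet logged and then dropped by the chain policy, and the LAN packet forwarded and source-rewritten in POSTROUTING:nat.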

The state diagram looks like this (using the GraphViz plugin) :-


IsomerMadeMeDoThis