Blame: IptablesNotes
Annotated edit history of IptablesNotes version 6, including all changes.
Rev 1, MichaelBordignon:
Miscellaneous notes on IPTables.

* iptables v1.2.6a (debian stable) doesn't seem to function correctly with kernel v2.4.24 if you're using the -m owner module. I used a backport from www.backports.org (http://www.backports.org/debian/dists/stable/iptables/) version 1.2.9 which seems to work fine.

Rev 4, JohnMcPherson:
* the "MAC" listed when logging packets is the full [MAC] header, with the two [MAC] addresses and the [Protocol] (which explains their length).

Rev 5, ChrisLowth:
* Some notes on some of the less well-known features of iptables: [The Hidden Treasures of Iptables|http://www.lowth.com/howto/iptables-treasures.php]

Rev 6, JimCheetham:
----

I've seen iptables described in a number of different manners, but none of them quite manage to encapsulate all of the aspects in one go, so I often end up drawing a diagram on paper based on the three main different use-cases. These are :-
* IP packet coming from the network for a local process
* Local process sending an IP packet out to the network
* IP packet being routed through the machine

!! Types of rule
There are three different _types_ of rule. These are the "tables" in the name iptables :-
# filter - the normal "security" oriented rules, most commonly used to ACCEPT or DENY connections.
# nat - these rewrite the source or destination IP addresses, and are most often used when your machine is a router for a small network.
# mangle - these try to alter the headers of the packet, and are very rarely used. Really, don't bother with them :-)

There are five different positions that these rule types can be found in :-
# as soon as a packet arrives from the network (PREROUTING)
# just before a packet is INPUT to a local process
# just after it has been OUTPUT from one
# when a packet is being FORWARDed to another machine
# just before a packet is sent to the network (POSTROUTING)

The positions are called "chains":

<?plugin OldStyleTable
| *table* | *chains*
| =filter= | =INPUT FORWARD OUTPUT=
| =nat= | =PREROUTING POSTROUTING OUTPUT=
| =mangle= | =PREROUTING INPUT FORWARD OUTPUT POSTROUTING=
?>

A chain is a list of rules. Each rule has a _condition_ and an _action_:

<?plugin OldStyleTable caption="a rule in a chain"
| _condition_ | _action_
?>

When a packet enters a chain, it is tested against each rule in turn. The _action_ of a rule is carried out if the _condition_ is met. Some actions cause the packet to leave the chain immediately, skipping untested rules. The actions are called TARGETS. Some popular targets are:

* ACCEPT
* DROP
* LOG
* MASQUERADE

When you configure your firewall, _you_ build this list of rules using the =iptables= tool.

!! Use-cases

! Receiving a packet
* The network
* PREROUTING:mangle
* PREROUTING:nat
* INPUT:mangle
* INPUT:filter
* A local process

! Sending a packet
* A local process sends a packet to the network
* OUTPUT:mangle
* OUTPUT:nat
* OUTPUT:filter
* POSTROUTING:mangle
* POSTROUTING:nat
* The network

! Routing a packet
* The network
* PREROUTING:mangle
* PREROUTING:nat
* FORWARD:mangle
* FORWARD:filter
* POSTROUTING:mangle
* POSTROUTING:nat
* The network

The state diagram looks like this (using the GraphViz plugin) :-

<?plugin GraphViz
digraph g {
label="iptables rule traversal";
rankdir=LR;

route [shape=diamond, label="Routing"];

// One box per hook; the label gives the order in which the tables are consulted there.
// DOT uses a single "\n" for a line break inside a label.
PRE [shape=box, label="mangle -> nat\nPREROUTING"]
FORW [shape=box, label="mangle -> filter\nFORWARD"]
POST [shape=box, label="mangle -> nat\nPOSTROUTING"]
INPUT [shape=box, label="mangle -> filter\nINPUT"]
OUTPUT [shape=box, label="mangle -> nat -> filter\nOUTPUT"]

local [label="local process"]
netIN [label="network: input"]
netOUT [label="network: output"]

// Use cases: red = receiving, green = routing, blue = sending
netIN -> PRE -> route [color=red]
netIN -> PRE -> route -> FORW -> POST -> netOUT [color=green]
route -> INPUT -> local [color=red]
local -> OUTPUT -> POST -> netOUT [color=blue]

// Legend
use [label="Use Cases"]
routing [label="Routing a packet"]
receive [label="Receiving a packet"]
send [label="Sending a packet"]
use -> routing [color=green]
use -> receive [color=red]
use -> send [color=blue]
}
?>
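To make the chain order and the rule semantics above concrete, here is a small Python model, added as an example and not part of the original notes, that walks a packet through the chains in the order the three use-cases list and applies targets the way the text describes (LOG keeps testing rules, ACCEPT/DROP/MASQUERADE leave the chain, DROP ends traversal so later chains never run). The router ruleset, the LAN prefix 192.168.1.0/24 and the WAN address 203.0.113.5 are constructed for illustration, and an empty or exhausted chain is treated as ACCEPT instead of consulting a chain policy.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional
# Chain order for the three use-cases as (table, chain), exactly as listed in the notes.
RECEIVE = [("mangle", "PREROUTING"), ("nat", "PREROUTING"), ("mangle", "INPUT"), ("filter", "INPUT")]
SEND = [("mangle", "OUTPUT"), ("nat", "OUTPUT"), ("filter", "OUTPUT"),
        ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")]
ROUTE = [("mangle", "PREROUTING"), ("nat", "PREROUTING"), ("mangle", "FORWARD"),
         ("filter", "FORWARD"), ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")]

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    log: list = field(default_factory=list)  # what LOG targets would have written

@dataclass
class Rule:
    condition: Callable[[Packet], bool]
    target: str  # ACCEPT, DROP, LOG or MASQUERADE

def run_chain(table: str, chain: str, rules: dict, pkt: Packet, wan_ip: str) -> Optional[str]:
    """Test pkt against each rule in turn; a terminating target leaves the chain at once."""
    for rule in rules.get((table, chain), []):
        if not rule.condition(pkt):
            continue
        if rule.target == "LOG":  # non-terminating: record it and keep testing rules
            pkt.log.append(f"{table}:{chain} {pkt.src}->{pkt.dst}:{pkt.dport}")
            continue
        if rule.target == "MASQUERADE":  # nat rewrites the source address to the WAN side
            pkt.src = wan_ip
        return rule.target
    return None  # fell off the end: the chain policy applies (ACCEPT in this toy model)

def traverse(path: list, rules: dict, pkt: Packet, wan_ip: str) -> tuple:
    """Walk the chains of one use-case in order; a DROP ends traversal, so later chains never run."""
    for table, chain in path:
        if run_chain(table, chain, rules, pkt, wan_ip) == "DROP":
            return "DROP", pkt
    return "ACCEPT", pkt

def router_rules() -> dict:
    """Constructed ruleset for a small-network router: ssh in, LAN forwarded and masqueraded."""
    lan = lambda p: p.src.startswith("192.168.1.")  # constructed LAN prefix
    return {
        ("filter", "INPUT"): [Rule(lambda p: p.dport == 22, "ACCEPT"),
                              Rule(lambda p: True, "LOG"), Rule(lambda p: True, "DROP")],
        ("filter", "FORWARD"): [Rule(lan, "ACCEPT"), Rule(lambda p: True, "DROP")],
        ("nat", "POSTROUTING"): [Rule(lan, "MASQUERADE")],
    }
```

Note that a forwarded packet dropped in FORWARD:filter never reaches POSTROUTING:nat, so its source address is left untouched, which is exactly what the traversal order in the diagram predicts.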

----

Rev 2, CriggieCriggie:
IsomerMadeMeDoThis