| Rev | Author | # | Line |
|---|---|---|---|
| 1 | MichaelBordignon | 1 | Miscellaneous notes on IPTables. |
| 2 | |||
| 3 | * iptables v1.2.6a (debian stable) doesn't seem to function correctly with kernel v2.4.24 if you're using the -m owner module. I used a backport from www.backports.org (http://www.backports.org/debian/dists/stable/iptables/) version 1.2.9 which seems to work fine. | ||
| 2 | CriggieCriggie | 4 | |
| 4 | JohnMcPherson | 5 | * the "MAC" listed when logging packets is the full [MAC] header, with the two [MAC] addresses and the [Protocol] (which explains their length). |
| 5 | ChrisLowth | 6 | |
| 7 | * Some notes on some of the less well-known features of iptables: [The Hidden Treasures of Iptables|http://www.lowth.com/howto/iptables-treasures.php] | ||
| 2 | CriggieCriggie | 8 | |
| 6 | JimCheetham | 9 | ---- |
| 10 | |||
| 11 | |||
| 12 | I've seen iptables described in a number of different manners, but none of them quite manage to encapsulate all of the aspects in one go, so I often end up drawing a diagram on paper based on the three main different use-cases. These are :- | ||
| 13 | * IP packet coming from the network for a local process | ||
| 14 | * Local process sending an IP packet out to the network | ||
| 15 | * IP packet being routed through the machine | ||
| 16 | |||
| 17 | !! Types of rule | ||
| 18 | There are three different _types_ of rule. These are the "tables" in the name iptables :- | ||
| 19 | # filter - the normal "security" oriented rules, most commonly used to ACCEPT or DENY connections. | ||
| 20 | # nat - these rewrite the source or destination IP addresses, and are most often used when your machine is a router for a small network. | ||
| 21 | # mangle - these try to alter the headers of the packet, and are very rarely used. Really, don't bother with them :-) | ||
| 22 | |||
| 23 | There are five different positions that these rule types can be found in :- | ||
| 24 | # as soon as a packet arrives from the network (PREROUTING) | ||
| 25 | # just before a packet is INPUT to a local process | ||
| 26 | # just after it has been OUTPUT from one | ||
| 27 | # when a packet is being FORWARDed to another machine | ||
| 28 | # just before a packet is sent to the network (POSTROUTING) | ||
| 29 | |||
| 30 | The positions are called "chains": | ||
| 31 | |||
| 32 | <?plugin OldStyleTable | ||
| 33 | \| *table* \| *chains* | ||
| 34 | \| =filter= \| =INPUT FORWARD OUTPUT= | ||
| 35 | \| =nat= \| =PREROUTING POSTROUTING OUTPUT= | ||
| 36 | \| =mangle= \| =PREROUTING INPUT FORWARD OUTPUT POSTROUTING= | ||
| 37 | ?> | ||
| 38 | |||
| 39 | A chain is a list of rules. Each rule has a _condition_ and an _action_: | ||
| 40 | |||
| 41 | <?plugin OldStyleTable caption="a rule in a chain" | ||
| 42 | \| _condition_ \| _action_ | ||
| 43 | ?> | ||
| 44 | |||
| 45 | When a packet enters a chain, it is tested against each rule in turn. The _action_ of a rule is carried out if the _condition_ is met. Some actions cause the packet to leave the chain immediately, skipping untested rules. The actions are called TARGETS. Some popular targets are: | ||
| 46 | |||
| 47 | * ACCEPT | ||
| 48 | * DROP | ||
| 49 | * LOG | ||
| 50 | * MASQUERADE | ||
| 51 | |||
| 52 | When you configure your firewall, _you_ build this list of rules using the =iptables= tool. | ||
| 53 | |||
| 54 | !! Use-cases | ||
| 55 | |||
| 56 | ! Receiving a packet | ||
| 57 | * The network | ||
| 58 | * PREROUTING:mangle | ||
| 59 | * PREROUTING:nat | ||
| 60 | * INPUT:mangle | ||
| 61 | * INPUT:filter | ||
| 62 | * A local process | ||
| 63 | |||
| 64 | ! Sending a packet | ||
| 65 | * A local process sends a packet to the network | ||
| 66 | * OUTPUT:mangle | ||
| 67 | * OUTPUT:nat | ||
| 68 | * OUTPUT:filter | ||
| 69 | * POSTROUTING:mangle | ||
| 70 | * POSTROUTING:nat | ||
| 71 | * The network | ||
| 72 | |||
| 73 | ! Routing a packet | ||
| 74 | * The network | ||
| 75 | * PREROUTING:mangle | ||
| 76 | * PREROUTING:nat | ||
| 77 | * FORWARD:mangle | ||
| 78 | * FORWARD:filter | ||
| 79 | * POSTROUTING:mangle | ||
| 80 | * POSTROUTING:nat | ||
| 81 | * The network | ||
| 82 | |||
| 83 | The state diagram looks like this (using the GraphViz plugin) :- | ||
| 84 | |||
| 85 | <?plugin GraphViz | ||
| 86 | digraph g { | ||
| 87 | label="iptables rule traversal"; | ||
| 88 | rankdir=LR; | ||
| 89 | |||
| 90 | route [shape=diamond, label="Routing"]; | ||
| 91 | |||
| 92 | PRE [shape=box, label="mangle -> nat\\nPREROUTING"] | ||
| 93 | FORW [shape=box, label="mangle -> filter\\nFORWARD"] | ||
| 94 | POST [shape=box, label="mangle -> nat\\nPOSTROUTING"] | ||
| 95 | INPUT [shape=box, label="mangle -> filter\\nINPUT"] | ||
| 96 | OUTPUT [shape=box, label="mangle -> nat -> filter\\nOUTPUT"] | ||
| 97 | |||
| 98 | local [label="local process"] | ||
| 99 | netIN [label="network: input"] | ||
| 100 | netOUT [label="network: output"] | ||
| 101 | |||
| 102 | // Use cases | ||
| 103 | netIN -> PRE -> route [color=red] | ||
| 104 | netIN -> PRE -> route -> FORW -> POST -> netOUT [color=green] | ||
| 105 | route -> INPUT -> local [color=red] | ||
| 106 | local -> OUTPUT -> POST -> netOUT [color=blue] | ||
| 107 | |||
| 108 | |||
| 109 | use [label="Use Cases"] | ||
| 110 | routing [label="Routing a packet"] | ||
| 111 | receive [label="Receiving a packet"] | ||
| 112 | send [label="Sending a packet"] | ||
| 113 | use -> routing [color=green] | ||
| 114 | use -> receive [color=red] | ||
| 115 | use -> send [color=blue] | ||
| 116 | } | ||
| 117 | ?> | ||
| 118 | |||
| 119 | ---- | ||
| 2 | CriggieCriggie | 120 | IsomerMadeMeDoThis |
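As an added example (not part of the original wiki page, and not iptables itself), the following Python model reproduces the behaviour described above: the table:chain order of the three use-cases, rules tested in turn with the first terminal match deciding, LOG as a non-terminal target that falls through, and the chain policy as the verdict when nothing matches. The ruleset, the addresses (203.0.113.1, 192.168.1.0/24, 198.51.100.x) and the packets are constructed for the example; the conntrack state match (`-m state`) is an assumption the page does not discuss. `to_commands()` renders the same ruleset in iptables command syntax so the model can be compared with what you would actually type.

```python
# Added example: a small Python model of the iptables behaviour described on this
# page. It is not iptables; the ruleset, addresses and packets are constructed here.
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

ROUTER_IP = "203.0.113.1"                        # constructed: the router's public address
LAN = ipaddress.ip_network("192.168.1.0/24")     # constructed: the network behind it

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0
    state: str = "NEW"      # conntrack state (NEW or ESTABLISHED); assumption, not on the page

@dataclass
class Rule:
    match: str                              # the condition in iptables match syntax
    condition: Callable[[Packet], bool]     # the same condition, evaluated by the model
    target: str                             # ACCEPT, DROP, LOG, MASQUERADE, ...

@dataclass
class Chain:
    rules: List[Rule] = field(default_factory=list)
    policy: str = "ACCEPT"                  # verdict when no rule in the chain matched

# Targets that end traversal of a chain. LOG is not one of them: it records and falls through.
TERMINAL = {"ACCEPT", "DROP", "REJECT", "MASQUERADE"}

# table:chain order for the three use-cases, exactly as listed on the page.
PATHS = {
    "receive": [("mangle", "PREROUTING"), ("nat", "PREROUTING"),
                ("mangle", "INPUT"), ("filter", "INPUT")],
    "send":    [("mangle", "OUTPUT"), ("nat", "OUTPUT"), ("filter", "OUTPUT"),
                ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")],
    "route":   [("mangle", "PREROUTING"), ("nat", "PREROUTING"),
                ("mangle", "FORWARD"), ("filter", "FORWARD"),
                ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")],
}

Tables = Dict[str, Dict[str, Chain]]    # tables["filter"]["INPUT"] -> Chain

def traverse_chain(chain: Chain, pkt: Packet, log: List[str]) -> str:
    """Test the packet against each rule in turn; the first terminal match decides."""
    for rule in chain.rules:
        if not rule.condition(pkt):
            continue
        if rule.target == "LOG":
            log.append(f"LOG {pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport}")
            continue                            # keep testing the remaining rules
        if rule.target == "MASQUERADE":
            pkt.src = ROUTER_IP                 # rewrite the source address on the way out
        if rule.target in TERMINAL:
            return rule.target
    return chain.policy                         # nothing matched: the chain's policy applies

def process(tables: Tables, pkt: Packet, use_case: str, log: List[str]) -> str:
    """Send the packet through every table:chain on the use-case's path; a DROP is final."""
    for table, name in PATHS[use_case]:
        chain = tables.get(table, {}).get(name)
        if chain is not None and traverse_chain(chain, pkt, log) == "DROP":
            return "DROP"
    return "ACCEPT"

def to_commands(tables: Tables) -> List[str]:
    """Render the model ruleset as the iptables commands that would build it."""
    cmds = []
    for table, chains in tables.items():
        for name, chain in chains.items():
            if table == "filter":               # only the filter chains get a policy here
                cmds.append(f"iptables -t {table} -P {name} {chain.policy}")
            for r in chain.rules:
                parts = ["iptables", "-t", table, "-A", name, r.match, "-j", r.target]
                cmds.append(" ".join(p for p in parts if p))
    return cmds

def example_tables() -> Tables:
    """Constructed ruleset: accept ssh and replies to our own connections on INPUT,
    LOG then DROP everything else, and MASQUERADE LAN traffic the box forwards."""
    inp = Chain(policy="DROP", rules=[
        Rule("-m state --state ESTABLISHED,RELATED", lambda p: p.state != "NEW", "ACCEPT"),
        Rule("-p tcp --dport 22", lambda p: p.proto == "tcp" and p.dport == 22, "ACCEPT"),
        Rule("", lambda p: True, "LOG"),        # matches everything that got this far
    ])
    post = Chain(rules=[
        Rule(f"-s {LAN}", lambda p: ipaddress.ip_address(p.src) in LAN, "MASQUERADE"),
    ])
    return {"filter": {"INPUT": inp}, "nat": {"POSTROUTING": post}}

def demo() -> Tuple[Dict[str, str], List[str], str]:
    """Run four constructed packets through the ruleset; returns the verdicts, the log,
    and the source address of the forwarded packet after POSTROUTING."""
    tables, log = example_tables(), []
    ssh = Packet("198.51.100.7", ROUTER_IP, "tcp", 22)
    telnet = Packet("198.51.100.7", ROUTER_IP, "tcp", 23)
    reply = Packet("198.51.100.7", ROUTER_IP, "tcp", 40000, state="ESTABLISHED")
    fwd = Packet("192.168.1.10", "198.51.100.9", "udp", 53)
    verdicts = {"ssh": process(tables, ssh, "receive", log),
                "telnet": process(tables, telnet, "receive", log),
                "reply": process(tables, reply, "receive", log),
                "forward": process(tables, fwd, "route", log)}
    return verdicts, log, fwd.src

if __name__ == "__main__":
    print(demo())
    print("\n".join(to_commands(example_tables())))
```

The telnet packet is the instructive case: it matches the LOG rule, which records it and does not stop traversal, so the packet reaches the end of INPUT:filter and takes the chain's DROP policy. The forwarded packet never visits an INPUT chain at all; it is rewritten by MASQUERADE in POSTROUTING:nat, the last chain on the routing path.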