| Rev | Author | # | Line |
|---|---|---|---|
| 1 | MichaelBordignon | 1 | Miscellaneous notes on IPTables. |
| | | 2 | |
| | | 3 | * iptables v1.2.6a (debian stable) doesn't seem to function correctly with kernel v2.4.24 if you're using the -m owner module. I used a backport from www.backports.org (http://www.backports.org/debian/dists/stable/iptables/) version 1.2.9 which seems to work fine. |
| 2 | CriggieCriggie | 4 | |
| 4 | JohnMcPherson | 5 | * the "MAC" listed when logging packets is the full [MAC] header, with the two [MAC] addresses and the [Protocol] (which explains their length). |
| 5 | ChrisLowth | 6 | |
| | | 7 | * Some notes on some of the less well-known features of iptables: [The Hidden Treasures of Iptables\|http://www.lowth.com/howto/iptables-treasures.php] |
| 2 | CriggieCriggie | 8 | |
| 6 | JimCheetham | 9 | ---- |
| | | 10 | |
| | | 11 | |
| | | 12 | I've seen iptables described in a number of different manners, but none of them quite manage to encapsulate all of the aspects in one go, so I often end up drawing a diagram on paper based on the three main different use-cases. These are :- |
| | | 13 | * IP packet coming from the network for a local process |
| | | 14 | * Local process sending an IP packet out to the network |
| | | 15 | * IP packet being routed through the machine |
| | | 16 | |
| | | 17 | !! Types of rule |
| | | 18 | There are three different _types_ of rule. These are the "tables" in the name iptables :- |
| | | 19 | # filter - the normal "security" oriented rules, most commonly used to ACCEPT or DENY connections. |
| | | 20 | # nat - these rewrite the source or destination IP addresses, and are most often used when your machine is a router for a small network. |
| | | 21 | # mangle - these try to alter the headers of the packet, and are very rarely used. Really, don't bother with them :-) |
| | | 22 | |
| | | 23 | There are five different positions that these rule types can be found in :- |
| | | 24 | # as soon as a packet arrives from the network (PREROUTING) |
| | | 25 | # just before a packet is INPUT to a local process |
| | | 26 | # just after it has been OUTPUT from one |
| | | 27 | # when a packet is being FORWARDed to another machine |
| | | 28 | # just before a packet is sent to the network (POSTROUTING) |
| | | 29 | |
| | | 30 | The positions are called "chains": |
| | | 31 | |
| | | 32 | <?plugin OldStyleTable |
| | | 33 | \| *table* \| *chains* \| |
| | | 34 | \| =filter= \| =INPUT FORWARD OUTPUT= \| |
| | | 35 | \| =nat= \| =PREROUTING POSTROUTING OUTPUT= \| |
| | | 36 | \| =mangle= \| =PREROUTING INPUT FORWARD OUTPUT POSTROUTING= \| |
| | | 37 | ?> |
| | | 38 | |
| | | 39 | A chain is a list of rules. Each rule has a _condition_ and an _action_: |
| | | 40 | |
| | | 41 | <?plugin OldStyleTable caption="a rule in a chain" |
| | | 42 | \| _condition_ \| _action_ \| |
| | | 43 | ?> |
| | | 44 | |
| | | 45 | When a packet enters a chain, it is tested against each rule in turn. The _action_ of a rule is carried out if the _condition_ is met. Some actions cause the packet to leave the chain immediately, skipping the untested rules. The actions are called TARGETS. Some popular targets are: |
| | | 46 | |
| | | 47 | * ACCEPT |
| | | 48 | * DROP |
| | | 49 | * LOG |
| | | 50 | * MASQUERADE |
| | | 51 | |
| | | 52 | When you configure your firewall, _you_ build this list of rules using the =iptables= tool. |
| | | 53 | |
| | | 54 | !! Use-cases |
| | | 55 | |
| | | 56 | ! Receiving a packet |
| | | 57 | * The network |
| | | 58 | * PREROUTING:mangle |
| | | 59 | * PREROUTING:nat |
| | | 60 | * INPUT:mangle |
| | | 61 | * INPUT:filter |
| | | 62 | * A local process |
| | | 63 | |
| | | 64 | ! Sending a packet |
| | | 65 | * A local process sends a packet to the network |
| | | 66 | * OUTPUT:mangle |
| | | 67 | * OUTPUT:nat |
| | | 68 | * OUTPUT:filter |
| | | 69 | * POSTROUTING:mangle |
| | | 70 | * POSTROUTING:nat |
| | | 71 | * The network |
| | | 72 | |
| | | 73 | ! Routing a packet |
| | | 74 | * The network |
| | | 75 | * PREROUTING:mangle |
| | | 76 | * PREROUTING:nat |
| | | 77 | * FORWARD:mangle |
| | | 78 | * FORWARD:filter |
| | | 79 | * POSTROUTING:mangle |
| | | 80 | * POSTROUTING:nat |
| | | 81 | * The network |
| | | 82 | |
| | | 83 | The state diagram looks like this (using the GraphViz plugin) :- |
| | | 84 | |
| | | 85 | <?plugin GraphViz |
| | | 86 | digraph g { |
| | | 87 | label="iptables rule traversal"; |
| | | 88 | rankdir=LR; |
| | | 89 | |
| | | 90 | route [shape=diamond, label="Routing"]; |
| | | 91 | |
| | | 92 | PRE [shape=box, label="mangle -> nat\\nPREROUTING"] |
| | | 93 | FORW [shape=box, label="mangle -> filter\\nFORWARD"] |
| | | 94 | POST [shape=box, label="mangle -> nat\\nPOSTROUTING"] |
| | | 95 | INPUT [shape=box, label="mangle -> filter\\nINPUT"] |
| | | 96 | OUTPUT [shape=box, label="mangle -> nat -> filter\\nOUTPUT"] |
| | | 97 | |
| | | 98 | local [label="local process"] |
| | | 99 | netIN [label="network: input"] |
| | | 100 | netOUT [label="network: output"] |
| | | 101 | |
| | | 102 | // Use cases |
| | | 103 | netIN -> PRE -> route [color=red] |
| | | 104 | netIN -> PRE -> route -> FORW -> POST -> netOUT [color=green] |
| | | 105 | route -> INPUT -> local [color=red] |
| | | 106 | local -> OUTPUT -> POST -> netOUT [color=blue] |
| | | 107 | |
| | | 108 | |
| | | 109 | use [label="Use Cases"] |
| | | 110 | routing [label="Routing a packet"] |
| | | 111 | receive [label="Receiving a packet"] |
| | | 112 | send [label="Sending a packet"] |
| | | 113 | use -> routing [color=green] |
| | | 114 | use -> receive [color=red] |
| | | 115 | use -> send [color=blue] |
| | | 116 | } |
| | | 117 | ?> |
| | | 118 | |
| | | 119 | ---- |
| 2 | CriggieCriggie | 120 | IsomerMadeMeDoThis |
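As an added example (not part of the wiki page), this Python model follows the traversal order and target semantics described in the notes: rules are tested in turn, LOG is non-terminating, ACCEPT and DROP leave the chain at once, a chain with no matching terminating rule falls through to its policy, and ACCEPT in one table hands the packet on to the next (chain, table) hook on the path. The ruleset, packet fields and port number are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable
# (chain, table) hook order for the three use-cases in the notes.
PATHS = {
    "receive": [("PREROUTING", "mangle"), ("PREROUTING", "nat"),
                ("INPUT", "mangle"), ("INPUT", "filter")],
    "send": [("OUTPUT", "mangle"), ("OUTPUT", "nat"), ("OUTPUT", "filter"),
             ("POSTROUTING", "mangle"), ("POSTROUTING", "nat")],
    "forward": [("PREROUTING", "mangle"), ("PREROUTING", "nat"),
                ("FORWARD", "mangle"), ("FORWARD", "filter"),
                ("POSTROUTING", "mangle"), ("POSTROUTING", "nat")],
}
TERMINATING = {"ACCEPT", "DROP"}  # end the chain at once; LOG does not
@dataclass
class Rule:
    condition: Callable[[dict], bool]  # match test on the packet
    target: str                        # ACCEPT, DROP or LOG
@dataclass
class Chain:
    rules: list = field(default_factory=list)
    policy: str = "ACCEPT"  # verdict when no terminating rule matched

def run_chain(chain: Chain, pkt: dict, log: list) -> str:
    """Test rules in order; a terminating target skips the remaining rules."""
    for rule in chain.rules:
        if not rule.condition(pkt):
            continue
        if rule.target == "LOG":
            log.append(f"LOG {pkt}")  # non-terminating: carry on down the chain
        elif rule.target in TERMINATING:
            return rule.target
    return chain.policy

def traverse(path: str, chains: dict, pkt: dict, log: list) -> str:
    """Walk the hooks of one use-case; ACCEPT in one table passes to the next."""
    for hook in PATHS[path]:
        if run_chain(chains.get(hook, Chain()), pkt, log) == "DROP":
            return "DROP"
    return "ACCEPT"

# Constructed ruleset: log, then drop, inbound TCP/23; accept everything else.
CHAINS = {("INPUT", "filter"): Chain([
    Rule(lambda p: p["dport"] == 23, "LOG"),
    Rule(lambda p: p["dport"] == 23, "DROP"),
    Rule(lambda p: True, "ACCEPT"),
])}

def verdict_for(path: str, dport: int) -> tuple:
    log: list = []  # returns (final verdict, number of LOG lines emitted)
    return traverse(path, CHAINS, {"proto": "tcp", "dport": dport}, log), len(log)
```

Note that the same port is accepted on the forward path, because INPUT:filter is not one of its hooks; that is exactly the distinction the three use-case lists above are drawing.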