Diff: IptablesNotes

Differences between current version and revision by previous author of IptablesNotes.


Newer page: version 6 Last edited on Wednesday, September 17, 2008 10:08:32 pm by JimCheetham
Older page: version 5 Last edited on Sunday, October 17, 2004 2:54:36 am by ChrisLowth
@@ -5,5 +5,116 @@
 * the "MAC" listed when logging packets is the full [MAC] header, with the two [MAC] addresses and the [Protocol] (which explains their length). 
  
 * Some notes on some of the less well-known features of iptables: [The Hidden Treasures of Iptables|http://www.lowth.com/howto/iptables-treasures.php] 
  
+----  
+  
+  
+I've seen iptables described in a number of different manners, but none of them quite manage to encapsulate all of the aspects in one go, so I often end up drawing a diagram on paper based on the three main different use-cases. These are :-  
+ * IP packet coming from the network for a local process  
+ * Local process sending an IP packet out to the network  
+ * IP packet being routed through the machine  
+  
+!! Types of rule  
+There are three different _types_ of rule. These are the "tables" in the name iptables :-  
+ # filter - the normal "security" oriented rules, most commonly used to ACCEPT or DENY connections.  
+ # nat - these rewrite the source or destination IP addresses, and are most often used when your machine is a router for a small network.  
+ # mangle - these try to alter the headers of the packet, and are very rarely used. Really, don't bother with them :-)  
+  
+There are five different positions that these rule types can be found in :-  
+ # as soon as a packet arrives from the network (PREROUTING)  
+ # just before a packet is INPUT to a local process  
+ # just after it has been OUTPUT from one  
+ # when a packet is being FORWARDed to another machine  
+ # just before a packet is sent to the network (POSTROUTING)  
+  
+The positions are called "chains":  
+  
+<?plugin OldStyleTable  
+| *table* | *chains*  
+| =filter= | =INPUT FORWARD OUTPUT=  
+| =nat= | =PREROUTING POSTROUTING OUTPUT=  
+| =mangle= | =PREROUTING INPUT FORWARD OUTPUT POSTROUTING=  
+?>  
+  
+A chain is a list of rules. Each rule has a _condition_ and an _action_:  
+  
+<?plugin OldStyleTable caption="a rule in a chain"  
+| _condition_ | _action_  
+?>  
+  
+When a packet enters a chain, it is tested against each rule in turn. The _action_ of a rule is carried out if the _condition_ is met. Some actions cause the packet to leave the chain immediately, skipping untested rules. The actions are called TARGETS. Some popular targets are:  
+  
+* ACCEPT  
+* DROP  
+* LOG  
+* MASQUERADE  
+  
+When you configure your firewall, _you_ build this list of rules using the =iptables= tool.  
+  
+!! Use-cases  
+  
+! Receiving a packet  
+* The network  
+* PREROUTING:mangle  
+* PREROUTING:nat  
+* INPUT:mangle  
+* INPUT:filter  
+* A local process  
+  
+! Sending a packet  
+* A local process sends a packet to the network  
+* OUTPUT:mangle  
+* OUTPUT:nat  
+* OUTPUT:filter  
+* POSTROUTING:mangle  
+* POSTROUTING:nat  
+* The network  
+  
+! Routing a packet  
+* The network  
+* PREROUTING:mangle  
+* PREROUTING:nat  
+* FORWARD:mangle  
+* FORWARD:filter  
+* POSTROUTING:mangle  
+* POSTROUTING:nat  
+* The network  
+  
+The state diagram looks like this (using the GraphViz plugin) :-  
+  
+<?plugin GraphViz  
+digraph g {  
+label="iptables rule traversal";  
+rankdir=LR;  
+  
+route [shape=diamond, label="Routing"];  
+  
+PRE [shape=box, label="mangle -> nat\\nPREROUTING"]  
+FORW [shape=box, label="mangle -> filter\\nFORWARD"]  
+POST [shape=box, label="mangle -> nat\\nPOSTROUTING"]  
+INPUT [shape=box, label="mangle -> filter\\nINPUT"]  
+OUTPUT [shape=box, label="mangle -> nat -> filter\\nOUTPUT"]  
+  
+local [label="local process"]  
+netIN [label="network: input"]  
+netOUT [label="network: output"]  
+  
+// Use cases  
+netIN -> PRE -> route [color=red]  
+netIN -> PRE -> route -> FORW -> POST -> netOUT [color=green]  
+route -> INPUT -> local [color=red]  
+local -> OUTPUT -> POST -> netOUT [color=blue]  
+  
+  
+use [label="Use Cases"]  
+routing [label="Routing a packet"]  
+receive [label="Receiving a packet"]  
+send [label="Sending a packet"]  
+use -> routing [color=green]  
+use -> receive [color=red]  
+use -> send [color=blue]  
+}  
+?>  
+  
+----  
 IsomerMadeMeDoThis
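Review bot: the filter description near the top of the hunk says these rules are "most commonly used to ACCEPT or DENY connections", but iptables has no DENY target (that was the ipchains name); the target list further down correctly gives DROP, so the line should read "ACCEPT or DROP (or REJECT)". In the GraphViz block, the edges `netIN -> PRE -> route` are drawn twice, once on the red line and again as the prefix of the green line, so the rendered graph shows two parallel arrows on those links; starting the green path at `route -> FORW -> POST -> netOUT [color=green]` avoids the duplication. The "A chain is a list of rules" paragraph also never says what happens when a packet reaches the end of a built-in chain without a terminating match; a sentence noting that the chain's policy (set with `iptables -P`) then decides the packet's fate would close that gap, since the policy is what makes a default-deny filter actually deny.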