Differences between current version and revision by previous author of IptablesNotes.
Newer page: version 6, last edited on Wednesday, September 17, 2008 10:08:32 pm by JimCheetham
Older page: version 5, last edited on Sunday, October 17, 2004 2:54:36 am by ChrisLowth
@@ -5,5 +5,116 @@
* the "MAC" listed when logging packets is the full [MAC] header, with the two [MAC] addresses and the [Protocol] (which explains their length).
* Some notes on some of the less well-known features of iptables: [The Hidden Treasures of Iptables|http://www.lowth.com/howto/iptables-treasures.php]
+----
+
+
+I've seen iptables described in a number of different manners, but none of them quite manage to encapsulate all of the aspects in one go, so I often end up drawing a diagram on paper based on the three main different use-cases. These are :-
+ * IP packet coming from the network for a local process
+ * Local process sending an IP packet out to the network
+ * IP packet being routed through the machine
+
+!! Types of rule
+There are three different _types_ of rule. These are the "tables" in the name iptables :-
+ # filter - the normal "security" oriented rules, most commonly used to ACCEPT or DENY connections.
+ # nat - these rewrite the source or destination IP addresses, and are most often used when your machine is a router for a small network.
+ # mangle - these try to alter the headers of the packet, and are very rarely used. Really, don't bother with them :-)
+
+There are five different positions that these rule types can be found in :-
+ # as soon as a packet arrives from the network (PREROUTING)
+ # just before a packet is INPUT to a local process
+ # just after it has been OUTPUT from one
+ # when a packet is being FORWARDed to another machine
+ # just before a packet is sent to the network (POSTROUTING)
+
+The positions are called "chains":
+
+<?plugin OldStyleTable
+| *table* | *chains*
+| =filter= | =INPUT FORWARD OUTPUT=
+| =nat= | =PREROUTING POSTROUTING OUTPUT=
+| =mangle= | =PREROUTING INPUT FORWARD OUTPUT POSTROUTING=
+?>
+
+A chain is a list of rules. Each rule has a _condition_ and an _action_:
+
+<?plugin OldStyleTable caption="a rule in a chain"
+| _condition_ | _action_
+?>
+
+When a packet enters a chain, it is tested against each rule in turn. The _action_ of a rule is carried out if the _condition_ is met. Some actions cause the packet to leave the chain immediately, skipping untested rules. The actions are called TARGETS. Some popular targets are:
+
+* ACCEPT
+* DROP
+* LOG
+* MASQUERADE
+
+When you configure your firewall, _you_ build this list of rules using the =iptables= tool.
+
+!! Use-cases
+
+! Receiving a packet
+* The network
+* PREROUTING:mangle
+* PREROUTING:nat
+* INPUT:mangle
+* INPUT:filter
+* A local process
+
+! Sending a packet
+* A local process sends a packet to the network
+* OUTPUT:mangle
+* OUTPUT:nat
+* OUTPUT:filter
+* POSTROUTING:mangle
+* POSTROUTING:nat
+* The network
+
+! Routing a packet
+* The network
+* PREROUTING:mangle
+* PREROUTING:nat
+* FORWARD:mangle
+* FORWARD:filter
+* POSTROUTING:mangle
+* POSTROUTING:nat
+* The network
+
+The state diagram looks like this (using the GraphViz plugin) :-
+
+<?plugin GraphViz
+digraph g {
+label="iptables rule traversal";
+rankdir=LR;
+
+route [shape=diamond, label="Routing"];
+
+PRE [shape=box, label="mangle -> nat\\nPREROUTING"]
+FORW [shape=box, label="mangle -> filter\\nFORWARD"]
+POST [shape=box, label="mangle -> nat\\nPOSTROUTING"]
+INPUT [shape=box, label="mangle -> filter\\nINPUT"]
+OUTPUT [shape=box, label="mangle -> nat -> filter\\nOUTPUT"]
+
+local [label="local process"]
+netIN [label="network: input"]
+netOUT [label="network: output"]
+
+// Use cases
+netIN -> PRE -> route [color=red]
+netIN -> PRE -> route -> FORW -> POST -> netOUT [color=green]
+route -> INPUT -> local [color=red]
+local -> OUTPUT -> POST -> netOUT [color=blue]
+
+
+use [label="Use Cases"]
+routing [label="Routing a packet"]
+receive [label="Receiving a packet"]
+send [label="Sending a packet"]
+use -> routing [color=green]
+use -> receive [color=red]
+use -> send [color=blue]
+}
+?>
+
+----
IsomerMadeMeDoThis
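Review bot: the filter description `# filter - the normal "security" oriented rules, most commonly used to ACCEPT or DENY connections.` names a target iptables does not have; the choices are DROP (silently discard) and REJECT (discard and send an ICMP error or TCP RST back), and the target list later in the hunk already says DROP, so write "ACCEPT, DROP or REJECT" here. Two caveats readers of the traversal lists and the GraphViz diagram will trip over: the nat chains (`PREROUTING:nat`, `OUTPUT:nat`, `POSTROUTING:nat`) are consulted only for the first packet of a connection, later packets of the same connection get the same translation from the connection-tracking entry without passing through the nat rules again; and the "Receiving a packet" and "Routing a packet" lists omit the routing decision that the diagram does show between PREROUTING and INPUT/FORWARD, which is exactly why DNAT belongs in PREROUTING: the destination is rewritten before the routing decision chooses INPUT or FORWARD. The table list is also incomplete for kernels of this page's date: a fourth table, raw, with PREROUTING and OUTPUT chains, runs before the mangle chains and before connection tracking (its main use is the NOTRACK target), so the `There are three different _types_ of rule. These are the "tables" in the name iptables :-` line and the OldStyleTable should mention it. Finally, `* MASQUERADE` in the popular-targets list is valid only in the nat table's POSTROUTING chain, and a parenthetical saying so would stop readers trying it in filter; the "don't bother with them" advice for mangle is also too strong, since MARK (for policy routing) and TCPMSS (MSS clamping on PPPoE links) live there and are common on exactly the small-network routers the nat paragraph describes.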