IptablesNotes
Miscellaneous notes on IPTables.

* iptables v1.2.6a (debian stable) doesn't seem to function correctly with kernel v2.4.24 if you're using the -m owner module. I used a backport from www.backports.org (http://www.backports.org/debian/dists/stable/iptables/) version 1.2.9 which seems to work fine.
* the "MAC" listed when logging packets is the full [MAC] header: the destination and source [MAC] addresses followed by the two-byte [Protocol] (EtherType) field, 14 bytes in all, which explains its length.
* Some notes on some of the less well-known features of iptables: [The Hidden Treasures of Iptables|http://www.lowth.com/howto/iptables-treasures.php]

----

I've seen iptables described in a number of different manners, but none of them quite manage to encapsulate all of the aspects in one go, so I often end up drawing a diagram on paper based on the three main use-cases. These are :-

* IP packet coming from the network for a local process
* Local process sending an IP packet out to the network
* IP packet being routed through the machine

!! Types of rule

There are three different _types_ of rule. These are the "tables" in the name iptables :-

# filter - the normal "security" oriented rules, most commonly used to ACCEPT or DROP connections.
# nat - these rewrite the source or destination IP addresses (and ports), and are most often used when your machine is a router for a small network.
# mangle - these alter other header fields of the packet (TOS, TTL) or mark it for later rules, and are very rarely used. Really, don't bother with them :-)

There are five different positions that these rule types can be found in :-

# as soon as a packet arrives from the network (PREROUTING)
# just before a packet is INPUT to a local process
# just after it has been OUTPUT from one
# when a packet is being FORWARDed to another machine
# just before a packet is sent to the network (POSTROUTING)

The positions are called "chains":

<?plugin OldStyleTable
| *table* | *chains*
| =filter= | =INPUT FORWARD OUTPUT=
| =nat= | =PREROUTING POSTROUTING OUTPUT=
| =mangle= | =PREROUTING INPUT FORWARD OUTPUT POSTROUTING=
?>

A chain is a list of rules. Each rule has a _condition_ and an _action_:

<?plugin OldStyleTable caption="a rule in a chain"
| _condition_ | _action_
?>

When a packet enters a chain, it is tested against each rule in turn. The _action_ of a rule is carried out if the _condition_ is met. Some actions (ACCEPT, DROP) cause the packet to leave the chain immediately, skipping untested rules; others (LOG) let it carry on to the next rule, which is why a LOG rule is normally placed just before the rule that drops. If no rule in a built-in chain matches, the chain's _policy_ (set with =-P=) decides. The actions are called TARGETS. Some popular targets are:

* ACCEPT
* DROP
* LOG
* MASQUERADE

When you configure your firewall, _you_ build this list of rules using the =iptables= tool.

!! Use-cases

! Receiving a packet

* The network
* PREROUTING:mangle
* PREROUTING:nat
* Routing decision (destination is local)
* INPUT:mangle
* INPUT:filter
* A local process

! Sending a packet

* A local process sends a packet to the network
* OUTPUT:mangle
* OUTPUT:nat
* OUTPUT:filter
* POSTROUTING:mangle
* POSTROUTING:nat
* The network

! Routing a packet

* The network
* PREROUTING:mangle
* PREROUTING:nat
* Routing decision (destination is another machine)
* FORWARD:mangle
* FORWARD:filter
* POSTROUTING:mangle
* POSTROUTING:nat
* The network

The state diagram looks like this (using the GraphViz plugin) :-

<?plugin GraphViz
digraph g {
    label="iptables rule traversal";
    rankdir=LR;
    route [shape=diamond, label="Routing"];
    PRE [shape=box, label="mangle -> nat\\nPREROUTING"]
    FORW [shape=box, label="mangle -> filter\\nFORWARD"]
    POST [shape=box, label="mangle -> nat\\nPOSTROUTING"]
    INPUT [shape=box, label="mangle -> filter\\nINPUT"]
    OUTPUT [shape=box, label="mangle -> nat -> filter\\nOUTPUT"]
    local [label="local process"]
    netIN [label="network: input"]
    netOUT [label="network: output"]
    // Use cases
    netIN -> PRE -> route [color=red]
    netIN -> PRE -> route -> FORW -> POST -> netOUT [color=green]
    route -> INPUT -> local [color=red]
    local -> OUTPUT -> POST -> netOUT [color=blue]
    use [label="Use Cases"]
    routing [label="Routing a packet"]
    receive [label="Receiving a packet"]
    send [label="Sending a packet"]
    use -> routing [color=green]
    use -> receive [color=red]
    use -> send [color=blue]
}
?>

----

IsomerMadeMeDoThis
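The three use-cases and the table/chain layout above, put into a ruleset for the "router for a small network" case. This is an added example and not code from the original page: the interface names, the LAN subnet and the log prefixes are assumptions. It is a dry run by default (it prints the =iptables= commands it would run, one per line, so the =-t= table and chain of every rule can be read off) and only executes them when =IPT_APPLY=1= is set, so it can be inspected without root.

```shell
#!/bin/sh
# Added example: a minimal ruleset for a small-network router, laid out by the
# three use-cases (receiving, sending, routing). Dry-run by default: prints the
# commands it would run. IPT_APPLY=1 executes them with the real iptables.
# Interface names, the LAN subnet and the log prefixes are assumptions.

# Wrapper: print the command in dry-run mode, otherwise run it.
ipt() {
    if [ "${IPT_APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables'; printf ' %s' "$@"; printf '\n'
    fi
}

build_ruleset() {
    wan=$1      # interface facing the outside world
    lan=$2      # interface facing the small network
    lan_net=$3  # address range of that network

    # Start clean: flush every table, drop user-defined chains, then set the
    # filter policies. The policy is what happens to a packet that reaches the
    # end of a built-in chain without matching any rule.
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -t mangle -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Use-case 1, receiving: PREROUTING -> routing decision -> INPUT (filter).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$lan" -p tcp --dport 22 -j ACCEPT
    # LOG does not end chain traversal, so it sits last, rate-limited, and the
    # packet then falls through to the DROP policy.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "

    # Use-case 3, routing: PREROUTING -> routing decision -> FORWARD (filter)
    # -> POSTROUTING (nat).
    ipt -A FORWARD -i "$lan" -o "$wan" -s "$lan_net" -j ACCEPT
    ipt -A FORWARD -i "$wan" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD-DROP: "
    # Source-address rewriting lives in the nat table, after the routing decision.
    ipt -t nat -A POSTROUTING -o "$wan" -s "$lan_net" -j MASQUERADE

    # Use-case 2, sending: OUTPUT (mangle -> nat -> filter) -> POSTROUTING.
    # The OUTPUT policy of ACCEPT above is all a locally generated packet needs.
}

# Assumed defaults; override with environment variables.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
build_ruleset "$WAN_IF" "$LAN_IF" "$LAN_NET"
```

Forwarding also needs =net.ipv4.ip_forward= set to 1 before the FORWARD chain sees anything; the script deliberately leaves that sysctl to you. Run it once without =IPT_APPLY= and read the output against the table above: every line that carries =-t nat= names a nat-table chain (POSTROUTING here), everything else is the filter table.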
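The MAC= field from the notes at the top of this page, decoded. The script below is an added example rather than anything from the original page: it pulls the MAC= value out of a kernel LOG line and splits it into destination MAC, source MAC and EtherType, which is the "[Protocol]" part of the header. The log line it works on is constructed here, not captured from a real host, and the =INPUT-DROP:= prefix is an assumption.

```shell
#!/bin/sh
# Added example: decode the 14-byte MAC= field that the LOG target writes.
# The sample line below is constructed, not captured; the prefix is assumed
# to come from a rule like:  iptables -A INPUT -j LOG --log-prefix "INPUT-DROP: "
SAMPLE_LOG='Jan  5 10:22:11 router kernel: INPUT-DROP: IN=eth0 OUT= MAC=00:0c:29:5b:1e:7a:00:50:56:c0:00:08:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# Print the MAC= value of a LOG line; prints nothing if the line has no MAC= field
# (interfaces without a link-layer header, e.g. PPP, log none).
mac_field() {
    printf '%s\n' "$1" | sed -n 's/.*MAC=\([0-9a-fA-F:]*\).*/\1/p'
}

# Split a MAC= value into "dst src ethertype". The field is the Ethernet header:
# 6 bytes destination, 6 bytes source, 2 bytes EtherType = 14 colon-separated groups.
split_mac_header() {
    hdr=$1
    n=$(printf '%s\n' "$hdr" | awk -F: '{print NF}')
    if [ "$n" -ne 14 ]; then
        echo "split_mac_header: expected 14 byte groups, got $n" >&2
        return 1
    fi
    dst=$(printf '%s' "$hdr" | cut -d: -f1-6)
    src=$(printf '%s' "$hdr" | cut -d: -f7-12)
    ethertype=$(printf '%s' "$hdr" | cut -d: -f13-14 | tr -d :)
    printf '%s %s %s\n' "$dst" "$src" "$ethertype"
}

# Name the common EtherTypes; anything else is reported as hex.
ethertype_name() {
    case $(printf '%s' "$1" | tr 'A-F' 'a-f') in
        0800) echo IPv4 ;;
        0806) echo ARP ;;
        86dd) echo IPv6 ;;
        8100) echo "802.1Q VLAN" ;;
        *)    echo "unknown(0x$1)" ;;
    esac
}

# Decode the sample line.
hdr=$(mac_field "$SAMPLE_LOG")
if [ -n "$hdr" ]; then
    set -- $(split_mac_header "$hdr")
    printf 'dst=%s src=%s ethertype=0x%s (%s)\n' "$1" "$2" "$3" "$(ethertype_name "$3")"
else
    echo "no MAC= field in sample line"
fi
```

Feed it real lines with something like =grep 'INPUT-DROP:' /var/log/kern.log= in place of the sample; the source MAC tells you which machine on the local segment actually sent the packet, which the SRC= address alone does not once anything is routed or spoofed.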