1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
|
%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"
%center
%size 7
The netfilter/iptables framework in
Linux 2.4.x
%center
%size 4
by
Harald Welte <laforge@gnumonks.org>
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables in Linux 2.4
Contents
Introduction
Netfilter hooks in protocol stacks
Packet selection based on IP Tables
The Connection Tracking Subsystem
The NAT Subsystem based on netfilter + iptables
Packet filtering using the 'filter' table
Packet mangling using the 'mangle' table
Advanced netfilter concepts
Current development and Future
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables in Linux 2.4
Introduction
Why did we need netfilter/iptables?
Because ipchains...
has no infrastructure for passing packets to userspace
makes transparent proxying extremely difficult
has interface address dependent Packet filter rules
has Masquerading implemented as part of packet filtering
code is too complex and intermixed with core ipv4 stack
is neither modular nor extensible
only barely supports one special case of NAT (masquerading)
has only stateless packet filtering
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables in Linux 2.4
Introduction
Who's behind netfilter/iptables
Paul 'Rusty' Russel
co-author of iptables in Linux 2.2
was paid by Watchguard for about one Year of development
James Morris
userspace queuing (kernel, library and tools)
REJECT target
Marc Boucher
NAT and packet filtering controlled by one command
Mangle table
Harald Welte
Conntrack+NAT helper infrastructure (newnat)
Userspace packet logging (ULOG)
PPTP and IRC conntrack/NAT helpers
Jozsef Kadlecsik
TCP window tracking
H.323 conntrack + NAT helper
Continued newnat development
Non-core team contributors
http://www.netfilter.org/scoreboard/
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables in Linux 2.4
Netfilter Hooks
What is netfilter?
System of callback functions within network stack
Callback function to be called for every packet traversing certain point (hook) within network stack
Protocol independent framework
Hooks in layer 3 stacks (IPv4, IPv6, DECnet, ARP)
Multiple kernel modules can register with each of the hooks
Asynchronous packet handling in userspace (ip_queue)
Traditional packet filtering, NAT, ... is implemented on top of this framework
Can be used for other stuff interfacing with the core network stack, like DECnet routing daemon.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables in Linux 2.4
Netfilter Hooks
Netfilter architecture in IPv4
%font "courier"
--->[1]--->[ROUTE]--->[3]--->[4]--->
| ^
| |
| [ROUTE]
v |
[2] [5]
| ^
| |
v |
%font "standard"
1=NF_IP_PRE_ROUTING
2=NF_IP_LOCAL_IN
3=NF_IP_FORWARD
4=NF_IP_POST_ROUTING
5=NF_IP_LOCAL_OUT
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables in Linux 2.4
Netfilter Hooks
Netfilter Hooks
Any kernel module may register a callback function at any of the hooks
The module has to return one of the following constants
NF_ACCEPT continue traversal as normal
NF_DROP drop the packet, do not continue
NF_STOLEN I've taken over the packet do not continue
NF_QUEUE enqueue packet to userspace
NF_REPEAT call this hook again
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables in Linux 2.4
IP tables
Packet selection using IP tables
The kernel provides generic IP tables support
Each kernel module may create it's own IP table
The three major parts of 2.4 firewalling subsystem are implemented using IP tables
Packet filtering table 'filter'
NAT table 'nat'
Packet mangling table 'mangle'
Can potentially be used for other stuff, i.e. IPsec SPDB
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables in Linux 2.4
IP Tables
Managing chains and tables
An IP table consists out of multiple chains
A chain consists out of a list of rules
Every single rule in a chain consists out of
match[es] (rule executed if all matches true)
target (what to do if the rule is matched)
%size 4
matches and targets can either be builtin or implemented as kernel modules
%size 6
The userspace tool iptables is used to control IP tables
handles all different kinds of IP tables
supports a plugin/shlib interface for target/match specific options
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables in Linux 2.4
IP Tables
Basic iptables commands
To build a complete iptables command, we must specify
which table to work with
which chain in this table to use
an operation (insert, add, delete, modify)
one or more matches (optional)
a target
The syntax is
%font "typewriter"
%size 3
iptables -t table -Operation chain -j target match(es)
%font "standard"
%size 5
Example:
%font "typewriter"
%size 3
iptables -t filter -A INPUT -j ACCEPT -p tcp --dport smtp
%font "standard"
%size 5
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables in Linux 2.4
IP Tables
Matches
Basic matches
-p protocol (tcp/udp/icmp/...)
-s source address (ip/mask)
-d destination address (ip/mask)
-i incoming interface
-o outgoing interface
Match extensions (examples)
tcp/udp TCP/udp source/destination port
icmp ICMP code/type
ah/esp AH/ESP SPID match
mac source MAC address
mark nfmark
length match on length of packet
limit rate limiting (n packets per timeframe)
owner owner uid of the socket sending the packet
tos TOS field of IP header
ttl TTL field of IP header
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables in Linux 2.4
IP Tables
Targets
very dependent on the particular table.
Table specific targets will be discussed later
Generic Targets, always available
ACCEPT accept packet within chain
DROP silently drop packet
QUEUE enqueue packet to userspace
LOG log packet via syslog
ULOG log packet via ulogd
RETURN return to previous (calling) chain
foobar jump to user defined chain
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables in Linux 2.4
Packet Filtering
Overview
Implemented as 'filter' table
Registers with three netfilter hooks
NF_IP_LOCAL_IN (packets destined for the local host)
NF_IP_FORWARD (packets forwarded by local host)
NF_IP_LOCAL_OUT (packets from the local host)
Each of the three hooks has attached one chain (INPUT, FORWARD, OUTPUT)
Every packet passes exactly one of the three chains. Note that this is very different compared to the old 2.2.x ipchains behaviour.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables in Linux 2.4
Packet Filtering
Targets available within 'filter' table
Builtin Targets to be used in filter table
ACCEPT accept the packet
DROP silently drop the packet
QUEUE enqueue packet to userspace
RETURN return to previous (calling) chain
foobar user defined chain
Targets implemented as loadable modules
REJECT drop the packet but inform sender
MIRROR change source/destination IP and resend
LOG log via syslog
ULOG log via userspace
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables in Linux 2.4
Connection Tracking Subsystem
Connection tracking...
implemented seperately from NAT
enables stateful filtering
implementation
hooks into NF_IP_PRE_ROUTING to track packets
hooks into NF_IP_POST_ROUTING and NF_IP_LOCAL_IN to see if packet passed filtering rules
protocol modules (currently TCP/UDP/ICMP)
application helpers currently (FTP,IRC,H.323,talk,SNMP)
divides packets in the following four categories
NEW - would establish new connection
ESTABLISHED - part of already established connection
RELATED - is related to established connection
INVALID - (multicast, errors...)
does _NOT_ filter packets itself
can be utilized by iptables using the 'state' match
is used by NAT Subsystem
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables in Linux 2.4
Network Address Translation
Overview
Previous Linux Kernels only implemented one special case of NAT: Masquerading
Linux 2.4.x can do any kind of NAT.
NAT subsystem implemented on top of netfilter, iptables and conntrack
NAT subsystem registers with all five netfilter hooks
'nat' Table registers chains PREROUTING, POSTROUTING and OUTPUT
Following targets available within 'nat' Table
SNAT changes the packet's source whille passing NF_IP_POST_ROUTING
DNAT changes the packet's destination while passing NF_IP_PRE_ROUTING
MASQUERADE is a special case of SNAT
REDIRECT is a special case of DNAT
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables in Linux 2.4
Network Address Translation
Source NAT
SNAT Example:
%font "typewriter"
%size 3
iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.4 -s 10.0.0.0/8
%font "standard"
%size 4
MASQUERADE Example:
%font "typewriter"
%size 3
iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0
%font "standard"
%size 5
Destination NAT
DNAT example
%font "typewriter"
%size 3
iptables -t nat -A PREROUTING -j DNAT --to-destination 1.2.3.4:8080 -p tcp --dport 80 -i eth1
%font "standard"
%size 4
REDIRECT example
%font "typewriter"
%size 3
iptables -t nat -A PREROUTING -j REDIRECT --to-port 3128 -i eth1 -p tcp --dport 80
%font "standard"
%size 5
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables in Linux 2.4
Packet Mangling
Purpose of mangle table
packet manipulation except address manipulation
Integration with netfilter
'mangle' table hooks in all five netfilter hooks
priority: after conntrack
Targets specific to the 'mangle' table:
DSCP - manipulate DSCP field
IPV4OPTSSTRIP - strip IPv4 options
MARK - change the nfmark field of the skb
TCPMSS - set TCP MSS option
TOS - manipulate the TOS bits
TTL - set / increase / decrease TTL field
Simple example:
%font "typewriter"
%size 3
iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -p tcp --dport 80
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables in Linux 2.4
Advanced Netfilter concepts
%size 4
Userspace logging
flexible replacement for old syslog-based logging
packets to userspace via multicast netlink sockets
easy-to-use library (libipulog)
plugin-extensible userspace logging daemon (ulogd)
Can even be used to directly log into MySQL
Queuing
reliable asynchronous packet handling
packets to userspace via unicast netlink socket
easy-to-use library (libipq)
provides Perl bindings
experimental queue multiplex daemon (ipqmpd)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables in Linux 2.4
Current Development and Future
Netfilter (although it proved very stable) is still work in progress.
Areas of current development
infrastructure for conntrack manipulation from userspace
failover of stateful firewalls
making iptables layer3 independent (pkttables)
new userspace library (libiptables) to hide plugins from apps
more matches and targets for advanced functions (pool, hashslot)
more conntrack and NAT modules (RPC, SNMP, SMB, ...)
better IPv6 support (conntrack, more matches / targets)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables in Linux 2.4
Thanks
Thanks to
the BBS people, Z-Netz, FIDO, ...
for heavily increasing my computer usage in 1992
KNF
for bringing me in touch with the internet as early as 1995
for providing a playground for technical people
for telling me about the existance of Linux!
Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
for implementing (one of?) the world's best TCP/IP stacks
Paul 'Rusty' Russell
for starting the netfilter/iptables project
for trusting me to maintain it today
Linux User Group Nuernberg (ALIGN, LUG-N)
for helping me with my initial Linux problems
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables in Linux 2.4
Availability of slides / Links
The slides and the an according paper of this presentation are available at
http://www.gnumonks.org/
The netfilter homepage
http://www.netfilter.org/
|