How iptables works
Before we begin, here is a meta-grammar for iptables (tables, the built-in chains each table provides, and what a rule may do):
iptables
table : filter (default) | nat | mangle | raw | security
filter : INPUT | FORWARD | OUTPUT
nat : PREROUTING | INPUT | OUTPUT | POSTROUTING
mangle : PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING
raw : PREROUTING | OUTPUT
security : INPUT | FORWARD | OUTPUT
table : {chain}+
chain : {user-defined} | {built-in}
built-in : INPUT | FORWARD | OUTPUT | PREROUTING | POSTROUTING
chain : {rule}* (a chain may be empty)
rule : {criteria}* -> {user-defined chain | target}
target : ACCEPT | DROP | QUEUE | RETURN (built-in) | extension targets such as REJECT, LOG, MASQUERADE
As you can see, there is the concept of tables. A table classifies the purpose of the rule chains it contains: every chain in the filter table exists to filter (accept or drop) packets, every chain in nat exists to rewrite addresses, and so on.
Let's explain the firewall processing of IP packets with an example.
An application on our host generates a packet to be sent out via the network. Because the packet originates locally, the OUTPUT chains are applied. But this predefined OUTPUT chain exists in several tables as separate instances: raw, mangle, nat, filter and security each have their own OUTPUT chain. The order in which these instances are processed is fixed by the kernel: raw.OUTPUT first, then mangle.OUTPUT, nat.OUTPUT, filter.OUTPUT and security.OUTPUT, followed by the POSTROUTING chains of mangle and nat (the nat table is only consulted for the first packet of a connection). Each element of e.g. filter.OUTPUT is a rule, and the first rule whose criteria match the packet decides. Its target either ends processing with a verdict (ACCEPT, DROP, REJECT, ...) or jumps to a user-defined chain of the same table; RETURN, or falling off the end of a user-defined chain, continues with the next rule of the calling chain. When the end of a built-in chain is reached without a verdict, the chain's policy applies. Only if the packet survives one table's chain does it move on to the same-named chain of the next table.
Long story short: the routing decision selects the chains. A packet addressed to this host traverses PREROUTING and then INPUT, a packet to be forwarded traverses PREROUTING, FORWARD and POSTROUTING, and a locally generated packet traverses OUTPUT and POSTROUTING. Each chain name has instances in several tables, and those instances are processed one after another in the fixed table order; one chain instance is finished before the next one starts.
Not every table has an instance of every chain: filter, for example, has no PREROUTING or POSTROUTING chain, and raw has only PREROUTING and OUTPUT.
After the chains of one hook are finished in all tables, the packet moves on to the next hook that applies to it (PREROUTING then INPUT, or PREROUTING then FORWARD then POSTROUTING).
.....
And here is a dump (the user-defined chains INPUT_direct and INPUT_ZONES are created by firewalld on this host):
[root@localhost ~]# iptables -t filter -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[root@localhost ~]# iptables -t filter -S INPUT
-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
[root@localhost ~]# man iptables
[root@localhost ~]# iptables -I INPUT -s 192.168.1.0/24 -j ACCEPT
[root@localhost ~]# iptables -t filter -S INPUT
-P INPUT ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
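Note what `-I` did above: without a position argument it inserts at the top of the chain, so the new ACCEPT is evaluated before everything else, including the final REJECT. Had we used `-A` instead, the rule would have been appended after `-j REJECT --reject-with icmp-host-prohibited`, which matches every packet that reaches it, and the new rule would never be consulted. The following Python model is added here as an illustration and is not code from the original post or from iptables itself: it simulates the first-match traversal described earlier (terminating targets, jumps into user-defined chains, RETURN, chain policy) against the INPUT chain of the dump. It assumes the user-defined chains INPUT_direct and INPUT_ZONES are empty (on the real firewalld host they hold the zone rules) and compares the verdict for a 192.168.1.0/24 packet with the rule inserted by -I versus appended by -A. Packet, Rule, Table, build_filter_input and verdict are names made up for this example.

```python
"""Toy model of how iptables walks a chain: the first matching rule wins,
a jump into a user-defined chain comes back to the caller when that chain
produces no verdict, and the chain policy applies only when nothing matched.
Constructed illustration, not kernel or iptables code. The user-defined
chains INPUT_direct/INPUT_ZONES are assumed empty here (assumption)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    src: str
    proto: str = "tcp"
    in_iface: str = "eth0"
    ctstate: str = "NEW"          # what `-m conntrack --ctstate` would see


@dataclass
class Rule:
    target: str                   # ACCEPT/DROP/REJECT, RETURN, or a user chain
    match: Callable[[Packet], bool] = lambda p: True   # no criteria: matches all


@dataclass
class Table:
    policies: Dict[str, str]      # built-in chain -> policy (`-P INPUT ACCEPT`)
    chains: Dict[str, List[Rule]] = field(default_factory=dict)

    def append(self, chain: str, rule: Rule) -> None:          # iptables -A
        self.chains.setdefault(chain, []).append(rule)

    def insert(self, chain: str, rule: Rule, pos: int = 1) -> None:  # iptables -I
        self.chains.setdefault(chain, []).insert(pos - 1, rule)

    def run(self, chain: str, pkt: Packet) -> Optional[str]:
        """Evaluate `chain` top to bottom. Returns a verdict, or None when a
        user-defined chain hits RETURN or falls off its end (caller continues)."""
        for rule in self.chains.get(chain, []):
            if not rule.match(pkt):
                continue
            if rule.target in TERMINATING:
                return rule.target
            if rule.target == "RETURN":
                break                                # back to caller / policy
            verdict = self.run(rule.target, pkt)     # jump into a user chain
            if verdict is not None:
                return verdict
        # Only built-in chains have a policy; user chains implicitly RETURN.
        return self.policies.get(chain)


def in_net(cidr: str) -> Callable[[Packet], bool]:
    """Criteria equivalent to `-s <cidr>`."""
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p.src) in net


def build_filter_input() -> Table:
    """The INPUT chain from the `iptables -S INPUT` dump, before the -I."""
    t = Table(policies={"INPUT": "ACCEPT"})
    t.append("INPUT", Rule("ACCEPT", lambda p: p.ctstate in ("RELATED", "ESTABLISHED")))
    t.append("INPUT", Rule("ACCEPT", lambda p: p.in_iface == "lo"))
    t.append("INPUT", Rule("INPUT_direct"))
    t.append("INPUT", Rule("INPUT_ZONES"))
    t.append("INPUT", Rule("ACCEPT", lambda p: p.proto == "icmp"))
    t.append("INPUT", Rule("REJECT"))       # final catch-all, as in the dump
    t.chains["INPUT_direct"] = []           # assumed empty for this model
    t.chains["INPUT_ZONES"] = []
    return t


def verdict(pkt: Packet, how: str) -> Optional[str]:
    """Add `-s 192.168.1.0/24 -j ACCEPT` with -I (top) or -A (bottom) and
    evaluate pkt against the resulting INPUT chain."""
    t = build_filter_input()
    rule = Rule("ACCEPT", in_net("192.168.1.0/24"))
    if how == "-I":
        t.insert("INPUT", rule)
    elif how == "-A":
        t.append("INPUT", rule)
    else:
        raise ValueError(how)
    return t.run("INPUT", pkt)


if __name__ == "__main__":
    lan = Packet(src="192.168.1.10")
    print("-I:", verdict(lan, "-I"))   # ACCEPT: the inserted rule is hit first
    print("-A:", verdict(lan, "-A"))   # REJECT: the catch-all fires before it
    print("icmp:", verdict(Packet(src="10.0.0.5", proto="icmp"), "-A"))  # ACCEPT
```

The model deliberately ignores everything the real kernel does around a chain (the other tables, conntrack state tracking, the routing decision); it only shows why rule position within a chain matters and why a rule appended below a catch-all REJECT or DROP is dead.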