Tuesday, 1 October 2019

Linux firewall iptables at a glance

How iptables works

Before we begin, here is the meta-grammar for iptables:

iptables
table   : filter (default) | nat | mangle | raw | security
filter  : INPUT | FORWARD | OUTPUT
nat     : PREROUTING | OUTPUT | POSTROUTING
mangle  : INPUT | FORWARD | PREROUTING | OUTPUT | POSTROUTING
table   : {chain}+
chain   : {userdefined} | {built-in}
built-in: INPUT | FORWARD | OUTPUT | PREROUTING | POSTROUTING
chain   : {rule}+ 
rule    : {criteria}+ -> {chain | target}
target  : ACCEPT | DROP | QUEUE | RETURN

As you can see, there is the concept of tables. A table groups its chains of rules by purpose: all chains in the filter table therefore serve filtering.
Let's explain the firewall processing of IP packets with an example.
An application on our host generates content to be sent out over the network. Because this traffic originates from our own host, the OUTPUT chain of rules is applied. But this predefined OUTPUT chain exists as a separate instance in multiple tables: as you can see, the filter, nat and mangle tables each have their own OUTPUT chain. There is a predefined order in which these OUTPUT chains from the different tables are processed. Suppose that filter.OUTPUT is processed first, followed by nat.OUTPUT, and finally mangle.OUTPUT. Each element of e.g. filter.OUTPUT is a rule, which can either terminate with a verdict (ACCEPT, DROP, ...) or jump to another chain of the current table. Once no rule of the running chain within the current table remains to be processed, the chain of the same name in the next table becomes the running one.
Long story short: packets are processed by first checking their originating source and target IP, and based on that the appropriate chain is selected. Multiple instances of this chain can be located in multiple tables. Each of these chain instances is processed one by one, so the first chain instance must be finished before the next one can start.
We must also consider that not every chain being processed has an instance in every table.
After one set of chains with the same type (name) is finished, any remaining type of chain suitable for the network traffic gets its run.
.....
And here comes a dump:

[root@localhost ~]# iptables -t filter -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

[root@localhost ~]# iptables -t filter -S INPUT
-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
[root@localhost ~]# man iptables
[root@localhost ~]# iptables -I INPUT -s 192.168.1.0/24 -j ACCEPT
[root@localhost ~]# iptables -t filter -S INPUT
-P INPUT ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
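As an added example, not from the original post: a small Python model of the chain walk described above, run against a constructed copy of the INPUT chain from the dump. It shows first-match evaluation, jumps into user-defined chains that return to the caller when nothing matched there, and why `-I` (insert at the head) and `-A` (append) give different verdicts for the same 192.168.1.0/24 rule. The packet fields, the reduced set of match options, and treating INPUT_direct and INPUT_ZONES as empty chains are assumptions of this model.

```python
import ipaddress
import shlex

def parse_rules(dump):
    # `iptables -S` output -> {chain: [policy, rules]}; -A appends, -I (no position given) inserts at the head
    chains = {}
    for line in dump.strip().splitlines():
        tok = shlex.split(line)
        entry = chains.setdefault(tok[1], [None, []])
        if tok[0] == "-P":
            entry[0] = tok[2]
            continue
        rule, it = {}, iter(tok[2:])
        for t in it:  # tokens not handled here (-m module names, --reject-with ...) do not affect the verdict
            if t in ("-j", "-s"):
                rule[t] = next(it)
            elif t in ("-i", "-p", "--ctstate"):
                rule[t] = set(next(it).split(","))  # a set, so the comma list of --ctstate is one membership test
        entry[1].insert(0 if tok[0] == "-I" else len(entry[1]), rule)
    return chains

def matches(rule, pkt):
    # every criterion on the rule must hold: -s is a CIDR test, the others are membership tests
    return all(ipaddress.ip_address(pkt[k]) in ipaddress.ip_network(v) if k == "-s" else pkt[k] in v
               for k, v in rule.items() if k != "-j")

def verdict(chains, chain, pkt):
    # walk top-down, first match wins; a user chain that ends without a verdict returns to its caller
    policy, rules = chains.get(chain, (None, []))  # a chain never declared in the dump == empty user chain
    for rule in rules:
        if matches(rule, pkt):
            if rule.get("-j") in ("ACCEPT", "DROP", "REJECT"):
                return rule["-j"]
            result = verdict(chains, rule.get("-j"), pkt)
            if result is not None:
                return result
    return policy  # -P policy for a built-in chain, None (back to the caller) for a user chain

# Constructed copy of the page's INPUT chain, as `iptables -t filter -S INPUT` prints it.
BASE = """-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited"""
LAN_NEW = {"-s": "192.168.1.10", "-i": "eth0", "-p": "tcp", "--ctstate": "NEW"}  # constructed: new LAN connection on eth0

def lan_verdict(extra=""):  # verdict for LAN_NEW against BASE plus one optional extra rule line
    return verdict(parse_rules(BASE + "\n" + extra), "INPUT", LAN_NEW)
```

`lan_verdict()` gives REJECT for the unchanged chain, ACCEPT after the page's `-I INPUT -s 192.168.1.0/24 -j ACCEPT`, and still REJECT if the same rule is appended with `-A`, because the final REJECT is reached first.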
