Netfilter

From John's wiki
Jump to navigation Jump to search

I'm learning about Linux netfilter (and iptables) so I can configure 'glam' sensibly.

Resources

Concepts

Tables

Tables I'm interested in (there are others).

  • filter (default)
  • nat

Chains

Each table has a chain for some of these hook points (see packet flow for details):

  • PREROUTING
  • INPUT
  • FORWARD
  • POSTROUTING
  • OUTPUT

Subcommands

Some subcommands I might use:

Command Long command Description
-A chain rule --append appends rule to chain
-F [chain] --flush flush (delete) chain (or all chains if no chain given)
-L [chain] --list list rules for chain (or all chains if no chain given)
-P chain target --policy set default policy of chain to target
-V --version shows iptables version number
-Z [chain] --zero zeroes counters for chain (or all chains if no chain given)

Targets

Some targets I'm interested in. Non-terminal targets don't terminate and continue with the next rule.

Target Terminal Options
ACCEPT yes
DROP yes
DNAT yes --to-destination a1[-a2][:p1-p2]
LOG no --log-level level --log-prefix prefix --log-ip-options --log-tcp-options --log-tcp-sequence

LOG target options

Option Description
--log-level level log level $level; default is warning
--log-prefix prefix prefix log entries with $prefix
--log-ip-options include the IP options in log entries
--log-tcp-options include TCP options in log entries
--log-tcp-sequence include TCP sequence numbers in log entries

Logging levels

These are the same as defined in linux/kernel.h.

Level Name Description
0 emerg or panic system is about to crash
1 alert immediate attention is required
2 crit critical hardware or software failure
3 err or error hardware problem reported by driver
4 warning or warn something is wrong but it's not serious
5 notice advisory note (nothing is wrong)
6 info general information (such as info about hardware)
7 debug debugging info

Match options

Length match options

To match overall packet length:

  • --length min
  • --length min:
  • --length :max
  • --length min:max

To drop long ping packets: 

iptables -A INPUT -p icmp --icmp-type ping -m length --length 1000 -j DROP

Limit match options

Match until a packet rate limit is exceeded, then stop matching.

Option Description
--limit [rate[/unit]] the number of packets to let through per $unit of time; defaults to 3/hour; $rate is second if unspecified
--limit-burst [count] set the $count of packets that will be matched in a burst; $count defaults to 5

Internet Protocol match options

IPv4 match options I'm interested in:

Option Long option Description
-d [!] addr[/mask] --dst --destination destination address $addr (or range, if $mask is given)
-i [!] in --in-interface input interface $in (or if $in ends with + any interface that starts with $in)
-o [!] out --out-interface output interface $out (or if $out ends with + any interface that starts with $out)
-p [!] proto --protocol protocol name or number $proto (see Common IP protocols)
-s [!] addr[/mask] --src --source source address $addr (or range, if $mask is given)

Common IP protocols

IP protocols I'm interested in.

Name Number(s) Description
ALL 1, 6, 17 same as not specifying a protocol at all
icmp 1 Internet Control Message Protocol
tcp 6 Transmission Control Protocol
udp 17 User Datagram Protocol

ICMP match options

This extension is loaded if '--protocol icmp' is specified. It provides the following option:

Option Description
--icmp-type [!] typename This allows specification of the ICMP type, which can be a numeric ICMP type, or one of the ICMP type names

ICMP type names

This is the output from `iptables -p icmp -h`:

  • any
  • echo-reply (pong)
  • destination-unreachable
    • network-unreachable
    • host-unreachable
    • protocol-unreachable
    • port-unreachable
    • fragmentation-needed
    • source-route-failed
    • network-unknown
    • host-unknown
    • network-prohibited
    • host-prohibited
    • TOS-network-unreachable
    • TOS-host-unreachable
    • communication-prohibited
    • host-precedence-violation
    • precedence-cutoff
  • source-quench
  • redirect
    • network-redirect
    • host-redirect
    • TOS-network-redirect
    • TOS-host-redirect
  • echo-request (ping)
  • router-advertisement
  • router-solicitation
  • time-exceeded (ttl-exceeded)
    • ttl-zero-during-transit
    • ttl-zero-during-reassembly
  • parameter-problem
    • ip-header-bad
    • required-option-missing
  • timestamp-request
  • timestamp-reply
  • address-mask-request
  • address-mask-reply

TCP match options

This extension is loaded if '--protocol tcp' is specified. Some TCP match options I'm interested in (there are more).

Option Long option Description
--dport [!] port[:port] --destination-port inclusive range for TCP destination port
--sport [!] port[:port] --source-port inclusive range for TCP source port

UDP match options

This extension is loaded if '--protocol udp' is specified. UDP match options (this is all of them).

Option Long option Description
--dport [!] port[:port] --destination-port inclusive range for UDP destination port
--sport [!] port[:port] --source-port inclusive range for UDP source port

Packet flow

The four flows are:

Packet flows from one network interface to another (forwarding)

Table Chain
mangle PREROUTING
nat PREROUTING
mangle FORWARD
filter FORWARD
mangle POSTROUTING
nat POSTROUTING

Packet flows from a network interface to a local process (input)

Table Chain
mangle PREROUTING
nat PREROUTING
mangle INPUT
filter INPUT

Packet flows from a local process to a network interface (output)

Table Chain
mangle OUTPUT
nat OUTPUT
filter OUTPUT
mangle POSTROUTING
nat POSTROUTING

Packet flows from a local process to another local process (local)

Table Chain
mangle OUTPUT
nat OUTPUT
filter OUTPUT
filter INPUT
mangle INPUT
Retrieved from "https://www.jj5.net/wiki/mediawiki/index.php?title=Netfilter&oldid=7711"