iptables 101- bottom-up

A bottom-up introduction to iptables, covering the architecture of iptables/ebtables and some usage of iptables.

  1. iptables 101
  2. hung-wei chiu. Co-organizer of SDNDS-TW, co-organizer of CNTUUG. Linux network / Kubernetes / SDN. You can find me at: blog.hwchiu.com
  3. How many people know iptables?
  4. Why today?
  5. Reference: https://en.wikipedia.org/wiki/Iptables
  6. Why we learn: learn its architecture; learn how to design and implement it; think more.
  7. (Architecture diagram.) User space: iptables, ebtables, application. Between them: netlink / system call. Kernel space: kernel, netfilter system, network interface cards.
  8. ebtables: set up and maintain the tables of rules, for Ethernet frames.
  9. Components: tables, chains, target, match.
  10. Table: filter, nat, broute. Different functions: filter the frames (filter); change the MAC address (nat); make the decision, route or bridge (broute).
  11. Chain: a set of rules; the timing of frame processing. input, output, prerouting, postrouting, brouting, forward.
  12. Chain (diagram): brouting -> prerouting -> input or forward -> output -> postrouting.
  13. Chain (diagram with tables): the same path annotated with the table hooked at each chain: broute at brouting; nat at prerouting, output and postrouting; filter at input, forward and output.
  14. Targets / match. Targets: Accept, Drop, Continue, Return, custom action. Match: Ethernet fields; input interface, ARP, VLAN, MAC, ...
  15. iptables: set up and maintain the tables of rules, for Internet Protocol packets (IPv4 / IPv6).
  16. Components: tables, chains, target, match.
  17. Table: filter, nat, raw, mangle. Different functions: filter the packets (filter); change the IP address (nat); handle non-tracked packets (raw); change packet information (mangle).
  18. Chain: a set of rules; the timing of packet processing. input, output, prerouting, postrouting, forward.
  19. Chain (diagram): prerouting -> input or forward -> output -> postrouting.
  20. Chain (diagram with tables): the same path annotated with the table hooked at each chain: raw at prerouting and output; mangle at every chain; nat at prerouting, output and postrouting; filter at input, forward and output.
  21. Targets / match. Targets: Accept, Drop, Queue, Return, custom action. Match: layer-3 fields; custom match.
  22. Reference: https://en.wikipedia.org/wiki/Iptables
  23. Example (diagram): two containers, Container0 (10.1.14.2) and Container1 (10.1.14.3), attached to the Linux bridge docker0 (10.1.14.1); the host's uplink is enp0s1. Two cases: 1. Container0 <-> Container1; 2. Container0 <-> WAN.
  24. Container to container: layer-2 bridging via the Linux bridge docker0.
  25. Take an example (diagram): the packets for case 1, Container0 <-> Container1, across docker0 (10.1.14.2, 10.1.14.3, 10.1.14.1).
  26. Reference: https://en.wikipedia.org/wiki/Iptables (container to container)
  27. Container to WAN: layer-2 bridging via the Linux bridge docker0, then layer-3 routing via the Linux kernel network stack.
  28. Take an example (diagram): the packets for case 2, Container0 <-> WAN, through docker0 (10.1.14.1) and enp0s1.
  29. Reference: https://en.wikipedia.org/wiki/Iptables (container to WAN)
  30. Take an example (diagram): Container0 <-> WAN.
  31. Reference: https://en.wikipedia.org/wiki/Iptables (WAN to container)
  32. Now, let's discuss the usage of iptables.
  33. iptables, a command-line tool.
  34. iptables. Home: https://www.netfilter.org/downloads.html. Git: git://git.netfilter.org/iptables.git
  35. Have you met the following message?
  36. Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
  37. What happened: the iptables command needs to communicate between user space and kernel space. It needs a lock to ensure consistency. By default, iptables exits if it can't acquire the lock. Use the -w option to wait for the lock.
  38. Let's read the source code.
  39. (Screenshot of the source code.)
  40. So we know that iptables uses a file lock.
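Slides 36 to 40 explain the xtables lock and the -w option. The following C program is an added example, not code from the slides or from the iptables project: it re-creates the same mechanism with an advisory flock() on a placeholder lock file (the path /tmp/xtables-demo.lock and the function names are assumptions made here), so the fail-fast default and the -w style retry loop can be compared side by side.

```c
#define _DEFAULT_SOURCE                         /* declares flock() and usleep() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <unistd.h>

/* Take the exclusive advisory lock on `path`. wait_ms == 0 mirrors a plain
 * iptables call (fail at once if held); wait_ms > 0 mirrors "-w" (retry every
 * interval_ms until the budget is spent). Returns the fd holding the lock or -1. */
int take_xtables_lock(const char *path, int wait_ms, int interval_ms)
{
    int fd = open(path, O_CREAT | O_RDWR, 0600);
    if (fd < 0)
        return -1;
    if (interval_ms <= 0)
        interval_ms = 1;                        /* avoid a zero-length wait loop */
    for (int waited = 0;; waited += interval_ms) {
        if (flock(fd, LOCK_EX | LOCK_NB) == 0)
            return fd;                          /* lock acquired */
        if (errno != EWOULDBLOCK || waited >= wait_ms) {
            close(fd);                          /* "Another app is currently holding the xtables lock" */
            return -1;
        }
        usleep((useconds_t)interval_ms * 1000); /* sleep, then retry */
    }
}

void release_xtables_lock(int fd)
{
    if (fd >= 0)
        close(fd);                              /* closing the fd drops the flock */
}

/* Constructed scenario: a holder blocks a second opener even with "-w", and
 * the lock is free again once released. Returns 0 when all steps behave, else the step. */
int lock_contention_demo(const char *path)
{
    int first = take_xtables_lock(path, 0, 0);
    if (first < 0) return 1;
    if (take_xtables_lock(path, 0, 0) != -1) return 2;      /* default: fail fast */
    if (take_xtables_lock(path, 200, 50) != -1) return 3;   /* -w: still held, times out */
    release_xtables_lock(first);
    int again = take_xtables_lock(path, 200, 50);           /* -w: now succeeds */
    if (again < 0) return 4;
    release_xtables_lock(again);
    return 0;
}
int main(void) { printf("demo result: %d\n", lock_contention_demo("/tmp/xtables-demo.lock")); return 0; }
```

Holding the same file from another shell with flock(1) while this runs reproduces the "another app is holding the lock" situation across processes.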
  41. Now let's learn how to flush the rules.
  42. (Screenshots of the source code.)
  43. First, we need to know how iptables works with the kernel.
  44. libiptc
  45. libiptc: the library which manipulates firewall rules. It uses system calls (getsockopt, setsockopt) to interact with the kernel, and maintains a cache for each iptables command.
  46. Workflow: initialise libiptc to fetch all current rules; store those rules in a local cache; operate on the rules in that cache; commit the change to the kernel.
  47. Workflow: initialise libiptc to fetch all current rules. In iptables, a handle (xtc_handle) represents the cache.
  48. init libiptc: initialise libiptc to fetch all current rules.
  49. (Screenshots of the source code.)
  50. Now we have the cache of the current rules.
  51. Let's flush the rules.
  52. (Screenshot of the source code.)
  53. Now we have removed the rules from the cache.
  54. We commit the change after any command.
  55. (Screenshot of the source code.)
  56. (Screenshot of the source code.)
  57. (Screenshot of the source code.)
  58. Now we have flushed the rules.
  59. Now, let's see what an extension is.
  60. Custom match field: -m tcp --dport 1234
  61. Custom target field: -j AUDIT --type accept
  62. (Architecture diagram.) User space: iptables and its extensions. Between them: netlink / system call. Kernel space: kernel, netfilter system and its kernel modules, network interface cards.
  63. Architecture: for each extension, you need to prepare two things: a user-space library to parse the command, and a kernel-space module to implement that function.
  64. For user space, the iptables command should know how to parse the arguments.
  65. How to read. Function: DNAT (upper case) -> target; tcp (lower case) -> match. File naming, old style: libipt_ -> IPv4, libip6t_ -> IPv6; new style: libxt_ -> IPv4/IPv6.
  66. Now we take the custom match tcp as an example.
  67. Architecture: iptables/extensions/libxt_tcp.c
  68. Architecture: iptables/extensions/libxt_tcp.c (screenshot of the source code).
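Slides 60, 64 to 68 and 75 describe the user-space half of a match extension: parse the command-line argument and store it in the pre-defined structure the kernel module reads. The following C code is an added example, not code from the slides or from libxt_tcp.c: it parses a --dport argument (single port, lo:hi, :hi, lo:, optionally negated with "!") into a fixed structure and then applies that structure the way the kernel side would. The struct, the TCP_INV_DSTPT flag, the function names and demo_match are local stand-ins modelled on the tcp match data, not the real xt_tcp definitions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TCP_INV_DSTPT 0x02   /* set by "! --dport": match ports outside the range */
/* Local stand-in modelled on the kernel's tcp match data (simplified). */
struct tcp_match_data {
    uint16_t dpts[2];        /* destination port range, inclusive */
    uint8_t  invflags;       /* which fields are negated */
};
struct tcp_match_data demo_match;   /* constructed instance used by the checks */

/* "port", "lo:hi", ":hi" or "lo:" -> ports[0..1]; 0 on success, -1 on error. */
static int parse_port_range(const char *spec, uint16_t ports[2])
{
    char buf[16], *colon, *end;
    long lo = 0, hi = 65535;             /* open ends default to the full range */
    if (!*spec || strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    if ((colon = strchr(buf, ':'))) *colon = '\0';
    if (*buf) { lo = strtol(buf, &end, 10); if (*end) return -1; }
    if (!colon) hi = lo;                 /* single port */
    else if (colon[1]) { hi = strtol(colon + 1, &end, 10); if (*end) return -1; }
    if (lo < 0 || hi > 65535 || lo > hi) return -1;  /* out of range or reversed */
    ports[0] = (uint16_t)lo, ports[1] = (uint16_t)hi;
    return 0;
}

/* The parse callback's work for one "--dport"; invert != 0 when "!" preceded it. */
int parse_dport(struct tcp_match_data *m, const char *arg, int invert)
{
    if (parse_port_range(arg, m->dpts) != 0) return -1;
    if (invert) m->invflags |= TCP_INV_DSTPT;
    return 0;
}

/* Simplified version of the per-packet check the kernel module performs. */
int dport_matches(const struct tcp_match_data *m, uint16_t dport)
{
    int in_range = dport >= m->dpts[0] && dport <= m->dpts[1];
    return in_range ^ !!(m->invflags & TCP_INV_DSTPT);
}
```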
  69. For kernel space, there are some kernel modules in the system.
  70. (Screenshot of the source code.)
  71. (Screenshot of the source code.)
  72. Summary: the iptables system includes the user-space tool and the kernel-space system. Today we focus on how the user-space tools work.
  73. iptables needs a file lock to protect the rules. iptables uses the library libiptc to control the rules via system calls. You can extend iptables by implementing extension match/target functions.
  74. (Architecture diagram, as on slide 62.)
  75. Extension: for each iptables extension module, you need both the user-space and the kernel-space part. Make sure the kernel version is consistent. User space: implement the arguments and store the data in the pre-defined structure. Kernel space: implement the match function.
  76. Thanks!