iptables 101- bottom-up

1. Iptables1001

2. hung-weichiu Co-organizer of SDNDS-TW Co-organizer of CNTUUG Linux Network/Kubernetes/SDN You can find me at: blog.hwchiu.com

3. How Many People Known Iptables?

4. Why Today?

5. Reference: https://en.wikipedia.org/wiki/Iptables

6. WhyWeLearn Learn it’s architecture Learn how to design/implement Think more

7. User Space Kernel Space iptables ebtables application netlink/system call Kernel netfilter system Network Interface Card Network Interface Card

8. ebtables Setup and maintain the tables of rules. For Ethernet frames.

9. components Tables Chains Target Match

10. Table filter nat broute Different functions. Filter the frames Change the MAC Address Make the decision, route/bridge

11. Chain input Set of rules output prerouting postrouting brouting Timing of frame processing forward

12. Chain input Set of rules output prerouting postrouting brouting Timing of frame processing forward brouting prerouting input forward output postrouting postrouting

13. Chain input Set of rules output prerouting postrouting brouting Timing of frame processing forward brouting prerouting input forward output postrouting postrouting broute nat nat nat natfilter filter filter

14. Targets/Match Targets ○ Accept ○ Drop ○ Continue ○ Return ○ Custom-Action Match ○ Ethernet fields ○ Input interface/ARP/Vlan/Mac/…

15. iptables Setup and maintain the tables of rules. For internet protocol packets. ○ ipv4/ipv6

16. components Tables Chains Target Match

17. Table filter nat raw Different functions. Filter the packets Change the IP Address Handle for non- tracking packets. mangle Change packet informati on.

18. Chain input Set of rules output prerouting postrouting Timing of frame processing forward

19. Chain input Set of rules output prerouting postrouting Timing of frame processing forward prerouting input forward output postrouting postrouting

20. Chain input Set of rules output prerouting postrouting Timing of frame processing forward prerouting input forward output postrouting postrouting nat nat nat natfilter filter filter raw raw mangle mangle mangle mangle mangle mangle

21. Targets/Match Targets ○ Accept ○ Drop ○ Queue ○ Return ○ Custom-Action Match ○ Layer3 fields ○ Custom-Match

22. Reference: https://en.wikipedia.org/wiki/Iptables

23. example Docker0 Container0 Container1 enp0s1 1. Container0 <-> Contaienr1 2. Container0 <-> Wan 10.1.14.2 10.1.14.3 10.1.14.1

24. containertocontainer Layer2 bridging Via the linux bridge docker0

25. TakeAnExamplec Docker0 Container0 Container1 enp0s1 1. Container0 <-> Contaienr1 Packets 10.1.14.2 10.1.14.3 10.1.14.1

26. Reference: https://en.wikipedia.org/wiki/Iptables ContainertoContainer

27. containertowan Layer2 bridging Via the linux bridge docker0 Layer3 routing Via the linux kernel network stack.

28. TakeAnExamplec Docker0 Container0 Container1 enp0s1 1. Container0 <-> Wan Packets 10.1.14.2 10.1.14.3 10.1.14.1

29. Reference: https://en.wikipedia.org/wiki/Iptables Containertowan

30. TakeAnExamplec Docker0 Container0 Container1 enp0s1 1. Container0 <-> Wan

31. Reference: https://en.wikipedia.org/wiki/Iptables wantocontainer

32. Now, Let’s Discuss The Usage Of iptables.

33. iptables, a command-line tool

34. iptables Home: ○ https://www.netfilter.org/downloads.ht ml Git ○ git://git.netfilter.org/iptables.git

35. Do You Have Meet The Following Message?

36. Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

37. Whathappen iptables command needs a communication between user and kernel space. It need a lock to make sure the consistence iptables will exit if it can’t acquire the lock by default. Use the –w option to wait the lock.

38. Let Read The Source Code

41. v v

43. So, We Know The Iptables Use The File Lock

44. Now, Let We Learn How To Flush The Rules.

45. c c c

46. First, we need to know how iptables works with kernel?

47. libiptc

48. libiptc Library which manipulates firewall rules Use the system call to interact with kernel ○ GetSocketOpt ○ SetSocketOpt Maintain a cache for each iptables command.

49. workflows Initial the libiptc to fetch all current rules. Store those rules into a local cache Operates rules in that cache Commit the change to the kernel.

50. workflows Initial the libiptc to fetch all current rules. In the iptables, we use a handle (xtc_handle) to represent the cache.

51. initlibiptc Initial the libiptc to fetch all current rules.

52. c c

55. Now, we have the cache of the current rules.

56. Let We Flush Rules

61. Now, We Have Remove Rules From Cache

63. We Commit The Change After Any Commands

68. Now, We Have Flush The Rules.

69. Now, Let’s See What’s The Extension

70. Custom Match Field –m tcp –dport 1234

71. Custom Target Field –j AUDIT –type accept

72. User Space Kernel Space iptables extensions netlink/system call Kernel netfilter system Network Interface Card Network Interface Card extensions extensions extensions Kernel module Kernel module Kernel module Kernel module

73. Architecture For each extension, you need to prepare two things. User-space library to parse the command. Kernel-space module to implement that function.

74. For User-Space, iptables command should know how to parse arguments.

77. Howtoread Function ○ DNAT (upper) -> target ○ tcp (lower) -> match File naming Old style ○ libipt_ -> ipv4 ○ libip6t -> ipv6 New Style ○ libxt -> ipv4/ipv6

78. Now, We Take The Custom Match TCP as Example

79. Architecture iptables/extensions/libxt_tcp.c

80. Architecture iptables/extensions/libxt_tcp.c c

83. For Kernel-Space, There’re Some Kernel Modules In The System.

90. summary The iptables system includes the user-space tool and kernel-space system. We focus on how user-space tools works today.

91. iptables iptables need a file lock to protect the rules. iptables use the library (libiptc) to control the rules via system call. You can extend the iptables by implement the extension match/target function.

92. User Space Kernel Space iptables extensions netlink/system call Kernel netfilter system Network Interface Card Network Interface Card extensions extensions extensions Kernel module Kernel module Kernel module Kernel module

93. Extenstion For each iptables extension module, you should both user-space and kernel-space. Please make sure the kernel version consistent Use—Space ○ Implement the arguments and store the data into pre-defined structure. Kernel-Space ○ Implement the match function

94. Thanks!

iptables 101- bottom-up

iptables 101- bottom-up

Recommended

More Related Content

What's hot

What's hot(20)

Similar to iptables 101- bottom-up

Similar to iptables 101- bottom-up(20)

More from HungWei Chiu

More from HungWei Chiu(19)

Recently uploaded

Recently uploaded(20)

iptables 101- bottom-up