
iptables 101- bottom-up

From the bottom-up approach to introduction the iptables, including the architecture of iptables/ebtables and the some usage of iptables.

Published in: Software


  1. iptables 101
  2. Hung-Wei Chiu, co-organizer of SDNDS-TW and of CNTUUG; Linux networking / Kubernetes / SDN. You can find me at blog.hwchiu.com
  3. How many people know iptables?
  4. Why today?
  5. Reference: https://en.wikipedia.org/wiki/Iptables
  6. Why we learn it: learn its architecture; learn how to design and implement it; think more.
  7. Architecture: in user space, iptables, ebtables and other applications talk to the kernel through netlink/system calls; in kernel space, the netfilter system sits in the packet path between the network interface cards.
  8. ebtables: sets up and maintains the tables of rules for Ethernet frames.
  9. Components: tables, chains, targets, matches.
  10. Tables, each with a different function: filter (filter the frames), nat (change the MAC address), broute (decide whether to route or bridge).
  11. Chains: a chain is a set of rules bound to one point in frame processing: brouting, prerouting, input, forward, output, postrouting.
  12. Chain traversal order: brouting -> prerouting -> input (local delivery) or forward -> output -> postrouting.
  13. Which table hooks which chain: broute on brouting; nat on prerouting, output and postrouting; filter on input, forward and output.
  14. Targets: ACCEPT, DROP, CONTINUE, RETURN, or a custom action. Matches: Ethernet fields such as input interface, ARP, VLAN, MAC address, ...
  15. iptables: sets up and maintains the tables of rules for Internet Protocol packets (IPv4 and IPv6).
  16. Components: tables, chains, targets, matches.
  17. Tables, each with a different function: filter (filter the packets), nat (change the IP address), raw (mark packets that should bypass connection tracking), mangle (change packet information).
  18. Chains: a chain is a set of rules bound to one point in packet processing: prerouting, input, forward, output, postrouting.
  19. Chain traversal order: prerouting -> input (local delivery) or forward -> output -> postrouting.
  20. Which table hooks which chain: raw on prerouting and output; mangle on all five chains; nat on prerouting, input, output and postrouting; filter on input, forward and output.
  21. Targets: ACCEPT, DROP, QUEUE, RETURN, or a custom action. Matches: layer-3 fields, or a custom match.
  22. Reference: https://en.wikipedia.org/wiki/Iptables
  23. Example: container0 (10.1.14.2) and container1 (10.1.14.3) are attached to the Linux bridge docker0 (10.1.14.1); enp0s1 is the host's outside interface. Two cases: (1) container0 <-> container1, (2) container0 <-> WAN.
  24. Container to container: layer-2 bridging via the Linux bridge docker0.
  25. Take an example: container0 (10.1.14.2) <-> container1 (10.1.14.3), packets crossing docker0 (10.1.14.1).
  26. Container to container. Reference: https://en.wikipedia.org/wiki/Iptables
  27. Container to WAN: layer-2 bridging via the Linux bridge docker0, then layer-3 routing via the Linux kernel network stack.
  28. Take an example: container0 (10.1.14.2) <-> WAN, packets leaving through docker0 (10.1.14.1) and enp0s1.
  29. Container to WAN. Reference: https://en.wikipedia.org/wiki/Iptables
  30. Take an example: container0 (10.1.14.2) <-> WAN.
  31. WAN to container. Reference: https://en.wikipedia.org/wiki/Iptables
  32. Now, let's discuss the usage of iptables.
  33. iptables, a command-line tool
  34. iptables home: https://www.netfilter.org/downloads.html; Git: git://git.netfilter.org/iptables.git
  35. Have you met the following message?
  36. Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
  37. What happened: an iptables command has to communicate between user space and the kernel, and it takes a lock so that concurrent commands cannot leave the rules inconsistent. By default iptables exits if it cannot acquire the lock; the -w option makes it wait for the lock instead.
  38. Let's read the source code.
  40. So we know that iptables uses a file lock.
  41. Now let's learn how to flush the rules.
  43. First, we need to know how iptables works with the kernel.
  44. libiptc
  45. libiptc: the library that manipulates firewall rules. It interacts with the kernel through system calls (getsockopt and setsockopt) and maintains a cache for each iptables command.
  46. Workflow: initialize libiptc to fetch all current rules; store those rules in a local cache; operate on the rules in that cache; commit the change to the kernel.
  47. Workflow: initialize libiptc to fetch all current rules. In iptables, a handle (struct xtc_handle) represents the cache.
  48. Initialize libiptc: fetch all current rules.
  50. Now we have the cache of the current rules.
  51. Let's flush the rules.
  53. Now we have removed the rules from the cache.
  54. We commit the change after any command.
  58. Now we have flushed the rules.
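The lock message on slide 36 and the fetch-cache-commit cycle of slides 45 to 58 are two sides of one design, so here is a single added example that models both. It is not code from the slides or from the iptables project: the lock path /tmp/xtables-demo.lock, the demo_* names and the in-memory "kernel table" are assumptions made for this demo, while real iptables locks /run/xtables.lock and moves the table through libiptc's getsockopt/setsockopt calls. The example shows why the lock exists: two commands that each fetch the same snapshot and commit it back overwrite each other's change, and a command that finds the lock held fails at once unless it retries the way -w does.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#define DEMO_LOCK_PATH "/tmp/xtables-demo.lock"  /* hypothetical; real: /run/xtables.lock */

/* flock() on the lock file, retried until the deadline. wait_secs == 0 is the
 * default (fail at once); wait_secs > 0 behaves like `-w N`. Returns fd or -1. */
int xtables_lock_demo(int wait_secs)
{
    int fd = open(DEMO_LOCK_PATH, O_CREAT | O_RDWR, 0600);
    time_t deadline = time(NULL) + wait_secs;
    while (fd >= 0) {
        if (flock(fd, LOCK_EX | LOCK_NB) == 0)
            return fd;                   /* held until close(fd) */
        if (errno != EWOULDBLOCK || wait_secs == 0 || time(NULL) >= deadline)
            break;
        usleep(100000);                  /* retry interval, the -W knob */
    }
    if (fd >= 0) close(fd);
    return -1;
}

/* Toy kernel table. libiptc fetches the whole table into a cache, edits the
 * cache and pushes all of it back: every command is a read-modify-write. */
struct demo_table { int nrules; char rules[8][64]; };
static struct demo_table kernel_table;             /* the kernel's copy */
struct demo_handle { struct demo_table cache; };   /* plays struct xtc_handle */

void demo_init(struct demo_handle *h)   { h->cache = kernel_table; }  /* iptc_init() */
void demo_flush(struct demo_handle *h)  { h->cache.nrules = 0; }      /* iptc_flush_entries() */
void demo_commit(struct demo_handle *h) { kernel_table = h->cache; }  /* iptc_commit() */
int demo_append(struct demo_handle *h, const char *rule)              /* iptc_append_entry() */
{
    if (h->cache.nrules >= 8) return -1;
    snprintf(h->cache.rules[h->cache.nrules++], 64, "%s", rule);
    return 0;
}

/* One iptables invocation: lock, fetch, edit the cache, commit, unlock. */
int demo_apply(const char *rule, int wait_secs)
{
    int lockfd = xtables_lock_demo(wait_secs);
    if (lockfd < 0) {
        fputs("Another app is currently holding the xtables lock. "
              "Perhaps you want to use the -w option?\n", stderr);
        return -1;
    }
    struct demo_handle h;
    demo_init(&h);
    int rc = demo_append(&h, rule);
    if (rc == 0) demo_commit(&h);
    close(lockfd);                       /* drops the flock */
    return rc;
}

/* Two commands that interleave without the lock: both fetched the empty
 * table, so the second commit overwrites the first. Returns 1, not 2. */
int demo_lost_update(void)
{
    struct demo_handle a, b;
    kernel_table.nrules = 0;
    demo_init(&a); demo_init(&b);        /* both snapshot the empty table */
    demo_append(&a, "-A INPUT -s 10.1.14.0/24 -j ACCEPT");
    demo_append(&b, "-A INPUT -p tcp --dport 22 -j ACCEPT");
    demo_commit(&a); demo_commit(&b);    /* b's snapshot never saw a's rule */
    return kernel_table.nrules;
}

/* "Another app is holding the lock": a child keeps the lock for a moment; the
 * parent tries the default (no wait), then `-w 5`. Returns 0 if the first
 * attempt fails, the waited one succeeds, and the table then holds 1 rule. */
int demo_lock_contention(void)
{
    kernel_table.nrules = 0;
    int held = xtables_lock_demo(0);
    pid_t pid = held < 0 ? -1 : fork();
    if (pid < 0) return -1;
    if (pid == 0) {                      /* child: _exit() releases the flock */
        usleep(700000);
        _exit(0);
    }
    close(held);                         /* parent's fd only; the child's still holds it */
    int no_wait = demo_apply("-A INPUT -p tcp --dport 22 -j ACCEPT", 0);
    int waited  = demo_apply("-A INPUT -p tcp --dport 22 -j ACCEPT", 5);
    waitpid(pid, NULL, 0);
    return (no_wait == -1 && waited == 0 && kernel_table.nrules == 1) ? 0 : 1;
}

int main(void)
{
    printf("no lock, interleaved: %d rule(s) although two were added\n", demo_lost_update());
    printf("contention demo: %s\n", demo_lock_contention() == 0 ? "behaves like iptables" : "unexpected");
    return 0;
}
```

Build with gcc on Linux (flock and fork are POSIX/Linux calls). The -1 from demo_apply with a wait of 0 is exactly the situation behind the slide's message; a non-zero wait turns the single flock attempt into a retry loop, which is what iptables -w does, and the lost-update function is the reason the lock is not optional.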
  59. Now, let's see what the extensions are.
  60. Custom match field: -m tcp --dport 1234
  61. Custom target field: -j AUDIT --type accept
  62. Architecture with extensions: in user space, iptables loads an extension library for each match or target; in kernel space, each extension is backed by a kernel module hooked into the netfilter system, which sits in the packet path between the network interface cards.
  63. Architecture: for each extension you need to prepare two things, a user-space library to parse the command and a kernel-space module to implement the function.
  64. For user space, the iptables command must know how to parse the arguments.
  65. How to read the names. Function: DNAT (upper case) -> target; tcp (lower case) -> match. File naming, old style: libipt_ -> IPv4, libip6t_ -> IPv6; new style: libxt_ -> IPv4/IPv6.
  66. Now we take the custom match tcp as an example.
  67. Architecture: iptables/extensions/libxt_tcp.c
  69. For kernel space, there are some kernel modules in the system.
  72. Summary: the iptables system consists of the user-space tool and the kernel-space system. Today we focused on how the user-space tool works.
  73. iptables: iptables needs a file lock to protect the rules; iptables uses a library (libiptc) to control the rules via system calls; you can extend iptables by implementing extension match/target functions.
  74. Architecture with extensions: in user space, iptables loads an extension library for each match or target; in kernel space, each extension is backed by a kernel module hooked into the netfilter system, which sits in the packet path between the network interface cards.
  75. Extensions: for each iptables extension module you need both a user-space part and a kernel-space part, and the two must be built for a consistent kernel version. User space: parse the arguments and store the data in the predefined structure. Kernel space: implement the match function.
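As an added example of the two halves described on slides 63 to 75, this stand-alone C program re-implements, in simplified form, what the user-space tcp match (iptables/extensions/libxt_tcp.c) and its kernel module (net/netfilter/xt_tcpudp.c) do for --sport and --dport. It is not code from the slides or from the netfilter project: the demo_* names are invented for this page, struct demo_xt_tcp mirrors only the port fields of the kernel's struct xt_tcp (linux/netfilter/xt_tcpudp.h), and the invert bits follow XT_TCP_INV_SRCPT/XT_TCP_INV_DSTPT. The user-space half validates and stores; the kernel half only compares, so every rejection of a malformed range has to happen in the parser.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_TCP_INV_SRCPT 0x01   /* same bits as XT_TCP_INV_SRCPT / XT_TCP_INV_DSTPT */
#define DEMO_TCP_INV_DSTPT 0x02

/* Port fields of the kernel's struct xt_tcp: the "pre-defined structure" the
 * user-space library fills in and the kernel module reads for every packet. */
struct demo_xt_tcp {
    uint16_t spts[2];   /* source port range, inclusive */
    uint16_t dpts[2];   /* destination port range, inclusive */
    uint8_t  invflags;  /* which ranges were negated with '!' */
};

/* User-space half (libxt_tcp.c's job): "1234", "1000:2000", ":1024" or
 * "1024:" -> [lo, hi]. Junk, reversed ranges and ports above 65535 are
 * rejected here so a bad rule never reaches the kernel. Returns 0 or -1. */
int demo_parse_ports(const char *arg, uint16_t range[2])
{
    char buf[32];
    if (strlen(arg) >= sizeof buf) return -1;
    strcpy(buf, arg);
    char *colon = strchr(buf, ':');
    const char *part[2] = { buf, buf };
    if (colon) { *colon = '\0'; part[1] = colon + 1; }
    unsigned long v[2] = { 0, 65535 };    /* defaults for an open-ended range */
    for (int i = 0; i < 2; i++) {
        if (part[i][0] == '\0') {
            if (!colon) return -1;        /* empty argument */
            continue;                     /* ":1024" / "1024:" keep the default */
        }
        if (!isdigit((unsigned char)part[i][0])) return -1;  /* no sign, space, name */
        char *end; errno = 0;
        unsigned long n = strtoul(part[i], &end, 10);
        if (errno || *end != '\0' || n > 65535) return -1;
        v[i] = n;
    }
    if (v[0] > v[1]) return -1;
    range[0] = (uint16_t)v[0]; range[1] = (uint16_t)v[1];
    return 0;
}

void demo_tcp_init(struct demo_xt_tcp *info)   /* as tcp_init(): match every port */
{
    info->spts[0] = info->dpts[0] = 0;
    info->spts[1] = info->dpts[1] = 65535;
    info->invflags = 0;
}

/* Handle one "--sport/--dport [!] PORT[:PORT]" option. Returns 0 or -1. */
int demo_tcp_parse(const char *opt, bool invert, const char *arg, struct demo_xt_tcp *info)
{
    uint16_t *range; uint8_t flag;
    if (!strcmp(opt, "--dport") || !strcmp(opt, "--destination-port")) {
        range = info->dpts; flag = DEMO_TCP_INV_DSTPT;
    } else if (!strcmp(opt, "--sport") || !strcmp(opt, "--source-port")) {
        range = info->spts; flag = DEMO_TCP_INV_SRCPT;
    } else {
        return -1;                        /* not an option this match owns */
    }
    if (demo_parse_ports(arg, range) < 0) return -1;
    if (invert) info->invflags |= flag;
    return 0;
}

/* Kernel-space half (xt_tcpudp.c's job): the per-packet range test. */
static bool port_match(uint16_t lo, uint16_t hi, uint16_t port, bool invert)
{
    return (port >= lo && port <= hi) ^ invert;
}

bool demo_tcp_match(const struct demo_xt_tcp *info, uint16_t sport, uint16_t dport)
{
    return port_match(info->spts[0], info->spts[1], sport, info->invflags & DEMO_TCP_INV_SRCPT)
        && port_match(info->dpts[0], info->dpts[1], dport, info->invflags & DEMO_TCP_INV_DSTPT);
}

/* Whole round trip for one option and one packet: -1 = rejected by the
 * user-space parser, 0 = rule accepted but no match, 1 = packet matches. */
int demo_check(const char *opt, bool invert, const char *arg, uint16_t sport, uint16_t dport)
{
    struct demo_xt_tcp info;
    demo_tcp_init(&info);
    if (demo_tcp_parse(opt, invert, arg, &info) < 0) return -1;
    return demo_tcp_match(&info, sport, dport) ? 1 : 0;
}

int main(void)
{
    printf("--dport 1234      vs 40000->1234: %d\n", demo_check("--dport", false, "1234", 40000, 1234));
    printf("! --dport 22      vs 40000->22  : %d\n", demo_check("--dport", true, "22", 40000, 22));
    printf("--dport 2000:1000 (rejected)    : %d\n", demo_check("--dport", false, "2000:1000", 1, 1));
    return 0;
}
```

The split mirrors the deck's rule: the user-space side owns argument parsing and the struct layout, the kernel side owns the match, and the struct is the only contract between them, which is why both must be built against the same kernel headers.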
  76. Thanks!
