
IPTABLES Introduction


In these slides we discuss the concept of IPTABLES/EBTABLES and then show how they work in a simple Docker environment.
To track the packet flow of the containers' communication, we use the LOG module of IPTABLES/EBTABLES to record the packet information.

Published in: Engineering


  1. IPTABLES (I) - HungWei Chiu
  2. HungWei Chiu: MTS @ ONF; SDNDS-TW/CNTUG; Linux/Network/Container/Kubernetes; Kubernetes courses @ Hiskio
  3. Why IPTABLES
  4. IPTABLES Series: (a) Introduction to IPTABLES: learn IPTABLES in a Docker environment. (b) Implementation of IPTABLES: user space/kernel space; implement our own iptables modules. (c) Kubernetes Service discussion: Layer 4 load-balancing, why? Modify the kernel module to make it support Layer 7, really?
  5. Today
  6. Environment (diagram: ContainerA, ContainerA, Linux Bridge, Eth0, Veth0, Veth1). Cases: Host to Container; Container to Container; Container to WAN
  7. Architecture: iptables, iptables-save, iptables-xxxx
  8. IPTABLES/EBTABLES Example
       iptables -t nat -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
       ebtables -t filter -I INPUT --log --log-prefix 'ctc/ebtable/filter-input' --log-level debug
     Components: Table; Chain -> Insert/Append (-I/-A); Match (module) -> built-in/module; Target (module) -> built-in/module
  9. Chain (EBTABLES): INPUT: frames destined for the bridge itself; FORWARD: frames being forwarded by the bridge; OUTPUT: locally-generated or routed frames; PREROUTING (PREFORWARDING): altering frames as soon as they come in; POSTROUTING (POSTFORWARDING): altering frames as they are about to go out; BROUTING: traversed very early, decides whether to route or bridge the frame.
  10. Tables (EBTABLES): filter: filter frames; nat: change the MAC address; broute: make the bridge/route decision
  11. (diagram: DNAT/SNAT hook points along the path ContainerA - Veth0/Veth1 - Linux Bridge - Eth0 - ContainerA)
  12. Observe Flows: we use the LOG target to log the packet information and then learn the packet flow in different situations.
       ebtables -t broute -I BROUTING --log --log-prefix 'ctc/ebtable/broute-BROUTING' --log-level debug
     We focus on: Host to container; Container to container
  13. Container to Container
  14. Scripts: set up the ebtables rules (./ebtables.sh); modify the kernel module (add printk(....); the module must be rebuilt and re-installed); generate traffic to the container:
       sudo dmesg -c   (clean buffer)
       sudo docker exec netutils ping 172.18.0.2 -c1
       sudo dmesg -c
  15. Container to Container
  16. Host to Container
  17. Scripts: set up the ebtables rules (./ebtables.sh); modify the kernel module (add printk(....); the module must be rebuilt and re-installed); generate traffic to the container:
       sudo dmesg -c   (clean buffer)
       sudo ping 172.18.0.2 -c1
       sudo dmesg -c
  18. Host to Container: PING
  19. Host to Container: PING
  20. Before IPTABLES
  21. Example (docker -p). Diagram: MacBook 172.17.8.1 (iperf client) -> VM 172.17.8.111 -> Linux Bridge -> Veth0 -> iperf server 172.18.0.4.
     In the virtual machine:
       docker run -d --name iperf -p 12345:5201 --entrypoint iperf3 hwchiu/netutils -s -p 5201
     On the Mac:
       iperf3 -c 172.17.8.111 -p 12345
     iptables will DNAT the packets to redirect them (iptables-save -t nat -c):
       -A DOCKER ! -i docker0 -p tcp -m tcp --dport 12345 -j DNAT --to-destination 172.18.0.4:5201
  22. Conntrack (connection tracking): a connection is an application-level concept. Conntrack tracks the connection as a request tuple -> reply tuple; a tuple is (src_ip, dest_ip, src_port, dest_port).
  23. Conntrack (same iperf setup): request tuple 172.17.8.1:53426 -> 172.17.8.111:12345; reply tuple 172.18.0.4:5201 -> 172.17.8.1:53426. iptables does the NAT only once and conntrack handles the rest of the packets.
  24. Tables (IPTABLES): raw: for packets that should not be tracked (hooked before conntrack); mangle: change the packet's information; filter: filter packets; nat: change the IP address (SNAT/DNAT)
  25. Chain (IPTABLES): INPUT: packets destined to local sockets; FORWARD: packets being routed; OUTPUT: locally-generated packets; PREROUTING: altering packets as soon as they come in; POSTROUTING: altering packets as they are about to go out
  26. (diagram: DNAT/SNAT hook points)
  27. Others: http://xkr47.outerspace.dyndns.org/netfilter/packet_flow/packet_flow10.png
  28. Observe Flows: we use the LOG target to log the packet information and then learn the packet flow in different situations.
       iptables -t mangle -I PREROUTING -p tcp -d 172.18.0.0/16 -j LOG --log-prefix '/iptable/mangle-PREROUTE' --log-level debug
     We focus on: Container to container; Host to container; WAN to container
  29. Container to Container
  30. Scripts: set up the rules (./ebtables.sh, ./iptables.sh); generate traffic to the container:
       sudo dmesg -c   (clean buffer)
       sudo docker exec netutils ping 172.18.0.2 -c 1
       sudo dmesg -c > test
  31. Container to Container
  32. No NAT in Reply Packet
  33. Have You Seen This?
       sudo sysctl net.bridge.bridge-nf-call-iptables=1
       echo '1' > /proc/sys/net/bridge/bridge-nf-call-iptables
     Try to repeat this case with value '0'
  34. Host to Container
  35. Scripts: set up the rules (./ebtables.sh, ./iptables.sh); generate traffic to the container:
       sudo dmesg -c   (clean buffer)
       ping 172.18.0.2 -c 1
       sudo dmesg -c > test
  36. ICMP Request to Container: PING
  37. ICMP Reply From Container: PING
  38. Others: what is the bridge check? Different function handlers: netdev_rx_handler_register, br_handle_frame
  39. WAN to Container
  40. Scripts: set up the rules (./ebtables.sh, ./iptables.sh); generate traffic:
       sudo dmesg -c   (clean buffer)
       sudo docker exec netutils ping 8.8.8.8 -c 1
       sudo dmesg -c > test
  41. ICMP Request to WAN: PING
  42. ICMP Reply From WAN: PING
  43. Tcpdump
  44. How To Debug: there is no simple way. Strong knowledge of TCP/IP; capture packets with tcpdump; check the iptables rules; use the LOG module to capture packets (watch out for the match rules); check the other built-in services: ARPTables, routing tables, TC (traffic shaping); modify the Linux kernel to print out packet information.
  45. Q&A
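To illustrate slides 22 and 23, here is an added example (not from the slides) modelling how conntrack stores an original tuple and a reply tuple so that the docker -p DNAT rule is consulted only for the first packet of a connection; the Conntrack class, the DNAT_RULES table and the 4-tuple layout are assumptions of this model, not netfilter's real data structures.

```python
# Added example (not from the slides): a minimal model of the conntrack idea on
# slides 22-23. The nat table (here, the docker -p DNAT rule for dport 12345) is
# consulted only for the first packet of a connection; conntrack stores the
# original tuple and the reply tuple, and every later packet in either direction
# is rewritten from that stored pair. Tuple layout: (src_ip, src_port, dst_ip, dst_port).
DNAT_RULES = {('172.17.8.111', 12345): ('172.18.0.4', 5201)}  # rule from slide 21


def reverse(t):
    """Swap source and destination of a 4-tuple."""
    return (t[2], t[3], t[0], t[1])


class Conntrack:
    def __init__(self):
        self.table = {}         # tuple as seen on the wire -> (original, reply, direction)
        self.rule_lookups = 0   # how many times the nat table was consulted

    def _new_entry(self, pkt):
        """First packet of a flow: run the nat rules once and record both tuples."""
        self.rule_lookups += 1
        target = DNAT_RULES.get((pkt[2], pkt[3]))
        translated = (pkt[0], pkt[1], target[0], target[1]) if target else pkt
        original, reply = pkt, reverse(translated)  # reply = what the server's answer looks like
        self.table[original] = (original, reply, 'original')
        self.table[reply] = (original, reply, 'reply')
        return self.table[original]

    def translate(self, pkt):
        """Return the packet as it looks after the NAT hooks, in either direction."""
        original, reply, direction = self.table.get(pkt) or self._new_entry(pkt)
        if direction == 'original':
            return reverse(reply)    # DNAT: destination becomes the container
        return reverse(original)     # reply: source restored to the host's published port
```

The reply tuple 172.18.0.4:5201 -> 172.17.8.1:53426 from slide 23 is matched by the second lookup key, so the SYN-ACK is rewritten without the DOCKER chain ever being evaluated again.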

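For the "Observe Flows" method on slides 12 and 28 and the dmesg captures in the script slides, here is an added example (not from the slides) that reads LOG lines from a saved dmesg buffer and reconstructs the hook path of each packet, flagging the hook after which DNAT rewrote the destination. The sample lines are constructed, and the code assumes LOG rules were inserted at the head of every table/chain with a '/iptable/<table>-<chain>' prefix.

```python
import re

# Constructed sample dmesg output (not from the slides). It assumes a LOG rule was
# inserted (-I) at the head of every table/chain with prefix '/iptable/<table>-<chain>',
# and shows a TCP SYN from the MacBook (172.17.8.1) to the port published by
# 'docker -p' (172.17.8.111:12345), DNATed to the iperf container, then the SYN-ACK.
SAMPLE_DMESG = """\
[  120.001] /iptable/raw-PREROUTING IN=eth1 OUT= SRC=172.17.8.1 DST=172.17.8.111 TTL=64 ID=40001 DF PROTO=TCP SPT=53426 DPT=12345 SYN
[  120.002] /iptable/mangle-PREROUTING IN=eth1 OUT= SRC=172.17.8.1 DST=172.17.8.111 TTL=64 ID=40001 DF PROTO=TCP SPT=53426 DPT=12345 SYN
[  120.003] /iptable/nat-PREROUTING IN=eth1 OUT= SRC=172.17.8.1 DST=172.17.8.111 TTL=64 ID=40001 DF PROTO=TCP SPT=53426 DPT=12345 SYN
[  120.004] /iptable/mangle-FORWARD IN=eth1 OUT=docker0 SRC=172.17.8.1 DST=172.18.0.4 TTL=63 ID=40001 DF PROTO=TCP SPT=53426 DPT=5201 SYN
[  120.005] /iptable/filter-FORWARD IN=eth1 OUT=docker0 SRC=172.17.8.1 DST=172.18.0.4 TTL=63 ID=40001 DF PROTO=TCP SPT=53426 DPT=5201 SYN
[  120.006] /iptable/mangle-POSTROUTING IN= OUT=docker0 SRC=172.17.8.1 DST=172.18.0.4 TTL=63 ID=40001 DF PROTO=TCP SPT=53426 DPT=5201 SYN
[  120.007] /iptable/nat-POSTROUTING IN= OUT=docker0 SRC=172.17.8.1 DST=172.18.0.4 TTL=63 ID=40001 DF PROTO=TCP SPT=53426 DPT=5201 SYN
[  120.010] /iptable/raw-PREROUTING IN=docker0 OUT= SRC=172.18.0.4 DST=172.17.8.1 TTL=64 ID=0 DF PROTO=TCP SPT=5201 DPT=53426 ACK SYN
[  120.011] /iptable/mangle-PREROUTING IN=docker0 OUT= SRC=172.18.0.4 DST=172.17.8.1 TTL=64 ID=0 DF PROTO=TCP SPT=5201 DPT=53426 ACK SYN
[  120.012] /iptable/mangle-FORWARD IN=docker0 OUT=eth1 SRC=172.18.0.4 DST=172.17.8.1 TTL=63 ID=0 DF PROTO=TCP SPT=5201 DPT=53426 ACK SYN
[  120.013] /iptable/filter-FORWARD IN=docker0 OUT=eth1 SRC=172.18.0.4 DST=172.17.8.1 TTL=63 ID=0 DF PROTO=TCP SPT=5201 DPT=53426 ACK SYN
[  120.014] /iptable/mangle-POSTROUTING IN= OUT=eth1 SRC=172.18.0.4 DST=172.17.8.1 TTL=63 ID=0 DF PROTO=TCP SPT=5201 DPT=53426 ACK SYN
"""

def parse_log_line(line):
    """Return {'table', 'chain', KEY: VALUE, ...} for one LOG line, or None."""
    m = re.match(r'^\[\s*[\d.]+\]\s+(\S+)\s+(.*)$', line)
    if not m:
        return None
    table, chain = m.group(1).rsplit('/', 1)[-1].split('-', 1)
    entry = {'table': table, 'chain': chain}
    for key, value in re.findall(r'(\w+)=(\S*)', m.group(2)):
        entry.setdefault(key, value)  # keep the first ID= (IP header id, not the ICMP id)
    return entry

def trace_packets(dmesg_text):
    """Group entries by packet (SRC, PROTO, IP ID); return each packet's hook path
    and the hook after which its destination was rewritten (i.e. where DNAT happened)."""
    hops_by_packet = {}
    for line in dmesg_text.splitlines():
        e = parse_log_line(line)
        if e:
            hops_by_packet.setdefault((e['SRC'], e['PROTO'], e.get('ID')), []).append(e)
    result = {}
    for key, hops in hops_by_packet.items():
        path, dnat_after = [], []
        for prev, cur in zip([None] + hops[:-1], hops):
            path.append((cur['table'], cur['chain'], f"{cur['DST']}:{cur.get('DPT', '')}"))
            if prev and (prev['DST'], prev.get('DPT')) != (cur['DST'], cur.get('DPT')):
                dnat_after.append((prev['table'], prev['chain']))  # nat table rule fired here
        result[key] = {'path': path, 'dnat_after': dnat_after}
    return result
```

Run against a real `sudo dmesg -c > test` capture the same way; the reply packet never shows a nat-table hop, which is the "No NAT in Reply Packet" observation from slide 32.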