Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Upcoming SlideShare
What to Upload to SlideShare
What to Upload to SlideShare
Loading in …3
×
1 of 46

IPTABLES Introduction

Apr. 11, 2020
5 likes 514 views

5

Share

Download to read offline

Engineering

In this slide, we discuss the concept of IPTABLES/EBTABLES and then show how they work in a simple docker environment.
In order to track the packet flow in those containers communication, we use the LOG module in IPTABLES/EBTABLE to track the information.

Recommended

Related Books

Free with a 30 day trial from Scribd

See all
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4.5/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(3.5/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4.5/5)
Free
Ninety Percent of Everything: Inside Shipping, the Invisible Industry That Puts Clothes on Your Back, Gas in Your Car, and Food on Your Plate Rose George
(4/5)
Free
Carrying the Fire: 50th Anniversary Edition Michael Collins
(4.5/5)
Free
Island of the Lost: An Extraordinary Story of Survival at the Edge of the World Joan Druett
(4/5)
Free
On War: With linked Table of Contents Carl von Clausewitz
(4.5/5)
Free

Related Audiobooks

Free with a 30 day trial from Scribd

See all
Einstein's Fridge: How the Difference Between Hot and Cold Explains the Universe Paul Sen
(4.5/5)
Free
The Wires of War: Technology and the Global Struggle for Power Jacob Helberg
(5/5)
Free
System Error: Where Big Tech Went Wrong and How We Can Reboot Rob Reich
(4/5)
Free
The Quiet Zone: Unraveling the Mystery of a Town Suspended in Silence Stephen Kurczy
(5/5)
Free
Liftoff: Elon Musk and the Desperate Early Days That Launched SpaceX Eric Berger
(5/5)
Free
The Science of Time Travel: The Secrets Behind Time Machines, Time Loops, Alternate Realities, and More! Elizabeth Howell
(3/5)
Free
If Then: How the Simulmatics Corporation Invented the Future Jill Lepore
(4.5/5)
Free
A Brief History of Motion: From the Wheel, to the Car, to What Comes Next Tom Standage
(4.5/5)
Free
An Ugly Truth: Inside Facebook’s Battle for Domination Sheera Frenkel
(4.5/5)
Free
Bitcoin Billionaires: A True Story of Genius, Betrayal, and Redemption Ben Mezrich
(4.5/5)
Free
The Players Ball: A Genius, a Con Man, and the Secret History of the Internet's Rise David Kushner
(4.5/5)
Free
User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Cliff Kuang
(4/5)
Free
Digital Renaissance: What Data and Economics Tell Us about the Future of Popular Culture Joel Waldfogel
(3.5/5)
Free
Blockchain: The Next Everything Stephen P. Williams
(4/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free

IPTABLES Introduction

  1. 1. IPTABLES (I) HungWei Chiu
  2. 2. HungWei Chiu •MTS @ ONF •SDNDS-TW/CNTUG •Linux/Network/Container/ Kubernetes •Kuberentes Courses @Hiskio
  3. 3. Why IPTABLES
  4. 4. IPTABLES Series Introduction to IPTABLES Learn IPTABLES by Docker environment. Implementation of IPTABLES User Space/Kernel Space Implement our own iptables modules Kubernetes Service discussion Layer4 load-balancing, why ? Modify the kernel module to make it support Layer7, really ?
  5. 5. Today
  6. 6. Environment ContainerA ContainerA Linux Bridge Eth0 Eth0 Eth0 Veth0 Veth1 Host to Container Container to Container Container to WAN
  7. 7. Architecture iptables iptables-save Iptables-xxxx
  8. 8. IPTABLES/EBTABLES Example iptables -t nat -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER ebtables -t filter -I INPUT --log --log-prefix 'ctc/ebtable/filter-input' --log-level debug Components Chain. -> Insert/Append (-I/-A) Table Match (Module) -> build-in/module Target (Module). -> build-in/module
  9. 9. Chain (EBTABLES) INPUT Frames destined for the bridge itself FORWARD Frames being forwarded by the bridges OUTPUT Locally-generated Routed frames PREROUTING (PREFORWARDING) Altering frames as soon as they come in POSTROUTING (POSTFORWARDING) Altering frames as they are about to go out BROUTING Traversed very early, route or bridge frame.
  10. 10. Tables (EBTABLES) Filter Filter frames NAT Change the MAC Address broute Make the decision (bridge/route)
  11. 11. DNAT DNAT SNAT SNAT ContainerA ContainerA Linux Bridge Eth0 Eth0 Veth0 Veth1
  12. 12. Observe Flows We use the target LOG to log the packet information and then learn the packer flow in different situation. ebtables -t broute -I BROUTING --log --log-prefix 'ctc/ebtable/ broute-BROUTING' --log-level debug We focus on Host to container Container to container
  13. 13. Container to Container
  14. 14. Scripts Setup ebtables rules ./ebtables.sh Modify kernel module Add printk(....) Need to rebuild the kernel module and re-install Generate traffic to container. sudo dmesg -c (clean buffer) sudo docker exec netutils ping 172.18.0.2 -c1 sudo dmesg -c
  15. 15. Container to Container
  16. 16. Host to Container
  17. 17. Scripts Setup ebtables rules ./ebtables.sh Modify kernel module Add printk(....) Need to rebuild the kernel module and re-install Generate traffic to container. sudo dmesg -c (clean buffer) sudo ping 172.18.0.2 -c1 sudo dmesg -c
  18. 18. Host to Container PING
  19. 19. Host to Container PING
  20. 20. Before IPTABLES
  21. 21. Example (docker -p) Iperf server Linux Bridge 172.17.8.111 172.18.0.4 Veth0 MacBook VM 172.17.8.1 Iperf client In Virtual Machine docker run -d --name iperf -p 12345:5201 --entrypoint iperf3 hwchiu/ netutils -s -p 5201 In MAC iperf3 -c 172.17.8.111 12345 Iptables will do DNAT to redirect packets iptables-save -t nat -c -A DOCKER ! -i docker0 -p tcp -m tcp --dport 12345 -j DNAT --to- destination 172.18.0.4:5201
  22. 22. Conntrack Connection Tracking Connection-> application level. Track the connection: Request tuple -> Replay tuple Tuple: src_ip, dest_ip, src_port, dest_port
  23. 23. Conntrack Iperf server Linux Bridge 172.17.8.111 172.18.0.4 Veth0 MacBook VM 172.17.8.1 Iperf client Request tuple 172.17.8.1:53426 -> 172.17.8.111:12345 Reply 172.18.0.4:5201 -> 172.17.8.1:53426 Iptables do NAT only once and then conntrack handles the rest of packets.
  24. 24. Tables (IBTABLES) Raw For non-tracking packets. (Before conntrack) Mangle Change packet's information Filter Filter packets NAT Change IP address (SNAT/DNAT)
  25. 25. Chain (IPTABLES) INPUT Packets destined to local sockets FORWARD Packets being routed OUTPUT Locally-generated packets PREROUTING Altering packets as soon as they come in POSTROUTING Altering packets as they are about to go out
  26. 26. DNAT DNAT SNAT SNAT
  27. 27. Others http://xkr47.outerspace.dyndns.org/netfilter/packet_flow/packet_flow10.png
  28. 28. Observe Flows We use the target LOG to log the packet information and then learn the packer flow in different situation. iptables -t mangle -I PREROUTING -p tcp -d 172.18.0.0/16 -j LOG --log-prefix '/ iptable/mangle-PREROUTE' --log-level debug We focus on Container to container Host to container WAN to container
  29. 29. Container to Container
  30. 30. Scripts Setup ebtables rules ./ebtables.sh ./iptables.sh Generate traffic to container. sudo dmesg -c (clean buffer): sudo docker exec netutils ping 172.18.0.2 -c 1 sudo dmesg -c > test
  31. 31. Container to Container
  32. 32. No NAT in Reply Packet
  33. 33. Have You Seen This? sudo sysctl net.bridge.bridge-nf-call-iptables=1 echo '1' > /proc/sys/net/bridge/bridge-nf-call-iptables Try to repeat this case with value '0'
  34. 34. Host to Container
  35. 35. Scripts Setup ebtables rules ./ebtables.sh ./iptables.sh Generate traffic to container. sudo dmesg -c (clean buffer): ping 172.18.0.2 -c 1 sudo dmesg -c > test
  36. 36. ICMP Request to Container PING
  37. 37. ICMP Reply From Container PING
  38. 38. Others What is Bridge Check? Different Function Handler netdev_rx_handler_register br_handle_frame
  39. 39. WAN to Container
  40. 40. Scripts Setup ebtables rules ./ebtables.sh ./iptables.sh Generate traffic to container. sudo dmesg -c (clean buffer): sudo docker exec netutils ping 8.8.8.8 -c 1 sudo dmesg -c > test
  41. 41. ICMP Request to WAN PING
  42. 42. ICMP Reply From WAN PING
  43. 43. Tcpdump
  44. 44. How To Debug No Simple Way Strong knowledge of TCP/IP Capture Packets by TCPDUMP Check IPTables rules Use the log module to capture packets (watch out match rules). Check other build-in services. ARPTables Routing Tables TC (Traffic Shaping) Modify the Linux Kernel to print out packet information.
  45. 45. Q&A

×