
Understand the iptables step by step


Show how iptables works and use the source code to explain the workflow of iptables step by step, including the file lock, the system call and the related commands for iptables rules.
At the end, I also show the architecture of the iptables extensions and use a demo to show how to write your own iptables modules.



  1. Iptables101 coscup-2018
  2. COSCUP2018 x openSUSE.Asia GNOME.Asia. I am Hung-Wei Chiu, co-organizer of SDNDS-TW and co-organizer of CNTUUG. I love Linux networking, Kubernetes and SDN. You can find me at blog.hwchiu.com
  3. How many people know iptables?
  4. (Diagram) Packet flow through the netfilter chains: Network Interface Card -> PREROUTING (DNAT) -> Routing -> INPUT -> LOCAL PROCESS -> OUTPUT -> Routing -> POSTROUTING -> Network Interface Card; packets that are not for the local host go from Routing to FORWARD and on to POSTROUTING.
  5. We don't focus on those tables/chains today.
  6. (Diagram) User space: iptables, ebtables and applications. Kernel space: the netfilter system, reached through netlink/system calls, sitting between the network interface cards.
  7. iptables, a command-line tool.
  8. iptables home: https://www.netfilter.org/downloads.html. Git: git://git.netfilter.org/iptables.git
  9. We focus on what happens for each command.
  10. Have you met the following message?
  11. "Another app is currently holding the xtables lock. Perhaps you want to use the -w option?"
  12. What happens: the iptables command needs to communicate between user space and kernel space. It needs a lock to keep the rules consistent, and by default iptables exits if it cannot acquire the lock. Use the -w option to wait for the lock.
  13. Let's read the source code.
  18. So we know that iptables uses a file lock.
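
The lock behaviour those slides walk through, as an added example that is not code from the talk or from iptables itself: a re-implementation of the flock()-based acquisition in iptables' xshared.c, showing the default give-up-at-once path (which produces the error on slide 11) beside the -w retry loop. It assumes a constructed lock path under /tmp instead of /run/xtables.lock so it runs unprivileged, and it forks a child that plays the "other app" holding the lock.

```c
#define _DEFAULT_SOURCE                     /* flock(), nanosleep() on glibc */
#include <errno.h>
#include <fcntl.h>
#include <sys/file.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#define XT_LOCK_BUSY (-2)
#define DEMO_LOCK "/tmp/xt_lock_demo.lock"  /* constructed stand-in for /run/xtables.lock */
/* wait_seconds == 0 is iptables' default: give up at once (the "Another app is
 * currently holding the xtables lock" case). wait_seconds > 0 behaves like "-w N":
 * retry every 200 ms. Returns the fd holding the lock, XT_LOCK_BUSY, or -1 on open error. */
static int xtables_lock_demo(const char *path, int wait_seconds)
{
    struct timespec interval = { 0, 200 * 1000 * 1000 };
    long remaining_ms = (long)wait_seconds * 1000;
    int fd = open(path, O_CREAT, 0600);     /* same open() flags as iptables */
    if (fd < 0) return -1;
    for (;;) {
        if (flock(fd, LOCK_EX | LOCK_NB) == 0)
            return fd;                      /* caller now owns the lock */
        if (errno != EWOULDBLOCK || remaining_ms <= 0) {
            close(fd);
            return XT_LOCK_BUSY;
        }
        nanosleep(&interval, NULL);
        remaining_ms -= 200;
    }
}
/* A child holds the lock for one second while the parent tries without -w (expect
 * busy) and then with -w 3 (expect acquired). Returns 1 if both behave like iptables. */
int lock_contention_demo(void)
{
    struct timespec head_start = { 0, 200 * 1000 * 1000 };
    int without_wait, with_wait;
    if (fork() == 0) {                      /* the "other app" */
        flock(open(DEMO_LOCK, O_CREAT, 0600), LOCK_EX);
        sleep(1);
        _exit(0);                           /* exiting closes the fd and releases the lock */
    }
    nanosleep(&head_start, NULL);           /* let the child take the lock first */
    without_wait = xtables_lock_demo(DEMO_LOCK, 0);
    with_wait = xtables_lock_demo(DEMO_LOCK, 3);
    if (with_wait >= 0) close(with_wait);
    wait(NULL);
    unlink(DEMO_LOCK);
    return without_wait == XT_LOCK_BUSY && with_wait >= 0;
}
```

Because flock() is tied to the open file description, the lock disappears as soon as the holder closes the fd or exits, which is why a crashed iptables never leaves a stale lock behind.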
  19. Have you met duplicated rules?
  21. How could we solve this?
  22. Solutions:
      ○ Custom chain: use '-F' to flush all the rules.
      ○ Check before inserting a rule: use '-C' to check whether it already exists.
      ○ Modify iptables to avoid duplicated rules.
  24. How could we solve this?
  29. Now, let's learn how to flush the rules.
  31. First, we need to know how iptables works with the kernel.
  32. libiptc
  33. libiptc: the library that manipulates firewall rules. It uses system calls to interact with the kernel (getsockopt / setsockopt) and maintains a cache for each iptables command.
  34. Workflow: initialise libiptc to fetch all current rules; store those rules in a local cache; operate on the rules in that cache; commit the change to the kernel.
  35. Workflow: initialise libiptc to fetch all current rules. In iptables, a handle (xtc_handle) represents the cache.
  36. init libiptc: initialise libiptc to fetch all current rules.
  40. Now we have the cache of the current rules.
  41. Let's flush the rules.
  46. Now we have removed the rules from the cache.
  48. We commit the change after any command.
  53. Now we have flushed the rules.
  54. Now, let's see what an extension is.
  55. Custom match field: -m tcp --dport 1234
  56. Custom target field: -j AUDIT --type accept
  57. (Diagram) User space: iptables and its extensions. Kernel space: the netfilter system and the kernel modules that implement the extensions, reached through netlink/system calls, sitting between the network interface cards.
  58. Architecture: for each extension, you need to prepare two things: a user-space library to parse the command, and a kernel-space module to implement that function.
  59. For user space, the iptables command should know how to parse the arguments.
  62. How to read:
      ○ Function: DNAT (upper case) -> target; tcp (lower case) -> match.
      ○ File naming, old style: libipt_ -> IPv4; libip6t_ -> IPv6.
      ○ File naming, new style: libxt_ -> IPv4/IPv6.
  63. Now, we take the custom match tcp as an example.
  64. Architecture: iptables/extensions/libxt_tcp.c
  68. For kernel space, there are some kernel modules in the system.
  75. Demo time
  76. Summary: the iptables system includes the user-space tool and the kernel-space system. Today we focused on how the user-space tool works.
  77. iptables needs a file lock to protect the rules. iptables uses the libiptc library to control the rules via system calls. You can extend iptables by implementing extension match/target functions.
  79. Extension: for each iptables extension module, you need both a user-space and a kernel-space part, and you must make sure the kernel versions are consistent.
      ○ User space: implement the argument parsing and store the data in a pre-defined structure.
      ○ Kernel space: implement the match function.
  80. Thanks!
