-
Be the first to like this
Upcoming SlideShare
Understand the iptables step by step
- 1. Iptables101 coscup-2018
- 2. COSCUP2018 x openSUSE.Asia GNOME.Asia I am Hung-Wei Chiu Co-organizer of SDNDS-TW Co-organizer of CNTUUG I love Linux Network/Kubernetes/SDN You can find me at: blog.hwchiu.com
- 3. COSCUP2018 x openSUSE.Asia GNOME.Asia How Many People Known Iptables?
- 4. COSCUP2018 x openSUSE.Asia GNOME.Asia Network Interface Card PREROUUTING Network Interface Card POSTROUUTING INPUT OUTPUT INPUT OUTPUT FORWARDRouting Routing LOCAL PROCESS DNAT
- 5. COSCUP2018 x openSUSE.Asia GNOME.Asia We Don’t Focus On Those Table/Chain Today
- 6. COSCUP2018 x openSUSE.Asia GNOME.Asia User Space Kernel Space iptables ebtables application netlink/system call Kernel netfilter system Network Interface Card Network Interface Card
- 7. COSCUP2018 x openSUSE.Asia GNOME.Asia iptables, a command-line tool
- 8. COSCUP2018 x openSUSE.Asia GNOME.Asia iptables Home: ○ https://www.netfilter.org/downloads.ht ml Git ○ git://git.netfilter.org/iptables.git
- 9. COSCUP2018 x openSUSE.Asia GNOME.Asia We Focus On What Will Happen For Each Command
- 10. COSCUP2018 x openSUSE.Asia GNOME.Asia Do You Have Meet The Following Message?
- 11. COSCUP2018 x openSUSE.Asia GNOME.Asia Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
- 12. COSCUP2018 x openSUSE.Asia GNOME.Asia Whathappen iptables command needs a communication between user and kernel space. It need a lock to make sure the consistence iptables will exit if it can’t acquire the lock by default. Use the –w option to wait the lock.
- 13. COSCUP2018 x openSUSE.Asia GNOME.Asia Let Read The Source Code
- 14. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 15. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 16. COSCUP2018 x openSUSE.Asia GNOME.Asia v v
- 17. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 18. COSCUP2018 x openSUSE.Asia GNOME.Asia So, We Know The Iptables Use The File Lock
- 19. COSCUP2018 x openSUSE.Asia GNOME.Asia Do You Meet The Duplicated Rules ?
- 20. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 21. COSCUP2018 x openSUSE.Asia GNOME.Asia How Could We Solve This?
- 22. COSCUP2018 x openSUSE.Asia GNOME.Asia solution Custom chain ○ Use the ‘-F’ to flush all rules. Check before inserting rule ○ Use the ‘-C’ to check. Modify the iptables to avoid duplicated rules.
- 23. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 24. COSCUP2018 x openSUSE.Asia GNOME.Asia How Could We Solve This?
- 25. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 26. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 27. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 28. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 29. COSCUP2018 x openSUSE.Asia GNOME.Asia Now, Let We Learn How To Flush The Rules.
- 30. COSCUP2018 x openSUSE.Asia GNOME.Asia c c c
- 31. COSCUP2018 x openSUSE.Asia GNOME.Asia First, we need to know how iptables works with kernel?
- 32. COSCUP2018 x openSUSE.Asia GNOME.Asia libiptc
- 33. COSCUP2018 x openSUSE.Asia GNOME.Asia libiptc Library which manipulates firewall rules Use the system call to interact with kernel ○ GetSocketOpt ○ SetSocketOpt Maintain a cache for each iptables command.
- 34. COSCUP2018 x openSUSE.Asia GNOME.Asia workflows Initial the libiptc to fetch all current rules. Store those rules into a local cache Operates rules in that cache Commit the change to the kernel.
- 35. COSCUP2018 x openSUSE.Asia GNOME.Asia workflows Initial the libiptc to fetch all current rules. In the iptables, we use a handle (xtc_handle) to represent the cache.
- 36. COSCUP2018 x openSUSE.Asia GNOME.Asia initlibiptc Initial the libiptc to fetch all current rules.
- 37. COSCUP2018 x openSUSE.Asia GNOME.Asia c c
- 38. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 39. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 40. COSCUP2018 x openSUSE.Asia GNOME.Asia Now, we have the cache of the current rules.
- 41. COSCUP2018 x openSUSE.Asia GNOME.Asia Let We Flush Rules
- 42. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 43. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 44. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 45. COSCUP2018 x openSUSE.Asia GNOME.Asia c
- 46. COSCUP2018 x openSUSE.Asia GNOME.Asia Now, We Have Remove Rules From Cache
- 47. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 48. COSCUP2018 x openSUSE.Asia GNOME.Asia We Commit The Change After Any Commands
- 49. COSCUP2018 x openSUSE.Asia GNOME.Asia c
- 50. COSCUP2018 x openSUSE.Asia GNOME.Asia c
- 51. COSCUP2018 x openSUSE.Asia GNOME.Asia c
- 52. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 53. COSCUP2018 x openSUSE.Asia GNOME.Asia Now, We Have Flush The Rules.
- 54. COSCUP2018 x openSUSE.Asia GNOME.Asia Now, Let’s See What’s The Extension
- 55. COSCUP2018 x openSUSE.Asia GNOME.Asia Custom Match Field –m tcp –dport 1234
- 56. COSCUP2018 x openSUSE.Asia GNOME.Asia Custom Target Field –j AUDIT –type accept
- 57. COSCUP2018 x openSUSE.Asia GNOME.Asia User Space Kernel Space iptables extensions netlink/system call Kernel netfilter system Network Interface Card Network Interface Card extensions extensions extensions Kernel module Kernel module Kernel module Kernel module
- 58. COSCUP2018 x openSUSE.Asia GNOME.Asia Architecture For each extension, you need to prepare two things. User-space library to parse the command. Kernel-space module to implement that function.
- 59. COSCUP2018 x openSUSE.Asia GNOME.Asia For User-Space, iptables command should know how to parse arguments.
- 60. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 61. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 62. COSCUP2018 x openSUSE.Asia GNOME.Asia Howtoread Function ○ DNAT (upper) -> target ○ tcp (lower) -> match File naming Old style ○ libipt_ -> ipv4 ○ libip6t -> ipv6 New Style ○ libxt -> ipv4/ipv6
- 63. COSCUP2018 x openSUSE.Asia GNOME.Asia Now, We Take The Custom Match TCP as Example
- 64. COSCUP2018 x openSUSE.Asia GNOME.Asia Architecture iptables/extensions/libxt_tcp.c
- 65. COSCUP2018 x openSUSE.Asia GNOME.Asia Architecture iptables/extensions/libxt_tcp.c c
- 66. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 67. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 68. COSCUP2018 x openSUSE.Asia GNOME.Asia For Kernel-Space, There’re Some Kernel Modules In The System.
- 69. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 70. COSCUP2018 x openSUSE.Asia GNOME.Asia c
- 71. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 72. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 73. COSCUP2018 x openSUSE.Asia GNOME.Asia
- 74. COSCUP2018 x openSUSE.Asia GNOME.Asia v
- 75. COSCUP2018 x openSUSE.Asia GNOME.Asia Demo Time
- 76. COSCUP2018 x openSUSE.Asia GNOME.Asia summary The iptables system includes the user-space tool and kernel-space system. We focus on how user-space tools works today.
- 77. COSCUP2018 x openSUSE.Asia GNOME.Asia iptables iptables need a file lock to protect the rules. iptables use the library (libiptc) to control the rules via system call. You can extend the iptables by implement the extension match/target function.
- 78. COSCUP2018 x openSUSE.Asia GNOME.Asia User Space Kernel Space iptables extensions netlink/system call Kernel netfilter system Network Interface Card Network Interface Card extensions extensions extensions Kernel module Kernel module Kernel module Kernel module
- 79. COSCUP2018 x openSUSE.Asia GNOME.Asia Extenstion For each iptables extension module, you should both user-space and kernel-space. Please make sure the kernel version consistent Use—Space ○ Implement the arguments and store the data into pre-defined structure. Kernel-Space ○ Implement the match function
- 80. COSCUP2018 x openSUSE.Asia GNOME.Asia Thanks!
Login to see the comments