1.
Iptables101
coscup-2018

2.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
I am Hung-Wei Chiu
Co-organizer of SDNDS-TW
Co-organizer of CNTUUG
I love
Linux Network/Kubernetes/SDN
You can find me at:
blog.hwchiu.com

3.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
How Many People Known Iptables?

4.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Network
Interface Card
PREROUUTING
Network
Interface Card
POSTROUUTING
INPUT OUTPUT
INPUT OUTPUT
FORWARDRouting Routing
LOCAL PROCESS
DNAT

5.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
We Don’t Focus On Those Table/Chain
Today

6.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
User Space
Kernel Space
iptables ebtables application
netlink/system call
Kernel
netfilter system
Network
Interface Card
Network
Interface Card

7.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
iptables, a command-line tool

8.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
iptables
Home:
○ https://www.netfilter.org/downloads.ht
ml
Git
○ git://git.netfilter.org/iptables.git

9.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
We Focus On What Will Happen For
Each Command

10.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Do You Have Meet The Following
Message?

11.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Another app is currently holding
the xtables lock. Perhaps you
want to use the -w option?

12.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Whathappen
iptables command needs a
communication between user and
kernel space.
It need a lock to make sure the
consistence
iptables will exit if it can’t acquire the
lock by default.
Use the –w option to wait the lock.

13.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Let Read The Source Code

14.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

15.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

16.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
v
v

17.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

18.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
So, We Know The Iptables Use The File
Lock

19.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Do You Meet The Duplicated Rules ?

20.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

21.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
How Could We Solve This?

22.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
solution
Custom chain
○ Use the ‘-F’ to flush all rules.
Check before inserting rule
○ Use the ‘-C’ to check.
Modify the iptables to avoid
duplicated rules.

23.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

24.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
How Could We Solve This?

25.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

26.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

27.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

28.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

29.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Now, Let We Learn How To Flush The
Rules.

30.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
c
c
c

31.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
First, we need to know how iptables
works with kernel?

32.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
libiptc

33.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
libiptc
Library which manipulates firewall
rules
Use the system call to interact with
kernel
○ GetSocketOpt
○ SetSocketOpt
Maintain a cache for each iptables
command.

34.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
workflows
Initial the libiptc to fetch all current
rules.
Store those rules into a local cache
Operates rules in that cache
Commit the change to the kernel.

35.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
workflows
Initial the libiptc to fetch all current
rules.
In the iptables, we use a handle
(xtc_handle) to represent the cache.

36.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
initlibiptc
Initial the libiptc to fetch all current
rules.

37.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
c
c

38.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

39.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

40.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Now, we have the cache of the current
rules.

41.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Let We Flush Rules

42.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

43.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

44.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

45.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
c

46.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Now, We Have Remove Rules From
Cache

47.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

48.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
We Commit The Change After Any
Commands

49.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
c

50.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
c

51.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
c

52.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

53.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Now, We Have Flush The Rules.

54.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Now, Let’s See What’s The Extension

55.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Custom Match Field
–m tcp –dport 1234

56.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Custom Target Field
–j AUDIT –type accept

57.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
User Space
Kernel Space
iptables
extensions
netlink/system call
Kernel
netfilter system
Network
Interface Card
Network
Interface Card
extensions
extensions
extensions
Kernel module
Kernel module
Kernel module
Kernel module

58.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Architecture
For each extension, you need to
prepare two things.
User-space library to parse the
command.
Kernel-space module to implement
that function.

59.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
For User-Space, iptables command
should know how to parse arguments.

60.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

61.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

62.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Howtoread
Function
○ DNAT (upper) -> target
○ tcp (lower) -> match
File naming
Old style
○ libipt_ -> ipv4
○ libip6t -> ipv6
New Style
○ libxt -> ipv4/ipv6

63.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Now, We Take The Custom Match TCP
as Example

64.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Architecture
iptables/extensions/libxt_tcp.c

65.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Architecture
iptables/extensions/libxt_tcp.c
c

66.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

67.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

68.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
For Kernel-Space, There’re Some
Kernel Modules In The System.

69.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

70.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
c

71.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

72.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

73.
COSCUP2018
x
openSUSE.Asia GNOME.Asia

74.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
v

75.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Demo Time

76.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
summary
The iptables system includes the
user-space tool and kernel-space
system.
We focus on how user-space tools
works today.

77.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
iptables
iptables need a file lock to protect the
rules.
iptables use the library (libiptc) to
control the rules via system call.
You can extend the iptables by
implement the extension
match/target function.

78.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
User Space
Kernel Space
iptables
extensions
netlink/system call
Kernel
netfilter system
Network
Interface Card
Network
Interface Card
extensions
extensions
extensions
Kernel module
Kernel module
Kernel module
Kernel module

79.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Extenstion
For each iptables extension module,
you should both user-space and
kernel-space.
Please make sure the kernel version
consistent
Use—Space
○ Implement the arguments and store the
data into pre-defined structure.
Kernel-Space
○ Implement the match function

80.
COSCUP2018
x
openSUSE.Asia GNOME.Asia
Thanks!