Understand the iptables step by step

This talk shows how iptables works and uses the source code to explain the workflow of iptables step by step, including the file lock, the system calls, and the commands that manipulate iptables rules.
At the end, I also show the architecture of the iptables extensions and use a demo to show how to write your own iptables modules.

  1. Iptables101, COSCUP 2018
  2. COSCUP2018 x openSUSE.Asia GNOME.Asia. I am Hung-Wei Chiu, co-organizer of SDNDS-TW and co-organizer of CNTUUG. I love Linux networking, Kubernetes and SDN. You can find me at blog.hwchiu.com
  3. How Many People Know Iptables?
  4. (Diagram of the netfilter packet path: Network Interface Card -> PREROUTING (DNAT) -> Routing -> INPUT -> LOCAL PROCESS -> OUTPUT -> Routing -> POSTROUTING -> Network Interface Card, with FORWARD between the two routing decisions.)
  5. We Don't Focus On Those Tables/Chains Today
  6. (Diagram: user space holds iptables, ebtables and applications; they reach the kernel-space netfilter system through netlink/system calls; the Network Interface Cards sit below the kernel.)
  7. iptables, a command-line tool
  8. iptables home: https://www.netfilter.org/downloads.html Git: git://git.netfilter.org/iptables.git
  9. We Focus On What Happens For Each Command
  10. Have You Seen The Following Message?
  11. Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
  12. What happens: the iptables command needs to communicate between user space and kernel space. It needs a lock to keep the rules consistent. By default, iptables exits if it can't acquire the lock. Use the -w option to wait for the lock.
  13. Let's Read The Source Code
  14-17. (Source-code screenshots; not captured in the transcript.)
  18. So, We Know That Iptables Uses A File Lock
  19. Have You Seen Duplicated Rules?
  20. (Screenshot; not captured in the transcript.)
  21. How Could We Solve This?
  22. Solution: Custom chain: use '-F' to flush all of its rules. Check before inserting a rule: use '-C' to check. Modify iptables to avoid duplicated rules.
  23. (Screenshot; not captured in the transcript.)
  24. How Could We Solve This?
  25-28. (Source-code screenshots; not captured in the transcript.)
  29. Now, Let's Learn How To Flush The Rules.
  30. (Source-code screenshot; not captured in the transcript.)
  31. First, we need to know how iptables works with the kernel.
  32. libiptc
  33. libiptc: a library which manipulates firewall rules. It uses system calls to interact with the kernel: getsockopt and setsockopt. It maintains a cache for each iptables command.
  34. Workflow: initialize libiptc to fetch all current rules. Store those rules in a local cache. Operate on the rules in that cache. Commit the change to the kernel.
  35. Workflow: initialize libiptc to fetch all current rules. In iptables, a handle (xtc_handle) represents the cache.
  36. init libiptc: initialize libiptc to fetch all current rules.
  37-39. (Source-code screenshots; not captured in the transcript.)
  40. Now we have the cache of the current rules.
  41. Let's Flush The Rules
  42-45. (Source-code screenshots; not captured in the transcript.)
  46. Now We Have Removed The Rules From The Cache
  47. (Source-code screenshot; not captured in the transcript.)
  48. We Commit The Change After Any Command
  49-52. (Source-code screenshots; not captured in the transcript.)
  53. Now We Have Flushed The Rules.
  54. Now, Let's See What The Extensions Are
  55. Custom match field: -m tcp --dport 1234
  56. Custom target field: -j AUDIT --type accept
  57. (Diagram: in user space, iptables loads extensions; commands cross into kernel space through netlink/system calls; the kernel netfilter system loads a matching kernel module for each extension, above the Network Interface Cards.)
  58. Architecture: for each extension, you need to prepare two things: a user-space library to parse the command, and a kernel-space module to implement that function.
  59. For user space, the iptables command should know how to parse the arguments.
  60-61. (Source-code screenshots; not captured in the transcript.)
  62. How to read the extension names: Function: DNAT (upper case) -> target; tcp (lower case) -> match. File naming: old style: libipt_ -> IPv4, libip6t_ -> IPv6; new style: libxt_ -> IPv4/IPv6.
  63. Now, We Take The Custom Match TCP As An Example
  64. Architecture: iptables/extensions/libxt_tcp.c
  65. Architecture: iptables/extensions/libxt_tcp.c (source-code screenshot; not captured in the transcript.)
  66-67. (Source-code screenshots; not captured in the transcript.)
  68. For Kernel Space, There Are Some Kernel Modules In The System.
  69-74. (Source-code screenshots; not captured in the transcript.)
  75. Demo Time
  76. Summary: the iptables system includes the user-space tool and the kernel-space system. Today we focused on how the user-space tool works.
  77. iptables: iptables needs a file lock to protect the rules. iptables uses a library (libiptc) to control the rules via system calls. You can extend iptables by implementing extension match/target functions.
  78. (Diagram, same as slide 57.)
  79. Extensions: for each iptables extension module, you need both a user-space part and a kernel-space part. Make sure the kernel version is consistent. User space: implement the arguments and store the data into the pre-defined structure. Kernel space: implement the match function.
  80. Thanks!
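The two problems the talk raises, the xtables lock (slides 11-12) and duplicated rules (slides 19-22), handled together in one script. This is an added example and not part of the talk; IPTABLES and LOCK_WAIT are assumed override hooks of this script, and `-w <seconds>` needs iptables 1.6 or later.

```shell
#!/bin/sh
# Added example (not from the slides): idempotent iptables rule management.
# IPTABLES and LOCK_WAIT are hooks of this script, not iptables options.
IPTABLES=${IPTABLES:-iptables}
LOCK_WAIT=${LOCK_WAIT:-5}   # wait up to 5 s for the xtables lock instead of exiting

# run_ipt ARGS...: every call passes -w so concurrent iptables invocations
# (container runtimes, kube-proxy, cron jobs) queue on the lock instead of
# failing with "Another app is currently holding the xtables lock".
run_ipt() {
    "$IPTABLES" -w "$LOCK_WAIT" "$@"
}

# ensure_rule TABLE CHAIN RULE-SPEC...
# Check with -C before appending with -A, so re-running the script never
# appends a second identical rule. -C exits 0 if the rule exists, 1 if not.
ensure_rule() {
    table=$1; chain=$2; shift 2
    if run_ipt -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0                # already present, nothing to do
    fi
    run_ipt -t "$table" -A "$chain" "$@"
}

# reset_chain TABLE CHAIN: the custom-chain approach from the talk.
# Create the chain if it is missing (-N fails when it already exists), then
# flush it with -F so the caller repopulates it from scratch, duplicate-free.
reset_chain() {
    table=$1; chain=$2
    run_ipt -t "$table" -N "$chain" 2>/dev/null || true
    run_ipt -t "$table" -F "$chain"
}

# Usage: "sh script.sh apply" rebuilds a private chain and hooks it into
# INPUT; the jump rule is only added on the first run.
if [ "${1:-}" = "apply" ]; then
    reset_chain filter MY_INPUT
    ensure_rule filter MY_INPUT -p tcp --dport 22 -j ACCEPT
    ensure_rule filter INPUT -j MY_INPUT
fi
```

Flushing the whole built-in chain (`-F INPUT`) would also remove rules owned by other tools, which is why the talk's custom-chain approach flushes only the chain this script owns.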
