[2019.01.12] hst iptables 101 to 301
•
7 likes•798 views
This document provides an overview of iptables and nftables. Iptables is a user-space tool that controls netfilter, the Linux kernel module for network packet filtering and network address translation (NAT). It operates on tables, chains, and rules to filter packets. Nftables is the newer replacement for iptables that offers a more concise syntax without default tables or chains. It is based on network families and uses expressions, statements, and sets to filter packets as they pass through hooks and chains.
More Related Content
What's hot
What's hot (20)
Similar to [2019.01.12] hst iptables 101 to 301
Similar to [2019.01.12] hst iptables 101 to 301 (20)
More from Chia-Hao Tsai
More from Chia-Hao Tsai (19)
Recently uploaded
Recently uploaded (20)
[2019.01.12] hst iptables 101 to 301
- 1. iptables 101 to 301 cmj @ HST 2019-01
- 2. iptables • user-space command line tool • control netfilter - the linux kernel module (LKM) • netfilter • NAT (Net Address Translation) • Filter • … etc
- 4. iptables • iptables [-t table] -OP CHAIN STATEMENT • Table • Chain • Operation • Statement
- 5. iptables table • filter - the default table • INPUT / FORWARD / OUTPUT • nat • PREROUTING / INPUT / POSTROUTING • mangle - modify or mark packet • PREROUTING / OUTPUT / INPUT / FORWARD / POSTROUTING • raw - conntrack • security - Internal SELinux security context
- 7. iptables table (cont’) • Packet pass-throw the TABLE and CHAIN • CHAIN has priority • PREROUTING - FORWARD - POSTROUTING • PREROUTING - INPUT - OUTPUT - POSTROUTING • TABLE also has priority • Raw - Mangle - NAT - Filter
- 9. iptables parameters • Protocol - TCP / UDP / ICMP / … etc • Source / Destination (with mack) • Port • In-interface / out-interface • Fragment • Counter • … etc
- 10. iptables statement • Can do action for each / some packet on chain • ACCEPT (allow the packet) • DROP (ignore the packet) • REJECT (not allow and send an error back) • RETURN (stop traveling through the chain/sub-chain) • REDIRECT (redirect packet machine itself) • Jump / Goto (packet to another chain, RETURN to Jump or STOP) • SNAT / DNAT / MASQUERADE (used on NAT flow) • LOG / ULOG (log packet customized information) • … etc
- 11. Final Rule • In one TABLE you decide to do some VERDICT at specified CHAIN • Not all chain used on some table • Not all statement can do in some chain • Can we filter-out the packet in FILTER / PREROUTING ? • https://serverfault.com/questions/862073/linux-iptables-why- there-is-no-prerouting-hook-in-the-filter-table • Because it wouldn’t make sense there …
- 12. HARD to LEARN
- 15. nftables • After linux-kernel 3.13 • More concise • No default table / chain / rule • Performance gain : from ARRAY to Link-List
- 16. Table • Based on family • ip (default) / ip6 / inet / arp / bridge / netdev • inet both worker for filter on ip and ip6 • bridge for the bridge device • netdev handle packets from ingress • # nft add table FAMILY TABLE
- 17. Chain / Hook • Default policy for the chain • # ntf add chain [FAIMLY] TABLE CHAIN
- 18. Chain / Hook • Hook • PREROUTING / INPUT / OUTPUT / FORWARD / POSTROUTING / INGRESS • ip / ip6 / arp / bridge support from PREROUTING to POSTROUTING • arp support INPUT / OUTPUT • netdev support INGRESS which work before PREROUTING • # ntf add chain [FAIMLY] TABLE CHAIN { type TYPE hook HOOK ; policy POLICY ; }
- 19. Rule • Rule are constructed from expressions and statements • expression is same as parameter in iptables • statement is same as verdict in iptables • Extra policy for the CHAIN • # nft add rule [FAMILY] TABLE CHAIN [ { … } ] statement
- 20. Expression • meta expression • length / nfproto / protocol / iifname / cpu / … etc • fib (forward information meta) expression • oif / oifname / type • rt (routing) expression • classid (routing realm) / nexthop / mtu • Payload expression • ether / vlan / arp / … etc
- 21. Statement • Type • filter / nat / route • Statement • ACCEPT / DROP / … etc • Priority • Give a SIGN INTEGER • # nft add rule [FAMILY] TABLE CHAIN EXPRESSION STATEMENT
- 22. Example • # nft add rule inet filter tcp tcp dport 53 accept • # net add rule net filter input iif lo drop • # net add rule route output mark set 123
- 23. Sets • Two set concepts: anonymous and named • # net add rule filter input tcp dport {22, 443} accept • Named set • # net add set TABLE SET { … } • @SET
- 24. Load from Config • # nft -f • The shebang is #!/usr/sbin/nft -f
- 25. Handbook • Official wiki • https://wiki.nftables.org/wiki-nftables/index.php/ Quick_reference-nftables_in_10_minutes