The document provides an overview of iptables, discussing its architecture, functionality, and usage. It explains how iptables operates with the Linux kernel, including the role of user-space tools and the importance of file locking to maintain consistency. Additionally, it covers the extension system for adding custom match and target functions in iptables.

1. Iptables1001

2. hung-weichiu
Co-organizer of SDNDS-TW
Co-organizer of CNTUUG
Linux Network/Kubernetes/SDN
You can find me at:
blog.hwchiu.com

3. How Many People Known Iptables?

4. Why Today?

5. Reference: https://en.wikipedia.org/wiki/Iptables

6. WhyWeLearn
Learn it’s architecture
Learn how to design/implement
Think more

7. User Space
Kernel Space
iptables ebtables application
netlink/system call
Kernel
netfilter system
Network
Interface Card
Network
Interface Card

8. ebtables
Setup and maintain the tables of rules.
For Ethernet frames.

9. components
Tables
Chains
Target
Match

10. Table
filter nat broute
Different functions.
Filter the
frames
Change
the MAC
Address
Make the
decision,
route/bridge

11. Chain
input
Set of rules
output prerouting postrouting brouting
Timing of frame processing
forward

12. Chain
input
Set of rules
output prerouting postrouting brouting
Timing of frame processing
forward
brouting prerouting
input
forward
output postrouting
postrouting

13. Chain
input
Set of rules
output prerouting postrouting brouting
Timing of frame processing
forward
brouting prerouting
input
forward
output postrouting
postrouting
broute nat
nat nat
natfilter
filter filter

14. Targets/Match
Targets
○ Accept
○ Drop
○ Continue
○ Return
○ Custom-Action
Match
○ Ethernet fields
○ Input interface/ARP/Vlan/Mac/…

15. iptables
Setup and maintain the tables of rules.
For internet protocol packets.
○ ipv4/ipv6

16. components
Tables
Chains
Target
Match

17. Table
filter nat raw
Different functions.
Filter the
packets
Change
the IP
Address
Handle
for non-
tracking
packets.
mangle
Change
packet
informati
on.

18. Chain
input
Set of rules
output prerouting postrouting
Timing of frame processing
forward

19. Chain
input
Set of rules
output prerouting postrouting
Timing of frame processing
forward
prerouting
input
forward
output postrouting
postrouting

20. Chain
input
Set of rules
output prerouting postrouting
Timing of frame processing
forward
prerouting
input
forward
output postrouting
postrouting
nat
nat
nat natfilter
filter
filter
raw
raw
mangle
mangle
mangle
mangle
mangle
mangle

21. Targets/Match
Targets
○ Accept
○ Drop
○ Queue
○ Return
○ Custom-Action
Match
○ Layer3 fields
○ Custom-Match

22. Reference: https://en.wikipedia.org/wiki/Iptables

23. example
Docker0
Container0 Container1
enp0s1
1. Container0 <-> Contaienr1
2. Container0 <-> Wan
10.1.14.2 10.1.14.3
10.1.14.1

24. containertocontainer
Layer2 bridging
Via the linux bridge docker0

25. TakeAnExamplec
Docker0
Container0 Container1
enp0s1
1. Container0 <-> Contaienr1
Packets
10.1.14.2 10.1.14.3
10.1.14.1

26. Reference: https://en.wikipedia.org/wiki/Iptables
ContainertoContainer

27. containertowan
Layer2 bridging
Via the linux bridge docker0
Layer3 routing
Via the linux kernel network stack.

28. TakeAnExamplec
Docker0
Container0 Container1
enp0s1
1. Container0 <-> Wan
Packets
10.1.14.2 10.1.14.3
10.1.14.1

29. Reference: https://en.wikipedia.org/wiki/Iptables
Containertowan

30. TakeAnExamplec
Docker0
Container0 Container1
enp0s1
1. Container0 <-> Wan

31. Reference: https://en.wikipedia.org/wiki/Iptables
wantocontainer

32. Now, Let’s Discuss The Usage Of
iptables.

33. iptables, a command-line tool

34. iptables
Home:
○ https://www.netfilter.org/downloads.ht
ml
Git
○ git://git.netfilter.org/iptables.git

35. Do You Have Meet The Following
Message?

36. Another app is currently holding
the xtables lock. Perhaps you
want to use the -w option?

37. Whathappen
iptables command needs a
communication between user and
kernel space.
It need a lock to make sure the
consistence
iptables will exit if it can’t acquire the
lock by default.
Use the –w option to wait the lock.

38. Let Read The Source Code

41. v
v

43. So, We Know The Iptables Use The File
Lock

44. Now, Let We Learn How To Flush The
Rules.

45. c
c
c

46. First, we need to know how iptables
works with kernel?

47. libiptc

48. libiptc
Library which manipulates firewall
rules
Use the system call to interact with
kernel
○ GetSocketOpt
○ SetSocketOpt
Maintain a cache for each iptables
command.

49. workflows
Initial the libiptc to fetch all current
rules.
Store those rules into a local cache
Operates rules in that cache
Commit the change to the kernel.

50. workflows
Initial the libiptc to fetch all current
rules.
In the iptables, we use a handle
(xtc_handle) to represent the cache.

51. initlibiptc
Initial the libiptc to fetch all current
rules.

52. c
c

55. Now, we have the cache of the current
rules.

56. Let We Flush Rules

60. c

61. Now, We Have Remove Rules From
Cache

63. We Commit The Change After Any
Commands

64. c

65. c

66. c

68. Now, We Have Flush The Rules.

69. Now, Let’s See What’s The Extension

70. Custom Match Field
–m tcp –dport 1234

71. Custom Target Field
–j AUDIT –type accept

72. User Space
Kernel Space
iptables
extensions
netlink/system call
Kernel
netfilter system
Network
Interface Card
Network
Interface Card
extensions
extensions
extensions
Kernel module
Kernel module
Kernel module
Kernel module

73. Architecture
For each extension, you need to
prepare two things.
User-space library to parse the
command.
Kernel-space module to implement
that function.

74. For User-Space, iptables command
should know how to parse arguments.

77. Howtoread
Function
○ DNAT (upper) -> target
○ tcp (lower) -> match
File naming
Old style
○ libipt_ -> ipv4
○ libip6t -> ipv6
New Style
○ libxt -> ipv4/ipv6

78. Now, We Take The Custom Match TCP
as Example

79. Architecture
iptables/extensions/libxt_tcp.c

80. Architecture
iptables/extensions/libxt_tcp.c
c

83. For Kernel-Space, There’re Some
Kernel Modules In The System.

85. c

89. v

90. summary
The iptables system includes the
user-space tool and kernel-space
system.
We focus on how user-space tools
works today.

91. iptables
iptables need a file lock to protect the
rules.
iptables use the library (libiptc) to
control the rules via system call.
You can extend the iptables by
implement the extension
match/target function.

92. User Space
Kernel Space
iptables
extensions
netlink/system call
Kernel
netfilter system
Network
Interface Card
Network
Interface Card
extensions
extensions
extensions
Kernel module
Kernel module
Kernel module
Kernel module

93. Extenstion
For each iptables extension module,
you should both user-space and
kernel-space.
Please make sure the kernel version
consistent
Use—Space
○ Implement the arguments and store the
data into pre-defined structure.
Kernel-Space
○ Implement the match function

94. Thanks!