A brief overview of how the ubiquitous 'iptables' command works, under the hood. This is by no means complete, and is intended as a primer. I presented these slides in addition to an interactive demo as a guest lecturer at a computer network security class at DePaul University, Chicago, IL.
4. Network Fundamentals
● Kernel handles TCP/IP traffic, with some exceptions (beyond scope of this talk)
● TCP/IP stack is complicated, and absolutely critical to the functioning of the OS
○ Stack located within the kernel, NOT USERSPACE
○ Will not cover every detail here -- sorry!
● Some Subroutines and System Calls - EGRESS
○ Layer 5 - write(), sendto(), sendmsg() -- syscalls; all can send data over the network
○ Layer 4 - tcp_sendmsg() (see tcp.c in the kernel source) -- can emit data frames at the appropriate time
○ Layer 3
■ ip_queue_xmit() - routing, creates the IPv4 header
■ nf_hook() - performs network filtering
■ ip_output() - performs post-routing filtering
○ Layer 2 - primarily queueing of packets / queueing discipline (qdisc)
Credit: The Linux Foundation
5. Network Fundamentals
● Some Subroutines and System Calls - INGRESS
○ Layer 2 - netif_receive_skb() -- feeds a packet into the kernel
○ Layer 3
■ ARP - arp_rcv()
■ IP - ip_rcv()
○ Layer 4
■ TCP - tcp_v4_rcv()
○ Layer 5 - read(), recvfrom(), recvmsg() -- syscalls, receive data from the network
Credit: The Linux Foundation
10. Network Administration
● Network Information
○ ip route show displays host-based routing tables
○ ip address show displays L3 information
○ ip link show displays L2 information
● Socket Information
○ ss -tanup displays socket information
● Others*
○ route, netstat -rn displays host-based routing tables
○ ifconfig -a displays all available network interfaces
○ netstat -tulpn displays socket information
* some of these are deprecated because they rely on net-tools, which is itself deprecated
11. Network Administration
● Static Network Configuration (Temporary)
○ ip route add default via <ip_addr> adds the default route
○ ip address add <ip_addr> dev <dev> adds an L3 IP address to the interface
● Static Network Configuration (Persistent, RHEL-derivatives)
○ /etc/sysconfig/network global NIC configuration
○ /etc/sysconfig/network-scripts/ifcfg-* per-NIC configuration
● Static Network Configuration (Persistent, Debian-derivatives)
○ /etc/network/interfaces global NIC configuration
○ /etc/network/interfaces.d/<nic>.cfg per-NIC configuration
● Others*
○ route add default via <ip_addr>
○ ifconfig <dev> <ip_addr>
12. Network Administration
● DNS Configuration
○ /etc/resolv.conf resolver configuration, used by getnameinfo()
○ /etc/nsswitch.conf name service switch - per-category service provider definitions
○ /etc/hosts a service provider - for instance consumed by dnsmasq for A records
14. IPTables Fundamentals
● What is iptables?
○ iptables is a generic table structure for the definition of rulesets.
○ Each rule within an IP table consists of a number of
■ Classifiers (iptables matches)
■ And one connected action (iptables target)
● Kernel module is netfilter
○ Must be loaded into the kernel (2.4.X+)
○ Performs stateless and stateful network filtering
● Consists of three tables
○ Mangle - handle special packets
○ NAT - perform network address translation for network behind the server
○ Filter - perform packet filtering for the server itself
● Each table has one or more chains
● IPTables can forward packets and perform NAT
○ More network route/switch gear is becoming Linux/UNIX based (e.g. Arista, Cumulus Networks)
Credit: netfilter project, NTU CSIE
15. Tangent - OCP Switches
Credit: OCP/Facebook, James R. Hamilton
Pictured: Cumulus Networks; Facebook 6-Pack (40GE)
16. IPTables Fundamentals
● Three Tables
○ Mangle - handle special packets
■ INPUT - Ingress network traffic
■ OUTPUT - Egress network traffic
■ FORWARD - Forward to network behind server
○ NAT - perform network address translation for network behind the server
■ PREROUTING - Rules PRIOR to routing decision
■ POSTROUTING - Rules AFTER the routing decision
■ OUTPUT - Rules for transmitted packets
○ Filter - perform packet filtering for the server itself
● Targets, Jumps
○ Handles a packet that fully matches the match section of the rule
○ Target Examples: ACCEPT, DROP, CLASSIFY (qdisc), CLUSTERIP, DNAT/SNAT, DSCP/ECN
Credit: NTU CSIE
17. IPTables Fundamentals
● Connection Tracking
○ Not a true state machine, though people often refer to it as one
○ Facilitated by conntrack
■ Can be a kernel module
■ Can be built into the kernel
○ Userland States: NEW, ESTABLISHED, RELATED, INVALID, UNTRACKED
● Commands for conntrack
○ If ip_conntrack kernel module loaded
■ /proc/net/ip_conntrack
Credit: University of New Hampshire, Computer Science Department
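As an added example (not from the slides), here the tables, chains and targets of slide 16 and the conntrack states of slide 17 are combined into one minimal stateful host ruleset. The upstream interface eth0, the 10.0.0.0/24 network behind the server and SSH on 22/tcp are assumptions; run without arguments it only prints the commands.

```shell
#!/bin/sh
# Added example (not from the slides): a minimal stateful ruleset using the
# filter and NAT tables, the INPUT/FORWARD/POSTROUTING chains, the
# ACCEPT/DROP/MASQUERADE targets and the conntrack states NEW, ESTABLISHED,
# RELATED and INVALID. Assumed: eth0 faces upstream, 10.0.0.0/24 is the LAN
# behind the server, sshd listens on 22/tcp.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"

apply_rules() {
    # Start from empty filter and NAT tables.
    $IPT -t filter -F
    $IPT -t nat -F

    # Default-deny for packets addressed to or routed through this host;
    # locally generated traffic is allowed out.
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT

    # Loopback is trusted; packets conntrack cannot classify are dropped early.
    $IPT -t filter -A INPUT -i lo -j ACCEPT
    $IPT -t filter -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Replies to connections this host opened (ESTABLISHED) and helper-tracked
    # secondary flows (RELATED) are admitted without per-port rules.
    $IPT -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The only NEW inbound connections accepted are to SSH.
    $IPT -t filter -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # Forwarding for the LAN: hosts behind the server may open connections
    # toward the upstream interface; only replies to them are forwarded back.
    $IPT -t filter -A FORWARD -m conntrack --ctstate INVALID -j DROP
    $IPT -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -m conntrack --ctstate NEW -j ACCEPT

    # NAT table, POSTROUTING chain (after the routing decision): rewrite LAN
    # source addresses to the upstream interface address.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Print each iptables invocation instead of executing it (no root needed).
show() { printf 'iptables %s\n' "$*"; }
dry_run() { ( IPT=show; apply_rules; ); }

if [ "${1:-}" = "apply" ]; then apply_rules; else dry_run; fi
```

Run it as `sh firewall.sh apply` (as root) to install the rules; rule order matters, since the first matching rule's target decides the packet's fate.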