Linux Networks & Filtering
James Daniel
2017-09-21
Overview
● Linux Networking Overview
● Linux Network Administration
● IPTables
Linux Networking Overview
● Kernel handles TCP/IP traffic, with some exceptions (beyond scope of this talk)
● TCP/IP stack is complicated, and absolutely critical to the functioning of the OS
○ Stack located within the kernel, NOT USERSPACE
○ Will not cover every detail here -- sorry!
● Some Subroutines and System Calls - EGRESS
○ Layer 5 - write(), sendto(), sendmsg() -- all can send data over network, syscalls
○ Layer 4 - tcp_sendmsg (see tcp.c kernel source code) -- can emit data frames at appropriate time
○ Layer 3
■ ip_queue_xmit() - routing, create IPv4 header
■ nf_hook() - performs network filtering
■ ip_output() - performs post-routing filtering
○ Layer 2 - primarily packet queueing and queueing disciplines (qdisc)
Network Fundamentals
Credit: The Linux Foundation
● Some Subroutines and System Calls - INGRESS
○ Layer 2 - netif_receive_skb() -- feeds a received packet into the kernel stack
○ Layer 3
■ ARP - arp_rcv()
■ IP - ip_rcv()
○ Layer 4
■ TCP - tcp_v4_rcv()
○ Layer 5 - read(), recvfrom(), recvmsg() - syscalls, receive data from network
Network Fundamentals
Credit: The Linux Foundation
Network Fundamentals
Credit: University of New Hampshire, Computer Science Department
Network Fundamentals
Credit: Wikipedia
Network Fundamentals
Credit: Pranesh Santikellur
Linux Networking Administration
Network Administration
● Network Information
○ ip route show displays host-based routing tables
○ ip address show displays L3 information
○ ip link show displays L2 information
● Socket Information
○ ss -tanup displays socket information
● Others*
○ route, netstat -rn displays host-based routing tables
○ ifconfig -a displays all available network interfaces
○ netstat -tulpn displays socket information
* some of these are deprecated: they come from net-tools, which is itself deprecated
● Static Network Configuration (Temporary)
○ ip route add default via <ip_addr> adds the default route
○ ip address add <ip_addr> dev <dev> adds an L3 IP address
● Static Network Configuration (Persistent, RHEL-derivatives)
○ /etc/sysconfig/network global NIC configuration
○ /etc/sysconfig/network-scripts/ifcfg-* per-NIC configuration
● Static Network Configuration (Persistent, Debian-derivatives)
○ /etc/network/interfaces global NIC configuration
○ /etc/network/interfaces.d/<nic>.cfg per-NIC configuration
● Others*
○ route add default via <ip_addr>
○ ifconfig <dev> <ip_addr>
Network Administration
● DNS Configuration
○ /etc/resolv.conf resolver configuration, used by getnameinfo()
○ /etc/nsswitch.conf name service switch: which source (files, dns, ...) answers each lookup category
○ /etc/hosts static host entries; also consumed by dnsmasq, for instance, to answer A records
IPTables
IPTables Fundamentals
● What is iptables?
○ iptables is a generic table structure for the definition of rulesets.
○ Each rule within an IP table consists of a number of
■ Classifiers (iptables matches)
■ And one connected action (iptables target)
● Kernel module is netfilter
○ Must be loaded into the kernel (2.4.X+)
○ Performs stateless and stateful network filtering
● Consists of three tables
○ Mangle - handle special packets
○ NAT - perform network address translation for network behind the server
○ Filter - perform packet filtering for the server itself
● Each table can have >= 1 chain
● IPTables can forward packets, perform NAT
○ More network route/switch gear becoming Linux/UNIX based (e.g. Arista, Cumulus Networks)
Credit: netfilter project, NTU CSIE
Tangent - OCP Switches
Credit: OCP/Facebook, James R. Hamilton
Cumulus Networks; Facebook 6-Pack (40GE)
IPTables Fundamentals
● Three Tables
○ Mangle - handle special packets
■ INPUT - Ingress network traffic
■ OUTPUT - Egress network traffic
■ FORWARD - Forward to network behind server
○ NAT - perform network address translation for network behind the server
■ PREROUTING - Rules PRIOR to routing decision
■ POSTROUTING - Rules AFTER the routing decision
■ OUTPUT - Rules for transmitted packets
○ Filter - perform packet filtering for the server itself
● Targets, Jumps
○ Applied to a packet that fully matches the match section of the rule
○ Target Examples: ACCEPT, DROP, CLASSIFY (qdisc), CLUSTERIP, DNAT/SNAT, DSCP/ECN
Credit: NTU CSIE
IPTables Fundamentals
● Connection Tracking
○ Not a true state machine, though people often call it one
○ Facilitated by conntrack
■ Can be a loadable kernel module
■ Can be built into the kernel
○ Userland States: NEW, ESTABLISHED, RELATED, INVALID, UNTRACKED
● Commands for conntrack
○ If ip_conntrack kernel module loaded
■ /proc/net/ip_conntrack
Credit: University of New Hampshire, Computer Science Department
IPTables Fundamentals
Credit: iptables.info
IPTables Fundamentals
● ip_conntrack example (cat /proc/net/ip_conntrack)
tcp 6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 [ASSURED] use=2
Credit: iptables.info
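An added example, not part of the slides: a small parser for the /proc/net/ip_conntrack format shown above, which splits each entry into its original tuple, the reply tuple conntrack expects, and the bracketed flags, then counts half-open ([UNREPLIED]) entries. The sample lines are constructed for the example; they are not taken from a real host.

```shell
# Constructed sample in the /proc/net/ip_conntrack format shown on the slide
# (two entries: a half-open outbound SSH attempt and an established HTTPS flow).
CONNTRACK_SAMPLE='tcp      6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 use=2
tcp      6 431999 ESTABLISHED src=192.168.1.6 dst=192.168.1.20 sport=40001 dport=443 src=192.168.1.20 dst=192.168.1.6 sport=443 dport=40001 [ASSURED] use=1'

# Parse conntrack lines from stdin into one "proto|state|orig|reply|flags" record
# per line. The src/dst/sport/dport keys appear twice: the first set is the
# original direction, the second is the reply tuple conntrack expects back.
parse_conntrack() {
    awk '{
        split("", kv); split("", seen)
        proto = $1; state = ""; flags = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^\[/) {
                # bracketed flags such as [UNREPLIED] or [ASSURED]
                flags = flags $i
            } else if (index($i, "=") > 0) {
                # key=value token; number repeated keys (src_1, src_2, ...)
                split($i, p, "=")
                kv[p[1] "_" (++seen[p[1]])] = p[2]
            } else if ($i ~ /^[A-Z_]+$/) {
                # TCP state name (SYN_SENT, ESTABLISHED, ...); absent for UDP
                state = $i
            }
        }
        printf "%s|%s|%s:%s->%s:%s|%s:%s->%s:%s|%s\n", proto, state,
            kv["src_1"], kv["sport_1"], kv["dst_1"], kv["dport_1"],
            kv["src_2"], kv["sport_2"], kv["dst_2"], kv["dport_2"], flags
    }'
}

# Count entries whose original direction never got an answer. A pile of these
# toward one port is worth a look: a scan in progress, or a dead/filtered service.
unreplied_count() {
    parse_conntrack | grep -c 'UNREPLIED'
}

# Usage on a live host (needs the ip_conntrack module, as on the slide):
#   cat /proc/net/ip_conntrack | parse_conntrack
printf '%s\n' "$CONNTRACK_SAMPLE" | parse_conntrack
```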
IPTables Fundamentals
Credit: Advanced Internet Technologies
IPTables Fundamentals
Credit: NTU CSIE
IPTables Commands
● IPTables Basic Args
○ -L lists the rules in all chains; -A appends a rule to a chain; -P sets a chain's default policy
● Default Policy
○ iptables -P INPUT DROP
○ iptables -P FORWARD DROP
○ iptables -P OUTPUT DROP
● Ingress Filter by Protocol (Example: ICMP Pings)
○ iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
○ iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
● Egress Filter by Protocol (Example: ICMP Pings)
○ iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
○ iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
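An added example, not from the slides, that combines the DROP policies and ICMP rules above into a complete default-deny host ruleset, adding the loopback and conntrack-state rules (NEW, ESTABLISHED, RELATED, INVALID from the connection-tracking slide) that the bare policies need in order not to break existing sessions. It assumes management over SSH on port 22 and outbound DNS; DRY_RUN=1 prints the commands instead of running them, so no root is required to read the result.

```shell
#!/bin/sh
# Added example: minimal stateful default-deny firewall for the host itself
# (the Filter table). Set DRY_RUN=0 to apply for real (requires root).
: "${DRY_RUN:=1}"
SSH_PORT="${SSH_PORT:-22}"   # assumption: management over SSH on port 22

# Run or print one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    # Start from an empty Filter table so reruns are idempotent.
    ipt -F
    ipt -X

    # Order matters: allow loopback and established traffic BEFORE setting the
    # DROP policies, otherwise the SSH session loading these rules is cut off.
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT  -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Only NEW inbound connections to SSH are admitted.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # ICMP echo in both directions, exactly as on the slide.
    ipt -A INPUT  -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A OUTPUT -p icmp --icmp-type echo-reply   -j ACCEPT
    ipt -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT  -p icmp --icmp-type echo-reply   -j ACCEPT

    # Outbound DNS so the resolver in /etc/resolv.conf keeps working.
    ipt -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # Default policies go last; everything not matched above is dropped.
    ipt -P INPUT   DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT  DROP
}

# Number of iptables commands the ruleset issues (meaningful in dry-run mode).
count_rules() {
    build_ruleset | grep -c '^iptables '
}

build_ruleset
```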