The document discusses iptables and network packet filtering. It begins with an introduction of the presenter and overview of iptables. It then covers how iptables works, including the tables, chains and communication between userspace and kernelspace. It discusses common iptables commands like flush and check. It also covers iptables extensions, how they are implemented in both userspace and kernelspace, and provides an example of custom TCP matching. The presentation aims to explain how the iptables userspace tools interact with the kernelspace netfilter system and custom extensions can be added.

1. Iptables101
coscup-2018

2. COSCUP2018
x
openSUSE.Asia GNOME.Asia
I am Hung-Wei Chiu
Co-organizer of SDNDS-TW
Co-organizer of CNTUUG
I love
Linux Network/Kubernetes/SDN
You can find me at:
blog.hwchiu.com

3. COSCUP2018
x
openSUSE.Asia GNOME.Asia
How Many People Known Iptables?

4. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Network
Interface Card
PREROUUTING
Network
Interface Card
POSTROUUTING
INPUT OUTPUT
INPUT OUTPUT
FORWARDRouting Routing
LOCAL PROCESS
DNAT

5. COSCUP2018
x
openSUSE.Asia GNOME.Asia
We Don’t Focus On Those Table/Chain
Today

6. COSCUP2018
x
openSUSE.Asia GNOME.Asia
User Space
Kernel Space
iptables ebtables application
netlink/system call
Kernel
netfilter system
Network
Interface Card
Network
Interface Card

7. COSCUP2018
x
openSUSE.Asia GNOME.Asia
iptables, a command-line tool

8. COSCUP2018
x
openSUSE.Asia GNOME.Asia
iptables
Home:
○ https://www.netfilter.org/downloads.ht
ml
Git
○ git://git.netfilter.org/iptables.git

9. COSCUP2018
x
openSUSE.Asia GNOME.Asia
We Focus On What Will Happen For
Each Command

10. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Do You Have Meet The Following
Message?

11. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Another app is currently holding
the xtables lock. Perhaps you
want to use the -w option?

12. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Whathappen
iptables command needs a
communication between user and
kernel space.
It need a lock to make sure the
consistence
iptables will exit if it can’t acquire the
lock by default.
Use the –w option to wait the lock.

13. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Let Read The Source Code

14. COSCUP2018
x
openSUSE.Asia GNOME.Asia

15. COSCUP2018
x
openSUSE.Asia GNOME.Asia

16. COSCUP2018
x
openSUSE.Asia GNOME.Asia
v
v

17. COSCUP2018
x
openSUSE.Asia GNOME.Asia

18. COSCUP2018
x
openSUSE.Asia GNOME.Asia
So, We Know The Iptables Use The File
Lock

19. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Do You Meet The Duplicated Rules ?

20. COSCUP2018
x
openSUSE.Asia GNOME.Asia

21. COSCUP2018
x
openSUSE.Asia GNOME.Asia
How Could We Solve This?

22. COSCUP2018
x
openSUSE.Asia GNOME.Asia
solution
Custom chain
○ Use the ‘-F’ to flush all rules.
Check before inserting rule
○ Use the ‘-C’ to check.
Modify the iptables to avoid
duplicated rules.

23. COSCUP2018
x
openSUSE.Asia GNOME.Asia

24. COSCUP2018
x
openSUSE.Asia GNOME.Asia
How Could We Solve This?

25. COSCUP2018
x
openSUSE.Asia GNOME.Asia

26. COSCUP2018
x
openSUSE.Asia GNOME.Asia

27. COSCUP2018
x
openSUSE.Asia GNOME.Asia

28. COSCUP2018
x
openSUSE.Asia GNOME.Asia

29. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Now, Let We Learn How To Flush The
Rules.

30. COSCUP2018
x
openSUSE.Asia GNOME.Asia
c
c
c

31. COSCUP2018
x
openSUSE.Asia GNOME.Asia
First, we need to know how iptables
works with kernel?

32. COSCUP2018
x
openSUSE.Asia GNOME.Asia
libiptc

33. COSCUP2018
x
openSUSE.Asia GNOME.Asia
libiptc
Library which manipulates firewall
rules
Use the system call to interact with
kernel
○ GetSocketOpt
○ SetSocketOpt
Maintain a cache for each iptables
command.

34. COSCUP2018
x
openSUSE.Asia GNOME.Asia
workflows
Initial the libiptc to fetch all current
rules.
Store those rules into a local cache
Operates rules in that cache
Commit the change to the kernel.

35. COSCUP2018
x
openSUSE.Asia GNOME.Asia
workflows
Initial the libiptc to fetch all current
rules.
In the iptables, we use a handle
(xtc_handle) to represent the cache.

36. COSCUP2018
x
openSUSE.Asia GNOME.Asia
initlibiptc
Initial the libiptc to fetch all current
rules.

37. COSCUP2018
x
openSUSE.Asia GNOME.Asia
c
c

38. COSCUP2018
x
openSUSE.Asia GNOME.Asia

39. COSCUP2018
x
openSUSE.Asia GNOME.Asia

40. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Now, we have the cache of the current
rules.

41. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Let We Flush Rules

42. COSCUP2018
x
openSUSE.Asia GNOME.Asia

43. COSCUP2018
x
openSUSE.Asia GNOME.Asia

44. COSCUP2018
x
openSUSE.Asia GNOME.Asia

45. COSCUP2018
x
openSUSE.Asia GNOME.Asia
c

46. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Now, We Have Remove Rules From
Cache

47. COSCUP2018
x
openSUSE.Asia GNOME.Asia

48. COSCUP2018
x
openSUSE.Asia GNOME.Asia
We Commit The Change After Any
Commands

49. COSCUP2018
x
openSUSE.Asia GNOME.Asia
c

50. COSCUP2018
x
openSUSE.Asia GNOME.Asia
c

51. COSCUP2018
x
openSUSE.Asia GNOME.Asia
c

52. COSCUP2018
x
openSUSE.Asia GNOME.Asia

53. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Now, We Have Flush The Rules.

54. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Now, Let’s See What’s The Extension

55. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Custom Match Field
–m tcp –dport 1234

56. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Custom Target Field
–j AUDIT –type accept

57. COSCUP2018
x
openSUSE.Asia GNOME.Asia
User Space
Kernel Space
iptables
extensions
netlink/system call
Kernel
netfilter system
Network
Interface Card
Network
Interface Card
extensions
extensions
extensions
Kernel module
Kernel module
Kernel module
Kernel module

58. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Architecture
For each extension, you need to
prepare two things.
User-space library to parse the
command.
Kernel-space module to implement
that function.

59. COSCUP2018
x
openSUSE.Asia GNOME.Asia
For User-Space, iptables command
should know how to parse arguments.

60. COSCUP2018
x
openSUSE.Asia GNOME.Asia

61. COSCUP2018
x
openSUSE.Asia GNOME.Asia

62. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Howtoread
Function
○ DNAT (upper) -> target
○ tcp (lower) -> match
File naming
Old style
○ libipt_ -> ipv4
○ libip6t -> ipv6
New Style
○ libxt -> ipv4/ipv6

63. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Now, We Take The Custom Match TCP
as Example

64. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Architecture
iptables/extensions/libxt_tcp.c

65. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Architecture
iptables/extensions/libxt_tcp.c
c

66. COSCUP2018
x
openSUSE.Asia GNOME.Asia

67. COSCUP2018
x
openSUSE.Asia GNOME.Asia

68. COSCUP2018
x
openSUSE.Asia GNOME.Asia
For Kernel-Space, There’re Some
Kernel Modules In The System.

69. COSCUP2018
x
openSUSE.Asia GNOME.Asia

70. COSCUP2018
x
openSUSE.Asia GNOME.Asia
c

71. COSCUP2018
x
openSUSE.Asia GNOME.Asia

72. COSCUP2018
x
openSUSE.Asia GNOME.Asia

73. COSCUP2018
x
openSUSE.Asia GNOME.Asia

74. COSCUP2018
x
openSUSE.Asia GNOME.Asia
v

75. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Demo Time

76. COSCUP2018
x
openSUSE.Asia GNOME.Asia
summary
The iptables system includes the
user-space tool and kernel-space
system.
We focus on how user-space tools
works today.

77. COSCUP2018
x
openSUSE.Asia GNOME.Asia
iptables
iptables need a file lock to protect the
rules.
iptables use the library (libiptc) to
control the rules via system call.
You can extend the iptables by
implement the extension
match/target function.

78. COSCUP2018
x
openSUSE.Asia GNOME.Asia
User Space
Kernel Space
iptables
extensions
netlink/system call
Kernel
netfilter system
Network
Interface Card
Network
Interface Card
extensions
extensions
extensions
Kernel module
Kernel module
Kernel module
Kernel module

79. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Extenstion
For each iptables extension module,
you should both user-space and
kernel-space.
Please make sure the kernel version
consistent
Use—Space
○ Implement the arguments and store the
data into pre-defined structure.
Kernel-Space
○ Implement the match function

80. COSCUP2018
x
openSUSE.Asia GNOME.Asia
Thanks!