

IPtables and Netfilter

Comp Sci 3600 Security


Outline

1 Introduction
  IPtables, netfilter, kernel networking

2 Architecture
  Chains in tables
  Tables
  Chains rely on kernel hooks
  Chains
  Rules
  Traversal order

3 Stateful connection tracking
  TCP connections
  UDP "connection" tracking


Linux firewall: IPtables

• Iptables is the userspace module, the bit that you, the user, interact with at the command line to enter firewall rules into predefined tables.

• Netfilter is a kernel module, built into the kernel, that actually does the filtering.

• There are many GUI front ends for iptables that allow users to add or define rules through a point-and-click user interface, but these often lack the flexibility of the command line interface and limit the user's understanding of what is really happening.


IPtables and netfilter

• User-space: Iptables resides in what we call the user-space; this is your interface to the firewall for setting up your firewall rules. The same applies to ip6tables, nft, etc.

• Kernel: netfilter, the framework which iptables configures. Netfilter implements a series of 'hooks' that inspect packets in the protocol stack, such as IPv4. These hooks allow kernel modules to interact with them. Iptables has a huge list of kernel modules used for its firewalling capabilities, everything from TCP and UDP to pkttype (Packet Type). In fact, if you want to see the list of iptables match modules, type: cat /proc/net/ip_tables_matches

• Hardware / interfaces: Network adapters; eth0, eth1, etc. Netfilter uses prerouting and postrouting to and from the network stack to inspect packets sent and received on each interface.

• Packet inspection is done at the kernel layer by netfilter, and all the firewall rules and tools to manage the firewall reside in the user-space.

IPtables and netfilter (figures)


Chains in tables

As a packet triggers a netfilter hook, the associated chains will be processed as they are listed in the table above from top to bottom, with rules processed from top to bottom.


Tables

• filter table is one of the most widely used tables in iptables. The filter table is used to make decisions about whether to let a packet continue to its intended destination or to deny its request. In firewall parlance, this is known as "filtering" packets. This table provides the bulk of the functionality that people think of when discussing firewalls.

• nat table is used to implement network address translation rules. As packets enter the network stack, rules in this table will determine whether and how to modify the packet's source or destination addresses in order to impact the way that the packet and any response traffic are routed.

• mangle table is used to alter the IP headers of the packet in various ways. You can adjust the TTL (Time to Live) value of a packet, either lengthening or shortening the number of valid network hops the packet can sustain.


• The iptables firewall is stateful, meaning that packets are evaluated in regards to their relation to previous packets. The connection tracking features built on top of the netfilter framework allow iptables to view packets as part of an ongoing connection or session instead of as a stream of discrete, unrelated packets. The connection tracking logic is usually applied very soon after the packet hits the network interface. The raw table has a very narrowly defined function. Its only purpose is to provide a mechanism for marking packets in order to opt out of connection tracking.

• The security table is used to set internal SELinux security context marks on packets, which will affect how SELinux or other systems that can interpret SELinux security contexts handle the packets. These marks can be applied on a per-packet or per-connection basis.

Chains in tables (figure)


Netfilter Kernel Hooks

There are 5 netfilter hooks that programs can register with. As packets progress through the stack, they will trigger the kernel modules that have registered with these hooks. Which hooks a packet will trigger depends on whether the packet is incoming or outgoing, the packet's destination, and whether the packet was dropped or rejected at a previous point.

• NF_IP_PRE_ROUTING: will be triggered by any incoming traffic very soon after entering the network stack. It is processed before any routing decisions have been made regarding where to send the packet.

• NF_IP_LOCAL_IN: is triggered after an incoming packet has been routed if the packet is destined for the local system.

• NF_IP_FORWARD: is triggered after an incoming packet has been routed if the packet is to be forwarded to another host.

• NF_IP_LOCAL_OUT: is triggered by any locally created outbound traffic as soon as it hits the network stack.

• NF_IP_POST_ROUTING: is triggered by any outgoing or forwarded traffic after routing has taken place and just before being put out on the wire.


Chains

As you can see, the names of the built-in chains mirror the names of the netfilter hooks they are associated with:

• PREROUTING: Triggered by the NF_IP_PRE_ROUTING hook.

• INPUT: Triggered by the NF_IP_LOCAL_IN hook.

• FORWARD: Triggered by the NF_IP_FORWARD hook.

• OUTPUT: Triggered by the NF_IP_LOCAL_OUT hook.

• POSTROUTING: Triggered by the NF_IP_POST_ROUTING hook.


Rules in chains

Rules are also processed in order, often with a catch-all at the end.


Chain Traversal Order

Assuming that the server knows how to route a packet and that the firewall rules permit its transmission, the following flows represent the paths that will be traversed in different situations:

• Incoming packets destined for the local system: PREROUTING -> INPUT

• Incoming packets destined to another host: PREROUTING -> FORWARD -> POSTROUTING

• Locally generated packets: OUTPUT -> POSTROUTING


IPtables and netfilter flow


Targets (another chain to send to)

A target is the action that is triggered when a packet meets the matching criteria of a rule. Targets are generally divided into two categories:

• Terminating targets: Terminating targets perform an action which terminates evaluation within the chain and returns control to the netfilter hook. Depending on the return value provided, the hook might drop the packet or allow the packet to continue to the next stage of processing.

• Non-terminating targets: Non-terminating targets perform an action and continue evaluation within the chain. Although each chain must eventually pass back a final terminating decision, any number of non-terminating targets can be executed beforehand.

• Common targets are ACCEPT, DROP, REJECT, LOG, etc.
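To make the chain traversal order and the terminating versus non-terminating distinction concrete, here is an added Python model (not code from the lecture) that walks a packet along its chain path and evaluates rules top to bottom, including a jump into a user-defined chain, a non-terminating LOG and a catch-all DROP; the Packet and Rule fields and the 'filter' ruleset are constructed for illustration.

```python
"""Mini model of iptables rule evaluation along the netfilter chain path.

Added example, not code from the lecture. The hook names, the three chain
traversal paths and the terminating/non-terminating target split are taken
from the slides; Packet/Rule fields and the 'filter' ruleset at the bottom
are constructed here for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Built-in chain -> netfilter hook that triggers it (slide 'Chains').
HOOK_FOR_CHAIN = {
    "PREROUTING": "NF_IP_PRE_ROUTING",
    "INPUT": "NF_IP_LOCAL_IN",
    "FORWARD": "NF_IP_FORWARD",
    "OUTPUT": "NF_IP_LOCAL_OUT",
    "POSTROUTING": "NF_IP_POST_ROUTING",
}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # end evaluation in the chain
# LOG is non-terminating: it acts and evaluation continues with the next rule.


@dataclass(frozen=True)
class Packet:
    locally_generated: bool     # created by a process on this host
    for_local_host: bool        # destination address is one of ours
    proto: str = "tcp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    target: str                     # ACCEPT/DROP/REJECT/LOG/RETURN or a user chain name
    proto: Optional[str] = None     # None = any, like omitting -p
    dport: Optional[int] = None     # None = any, like omitting --dport

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class Chain:
    rules: List[Rule]
    policy: Optional[str] = None    # built-in chains have a policy, user chains do not


def chain_path(pkt: Packet) -> List[str]:
    """Built-in chains a packet visits (slide 'Chain Traversal Order')."""
    if pkt.locally_generated:
        return ["OUTPUT", "POSTROUTING"]
    if pkt.for_local_host:
        return ["PREROUTING", "INPUT"]
    return ["PREROUTING", "FORWARD", "POSTROUTING"]


def run_chain(table: Dict[str, Chain], name: str, pkt: Packet, log: List[str]) -> str:
    """Evaluate one chain top to bottom. Returns ACCEPT/DROP/REJECT, or RETURN when
    a user chain runs out of rules (or an explicit RETURN rule matches)."""
    chain = table[name]
    for i, rule in enumerate(chain.rules, 1):
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINATING:
            return rule.target
        if rule.target == "LOG":                    # non-terminating: note it, go on
            log.append(f"{name} rule {i}: {pkt.proto}/{pkt.dport}")
            continue
        if rule.target == "RETURN":
            break
        verdict = run_chain(table, rule.target, pkt, log)   # jump into a user chain
        if verdict != "RETURN":
            return verdict
    # No terminating rule matched: a built-in chain falls back to its policy
    # (the catch-all the slides mention); a user chain returns to its caller.
    return chain.policy if chain.policy is not None else "RETURN"


def filter_verdict(table: Dict[str, Chain], pkt: Packet) -> Tuple[str, List[str]]:
    """Walk the packet's chain path through the 'filter' table (which only has
    INPUT/FORWARD/OUTPUT chains); the first DROP/REJECT ends the packet's journey."""
    log: List[str] = []
    for name in chain_path(pkt):
        if name in table:
            verdict = run_chain(table, name, pkt, log)
            if verdict != "ACCEPT":
                return verdict, log
    return "ACCEPT", log


# Constructed 'filter' table: INPUT jumps to a user chain for allowed services,
# logs anything still unmatched and ends with an explicit catch-all DROP.
FILTER = {
    "INPUT": Chain([Rule("SERVICES"), Rule("LOG"), Rule("DROP")], policy="ACCEPT"),
    "FORWARD": Chain([], policy="DROP"),
    "OUTPUT": Chain([], policy="ACCEPT"),
    "SERVICES": Chain([Rule("ACCEPT", "tcp", 22), Rule("ACCEPT", "tcp", 443)]),
}
```

Calling `filter_verdict(FILTER, Packet(False, True, "tcp", 23))` shows the path the slides describe: the user chain returns without a verdict, LOG fires but does not stop evaluation, and the catch-all DROP decides.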


TCP state tracking: connection

For a stateful firewall:


TCP state tracking: closing


TCP state tracking: client sub-connection


TCP state tracking: server sub-connection


UDP state tracking: "connection"

Watches inverted port numbers


State Explanation: NEW

• The NEW state tells us that the packet is the first packet that we see. This means that the first packet that the conntrack module sees, within a specific connection, will be matched. For example, if we see a SYN packet and it is the first packet in a connection that we see, it will match. However, the packet may as well not be a SYN packet and still be considered NEW. This may lead to certain problems in some instances, but it may also be extremely helpful when we need to pick up lost connections from other firewalls, or when a connection has already timed out, but in reality is not closed.


State Explanation: ESTABLISHED

• The ESTABLISHED state has seen traffic in both directions and will then continuously match those packets. ESTABLISHED connections are fairly easy to understand. The only requirement to get into an ESTABLISHED state is that one host sends a packet, and that it later on gets a reply from the other host. The NEW state will, upon receipt of the reply packet to or through the firewall, change to the ESTABLISHED state. ICMP reply messages can also be considered as ESTABLISHED, if we created a packet that in turn generated the reply ICMP message.


State Explanation: RELATED

• The RELATED state is one of the more tricky states. A connection is considered RELATED when it is related to another already ESTABLISHED connection. What this means is that for a connection to be considered as RELATED, we must first have a connection that is considered ESTABLISHED. The ESTABLISHED connection will then spawn a connection outside of the main connection. The newly spawned connection will then be considered RELATED, if the conntrack module is able to understand that it is RELATED. Some good examples of connections that can be considered as RELATED are the FTP-data connections that are considered RELATED to the FTP control port, and the DCC connections issued through IRC. This could be used to allow ICMP error messages, FTP transfers and DCCs to work properly through the firewall. Do note that most TCP protocols and some UDP protocols that rely on this mechanism are quite complex and send connection information within the payload of the TCP or UDP data segments, and hence require special helper modules to be correctly understood.


State Explanation: INVALID

• The INVALID state means that the packet can't be identified or that it does not have any state. This may be due to several reasons, such as the system running out of memory or ICMP error messages that do not respond to any known connections. Generally, it is a good idea to DROP everything in this state.


State Explanation: UNTRACKED

• This is the UNTRACKED state. In brief, if a packet is marked within the raw table with the NOTRACK target, then that packet will show up as UNTRACKED in the state machine. This also means that all RELATED connections will not be seen, so some caution must be taken when dealing with the UNTRACKED connections since the state machine will not be able to see related ICMP messages et cetera.
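To tie the five state explanations together, here is an added Python model (not the kernel's conntrack code) that classifies a constructed packet sequence as NEW, ESTABLISHED, RELATED, INVALID or UNTRACKED using the rules given above (first packet is NEW with or without SYN, a reply matched on the inverted port tuple makes the flow ESTABLISHED, an ICMP error is RELATED only to a known flow, NOTRACK yields UNTRACKED) and then applies the usual stateful policy of accepting ESTABLISHED/RELATED, admitting NEW only for chosen services and dropping INVALID; the IP addresses, ports and the allowed-services set are assumptions.

```python
"""Model of the conntrack states the slides describe (added example, not the
kernel's code). Flows are keyed by their 5-tuple; a packet matching the
inverted tuple is the reply that turns NEW into ESTABLISHED (the 'inverted
port numbers' check UDP tracking relies on). Addresses and the packet
sequence in demo_sequence() are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False           # informative only: NEW does not require a SYN
    icmp_error_for: Optional["Packet"] = None   # inner packet quoted by an ICMP error
    notrack: bool = False       # matched a NOTRACK rule in the raw table


def tuple_of(p: Packet) -> Tuple:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def inverted(t: Tuple) -> Tuple:
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)


class Conntrack:
    """flows maps an original-direction tuple -> True once a reply has been seen."""

    def __init__(self) -> None:
        self.flows = {}

    def _find(self, t: Tuple):
        """(original tuple, is_reply) for a known flow, else None."""
        if t in self.flows:
            return t, False
        if inverted(t) in self.flows:
            return inverted(t), True
        return None

    def forget(self, p: Packet) -> None:
        """A NEW entry is only confirmed if the packet is accepted; discard it otherwise."""
        self.flows.pop(tuple_of(p), None)

    def classify(self, p: Packet) -> str:
        if p.notrack:
            return "UNTRACKED"      # raw table opted this packet out of tracking
        if p.proto == "icmp" and p.icmp_error_for is not None:
            # ICMP error: RELATED if it quotes a flow we track, INVALID otherwise
            known = self._find(tuple_of(p.icmp_error_for)) is not None
            return "RELATED" if known else "INVALID"
        hit = self._find(tuple_of(p))
        if hit is None:
            self.flows[tuple_of(p)] = False     # first packet of a flow: NEW, SYN or not
            return "NEW"
        orig, is_reply = hit
        if is_reply:
            self.flows[orig] = True             # traffic seen both ways -> ESTABLISHED
        return "ESTABLISHED" if self.flows[orig] else "NEW"


ALLOWED_NEW = {("tcp", 22), ("udp", 53)}   # services clients may open through the gateway


def stateful_verdict(ct: Conntrack, p: Packet) -> Tuple[str, str]:
    """Typical stateful chain: ACCEPT ESTABLISHED/RELATED, ACCEPT NEW only toward
    ALLOWED_NEW services, DROP everything else (INVALID and UNTRACKED included)."""
    state = ct.classify(p)
    if state in ("ESTABLISHED", "RELATED"):
        return state, "ACCEPT"
    if state == "NEW" and (p.proto, p.dport) in ALLOWED_NEW:
        return state, "ACCEPT"
    if state == "NEW":
        ct.forget(p)                            # a dropped NEW packet leaves no entry
    return state, "DROP"


def demo_sequence() -> List[Tuple[str, str]]:
    """Constructed traffic crossing a gateway that sits between client and server."""
    ct = Conntrack()
    client, server = "198.51.100.7", "192.0.2.10"
    syn = Packet("tcp", client, 40000, server, 22, syn=True)
    packets = [
        syn,                                               # NEW, allowed service
        Packet("tcp", server, 22, client, 40000),          # SYN/ACK reply -> ESTABLISHED
        Packet("udp", client, 53001, server, 53),          # DNS query: NEW, allowed
        Packet("udp", server, 53, client, 53001),          # inverted ports -> ESTABLISHED
        Packet("tcp", client, 40001, server, 80),          # mid-stream ACK: still NEW, dropped
        Packet("icmp", server, 0, client, 0, icmp_error_for=syn),            # RELATED
        Packet("icmp", server, 0, client, 0,
               icmp_error_for=Packet("tcp", client, 9, server, 9)),           # INVALID
        Packet("udp", client, 5000, server, 5000, notrack=True),             # UNTRACKED
    ]
    return [stateful_verdict(ct, p) for p in packets]
```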