LINUX® Netfilter
The Linux Firewall Engine
Overview
LINUX® Netfilter is a firewall engine built into the Linux kernel.
It is sometimes called “iptables”, after the command-line tool used to configure Netfilter.
Constructs
Netfilter makes use of the following constructs to define firewall policy:
– Table
– Chain
– Rule
– Target
Tables
Tables contain Chains.
There are currently four (4) tables used by Netfilter:
– raw
– mangle
– nat
– filter
The default table is filter (the filter and nat tables are the most commonly used).
Chains
Chains contain Rules.
Chains can be user-defined.
There are default chains associated with each table:
– PREROUTING
– INPUT
– FORWARD
– OUTPUT
– POSTROUTING
The filter table only has INPUT, FORWARD, and OUTPUT. The nat table has PREROUTING and POSTROUTING.
Chains (Cont)
The INPUT chain filters packets routed to the OS.
The FORWARD chain filters packets routed through the OS.
The OUTPUT chain filters packets sent from the OS.
When working with a host firewall we use the INPUT chain.
When working with a network firewall we use the FORWARD chain.
Rules
Rules within a chain are evaluated sequentially.
A rule defines which packets it applies to (a match) and the action to take on them (a target).
Example: Match packets from and DROP
Targets
A target is the action taken on a packet that is matched by a rule.
A target can be a user-defined chain (useful if you want to perform more than one action on matched traffic).
Common targets:
– ACCEPT
– DROP
– REJECT
– LOG
Each chain has a default policy, which is applied in the event that no rule is matched. The default policy can be ACCEPT, REJECT, or DROP.
By default, the default policy for a chain is ACCEPT.
Packet Flow
Packets flow through the tables and chains in a precise order.
Within a chain, each rule is evaluated sequentially until a match is found and an action (target) is taken.
Connection Tracking
To provide Stateful Packet Inspection (SPI) we need a way to track the state of packets.
Netfilter implements this through connection tracking.
For all traffic that flows through Netfilter, the state of each packet is kept.
Common states:
– NEW
– ESTABLISHED
– RELATED
Stateful Packet Inspection
Common practice is to block all incoming requests by default and allow all outgoing requests by default.
But how do we allow the return traffic? By matching against packet state.
Commonly implemented as: Match state RELATED,ESTABLISHED, target ACCEPT
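Added example (not from the original slides): a minimal stateful host firewall on the INPUT chain of the filter table, putting the packet-flow, connection-tracking and SPI slides above into one script. The allowed SSH port is an assumption; set DRY_RUN=1 to print the iptables commands instead of executing them (applying for real requires root).

```shell
#!/bin/sh
# Stateful host firewall (added example, not part of the original slides).
# DRY_RUN=1 prints each iptables command instead of running it.

SSH_PORT="${SSH_PORT:-22}"   # assumption: the one inbound service we allow

# Wrapper around iptables so the ruleset can be reviewed without root.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_host_firewall() {
    # Start from a clean INPUT chain and drop any user-defined chains.
    ipt -F INPUT
    ipt -X

    # Default policies. A chain policy can only be a built-in target such as
    # ACCEPT or DROP; "iptables -P INPUT REJECT" is refused by the tool, so a
    # reject-by-default policy is done with an explicit last rule instead.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Rules are evaluated top to bottom and the first match wins, so loopback
    # and return traffic for connections this host started go first: this is
    # the "match state RELATED,ESTABLISHED, target ACCEPT" rule from the slides
    # (-m state --state is the older spelling of -m conntrack --ctstate).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Packets conntrack cannot place in any connection are dropped early.
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # New inbound connections that are explicitly allowed: SSH only.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # Rate-limited log of whatever falls through; the DROP policy then applies.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
}

# Only apply when run as "sh firewall.sh apply", so sourcing has no side effects.
if [ "${1:-}" = "apply" ]; then
    apply_host_firewall
fi
```

Review the output of `DRY_RUN=1 sh firewall.sh` (after sourcing and calling `apply_host_firewall`) before applying it over a remote session: with the policy set to DROP, the RELATED,ESTABLISHED rule is what keeps the current SSH connection alive.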
NAT
Network Address Translation: re-writing of the source and destination IP addresses in packets.
Implemented in Netfilter as targets in the nat table.
Types of NAT:
– SNAT (Source NAT)
– DNAT (Destination NAT)
– MASQUERADE (SNAT by interface instead of by IP)
NAT (Cont)
DHCP on WAN interface: MASQ
Static IP for NAT: SNAT
Port forwarding: DNAT
One-to-one NAT: SNAT and DNAT for a single IP
(Note: incoming traffic must be allowed in the FORWARD chain)
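Added example (not from the original slides): a small NAT router that masquerades LAN traffic out a DHCP-addressed WAN interface and port-forwards TCP 80 to an internal web server with DNAT, including the FORWARD rules the note above calls for. The interface names, LAN prefix and web server address are assumptions; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# NAT router: MASQUERADE outbound, DNAT one port inbound (added example).
# DRY_RUN=1 prints each iptables command instead of running it.

WAN_IF="${WAN_IF:-eth0}"                   # assumption: DHCP-addressed WAN
LAN_IF="${LAN_IF:-eth1}"                   # assumption
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # assumption
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"   # assumption: DNAT target

ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_nat_router() {
    # Traffic crossing this box is decided in FORWARD, not INPUT.
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -t nat -F

    # Outbound: SNAT by interface (MASQUERADE) because the WAN address can change.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Port forwarding: DNAT runs in PREROUTING, before the routing decision,
    # so FORWARD later sees the rewritten (internal) destination address.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER":80

    # FORWARD: return traffic, new LAN-to-WAN connections, and the forwarded
    # service. Without the last rule the DNAT alone achieves nothing, because
    # the translated packet still has to pass the FORWARD policy (DROP).
    ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_SERVER" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
}

# The kernel must also be told to forward at all; skipped in dry-run mode.
enable_forwarding() {
    [ "${DRY_RUN:-0}" = "1" ] || sysctl -w net.ipv4.ip_forward=1
}

if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    apply_nat_router
fi
```

The FORWARD rule for the web server matches on the post-DNAT destination (the internal address), which is the most common mistake when a port forward "does not work": the nat rule is correct but the filter rule was written against the public address.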
Packet Matching
When creating rules for IP it is most common to match by:
– Source address (or network)
– Destination address (or network)
– Protocol and destination port (example: TCP port 80)
This requires that you understand the traffic you’re attempting to create a rule for.
Advanced Topics
The mangle table can be used to change packet properties (such as TTL or QoS tagging).
It can also be used to mark packets so that Linux can match the traffic for routing or QoS policy.
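Added example (not from the original slides): using the mangle table to mark HTTP traffic and to rewrite the TTL, then routing the marked packets through a second routing table with an ip rule. The mark value, routing table number, alternate gateway and WAN interface are assumptions; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# mangle table: MARK for policy routing, TTL rewrite (added example).
# DRY_RUN=1 prints each command instead of running it.

MARK="${MARK:-1}"                    # assumption: fwmark value
ROUTE_TABLE="${ROUTE_TABLE:-100}"    # assumption: routing table id
ALT_GATEWAY="${ALT_GATEWAY:-10.0.0.1}"   # assumption: second uplink
WAN_IF="${WAN_IF:-eth0}"             # assumption

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_policy_routing() {
    # mangle PREROUTING runs before the routing decision, so a mark set here
    # can change which routing table a forwarded packet is looked up in.
    run iptables -t mangle -F PREROUTING
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark "$MARK"

    # Packet property change: normalise the TTL of everything leaving the WAN.
    run iptables -t mangle -A POSTROUTING -o "$WAN_IF" -j TTL --ttl-set 64

    # Policy routing: packets carrying the mark use their own table, which
    # has its own default route. (ip rule add is not idempotent; re-running
    # this adds a duplicate rule, so delete the old one first on re-apply.)
    run ip rule add fwmark "$MARK" table "$ROUTE_TABLE"
    run ip route add default via "$ALT_GATEWAY" table "$ROUTE_TABLE"
}

if [ "${1:-}" = "apply" ]; then
    apply_policy_routing
fi
```

The same fwmark can also be matched by traffic-control filters for QoS, which is the second use of marking the slide mentions; the mark never leaves the host, it only lives in the kernel's per-packet metadata.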
More Reading
Oskar Andreasson’s Iptables How-To: tutorial/iptables-tutorial.html