netfilter
● Linux Kernel 2.4 and later – a heavy improvement over ipchains (2.2.x) and ipfwadm (2.0.x)
● Callback function hooks on the network stack
● Stateless/stateful packet filtering (IPv4 and IPv6)
● Network address and port translation, e.g. NAT/NAPT
● OSI Layer 2 (Link)
nftables
● Replaces the existing {ip,ip6,arp,eb}_tables infrastructure
● Different syntax
● Compatibility layer for iptables
● Generic maps and concatenation → drastically reduce the number of rules
● Since Linux Kernel 3.13
Hook Points
Allow you to process packets…
● PREROUTING – arriving on an interface, after checksum validation
● INPUT – before delivery to a local process
● FORWARD – going from one interface to another (important for routers!)
● POSTROUTING – before leaving an interface
● OUTPUT – after being generated by a local process
Chains
● Each table has chains, by default empty
● A chain is comprised of rules
● Chain default policy: ACCEPT, DROP
● All user-defined chains end with RETURN
Rules
● ACLs
● Evaluated top to bottom
● One or more matching criteria + target (action)
● The first rule whose matching criteria are satisfied wins (ordering!)
● No match criteria → all packets are considered
● No target → PacketCounter++ and ByteCounter++
Targets
● ACCEPT – let the packet through to the next stage of processing. Stop traversing the current chain
● DROP – discontinue processing entirely. Do not check against any other rule, table or chain. (Stealth!)
● REJECT – same as DROP, but provide feedback (example: icmp-host-prohibited)
● QUEUE – send the packet to user space (i.e. code not in the kernel; development)
● RETURN – discontinue processing this user-defined chain and return to where it previously left off
Applications
● Packet filtering – examining packets at various stages and making decisions on how they should be handled
● Accounting – monitor network traffic volumes by checking packet counts and byte sizes
● Connection tracking – matching related packets (example: FTP control/data transfer)
● Packet mangling – modifying packet headers (net address, port, …) or payload
Applications
● NAT (Network Address Translation)
  – Overwrite source/destination address/port
  – SNAT (Source), DNAT (Destination), connection tracking
● Masquerading – special type of SNAT: the computer rewrites packets to make them appear as if they come from itself
  – Share an internet connection with a dynamic IP
● Port-forwarding – type of DNAT. The firewall accepts traffic to itself, but rewrites the packets to be destined to another machine.
  – Replies are rewritten as well, to look like they come from the firewall itself
● Load-balancing – distributing connections across a group of internal hosts for higher throughput.
  – Example: port-forwarding where the destination address is selected in a round-robin fashion
Good to know
● iptables rules are not persistent → remember to save! (/etc/sysconfig/iptables, service iptables save)
● /etc/sysctl.conf → net.ipv4.ip_forward = 1
Let's take a look
● Try pinging 192.168.123.10
● Try pinging from the VM to google.com
● Try pinging from the VM to 8.8.8.8
● Which table and chain are causing this?
  – Filter and OUTPUT
Organizing with User Chains
● iptables -I INPUT -j blacklist
● What would happen if we placed that rule under the second rule? (state RELATED,ESTABLISHED)
  – Only replies accepted if initiated by us
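Added example, not from the slides, covering the Chains/Rules/Targets slides and the user-chain question above. It builds a stateful INPUT policy with a user-defined blacklist chain and then replays the -A/-I commands to show the order in which the kernel will actually evaluate INPUT, depending on where the jump is inserted. With IPT_DRY_RUN=1 (the default) the iptables commands are printed instead of executed, so the ruleset can be inspected without root; IPT_DRY_RUN=0 applies it. The 10.66.0.0/16 range is a constructed example, not an address from the slides.

```shell
#!/bin/sh
# Added example (not from the slides): stateful INPUT policy + "blacklist" user chain.
# IPT_DRY_RUN=1 (default) prints the iptables commands; IPT_DRY_RUN=0 runs them (root).
: "${IPT_DRY_RUN:=1}"
ipt() {
    if [ "$IPT_DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# $1 = position at which the jump to "blacklist" is inserted into INPUT
# (1 = top of the chain, 3 = below the RELATED,ESTABLISHED rule)
firewall_rules() {
    pos=${1:-1}
    ipt -P INPUT DROP                       # default policy for packets no rule matched
    ipt -N blacklist                        # user chain; falls off the end with an implicit RETURN
    ipt -A blacklist -s 10.66.0.0/16 -j DROP   # constructed "known bad" range
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -I INPUT "$pos" -j blacklist        # on RETURN, evaluation continues with the next INPUT rule
}

# Replay the emitted -A/-I commands for INPUT and print the effective rule order:
# -A appends at the end, -I <n> shifts everything from position n down by one.
effective_input_order() {
    firewall_rules "$1" | awk '
        $2 == "-A" && $3 == "INPUT" { rule[++n] = $0 }
        $2 == "-I" && $3 == "INPUT" {
            p = ($4 ~ /^[0-9]+$/) ? $4 : 1
            for (i = n; i >= p; i--) rule[i + 1] = rule[i]
            rule[p] = $0; n++
        }
        END { for (i = 1; i <= n; i++) print i ": " rule[i] }'
}

echo "== jump to blacklist inserted at position 1 (checked before RELATED,ESTABLISHED):"
effective_input_order 1
echo "== jump inserted at position 3 (below RELATED,ESTABLISHED):"
echo "   a blacklisted host can no longer open new connections, but replies to sessions we initiated still pass"
effective_input_order 3
```

Note that the first match wins, so the position of the jump decides whether the blacklist is consulted before or after the conntrack rule; the rule that was typed last (-I) ends up evaluated first.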
Port-Forwarding
● Service running on 127.0.0.1:1234
● Can we reach it from the outside?
  – Not without port forwarding :)
● Which tables and chains are involved?
  – NAT PREROUTING
  – FILTER INPUT! Remember the flow!
  – * Depending on the destination, FILTER FORWARD
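Added example, not from the slides, showing both destinations the slide hints at: the service bound to 127.0.0.1:1234 on the firewall itself (nat PREROUTING → filter INPUT) and the same service on an internal host (nat PREROUTING → filter FORWARD). DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 executes them as root. eth0, 192.168.123.0/24 and the loopback service port come from the slides; 192.168.123.20 is a constructed internal host. The route_localnet sysctl is the kernel knob that allows DNAT to a loopback address on traffic entering a real interface.

```shell
#!/bin/sh
# Added example (not from the slides): two port-forwarding variants.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them (root).
: "${DRY_RUN:=1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

WAN_IF=eth0
PORT=1234

# Variant 1: the service listens only on the firewall's loopback.
# Flow: nat PREROUTING (DNAT) -> routing decision -> filter INPUT.
# Without route_localnet the kernel treats a packet DNATed to 127.0.0.1 that
# arrived on eth0 as martian and drops it, so enable it on the ingress interface.
forward_to_loopback() {
    run sysctl -w net.ipv4.conf.$WAN_IF.route_localnet=1
    run iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $PORT \
        -j DNAT --to-destination 127.0.0.1:$PORT
    # filter INPUT already sees the rewritten destination address
    run iptables -A INPUT -i $WAN_IF -d 127.0.0.1 -p tcp --dport $PORT \
        -m state --state NEW -j ACCEPT
}

# Variant 2: the service runs on an internal host (constructed address); the
# firewall routes the packet on. Flow: nat PREROUTING (DNAT) -> routing ->
# filter FORWARD -> nat POSTROUTING. Conntrack reverses the DNAT on replies,
# so no extra rule is needed for the return direction.
forward_to_host() {
    target=192.168.123.20
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $PORT \
        -j DNAT --to-destination $target:$PORT
    run iptables -A FORWARD -i $WAN_IF -d $target -p tcp --dport $PORT \
        -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

echo "== service on the firewall's loopback:"
forward_to_loopback
echo "== service on an internal host:"
forward_to_host
```

Whichever variant applies, the filter rule must match the post-DNAT destination, which is why a FORWARD rule is needed as soon as the target is another machine.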
MASQUERADING OR SNAT?
● Don't forget: sysctl -w net.ipv4.ip_forward=1
● iptables -t nat -A POSTROUTING -o eth0 -s 192.168.123.0/24 -j MASQUERADE
● iptables -t nat -A POSTROUTING -s 192.168.123.0/24 -o eth0 -j SNAT --to-source 10.0.2.15
● Masquerading: we don't know the source address ahead of time, or it can change, so we bind to the interface.
  – No intervention needed, but slight overhead
● SNAT: we know the source address and it is static.
  – No (added) overhead; needs intervention should the address change
Load Balancing
● Services A, B and C listening on ports 8081, 8082 and 8083 respectively. Make them available on port 8080
● Haven't we seen this before?
  – NAT PREROUTING DNAT + FILTER INPUT (or FORWARD)
  – -m statistic
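Added example, not from the slides: round-robin DNAT with the statistic match, generalised to any number of backends. It generates one PREROUTING rule per backend using `--mode nth`, plus the filter INPUT rule that lets the rewritten packets reach the backend ports. DRY_RUN=1 (the default) prints the rules; DRY_RUN=0 applies them as root. The three backends are assumed to be the slide's services listening on the firewall's own address 10.0.2.15 (the address from the SNAT slide).

```shell
#!/bin/sh
# Added example (not from the slides): round-robin DNAT via -m statistic --mode nth.
# DRY_RUN=1 (default) prints the rules; DRY_RUN=0 runs them (root).
: "${DRY_RUN:=1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

FRONT_PORT=8080

# lb_rules BACKEND... : one rule per backend (host:port).
# With N backends still to choose from, "--every N --packet 0" takes every Nth
# packet that reaches the rule: the first rule takes 1/3 of all connections,
# the second 1/2 of what is left, the last rule takes the remainder unconditionally.
# The nat table is only consulted for the first packet of a connection, so the
# nth counter effectively counts new connections, not every packet of a stream.
lb_rules() {
    remaining=$#
    for backend in "$@"; do
        if [ "$remaining" -gt 1 ]; then
            run iptables -t nat -A PREROUTING -p tcp --dport $FRONT_PORT \
                -m statistic --mode nth --every $remaining --packet 0 \
                -j DNAT --to-destination "$backend"
        else
            run iptables -t nat -A PREROUTING -p tcp --dport $FRONT_PORT \
                -j DNAT --to-destination "$backend"
        fi
        remaining=$((remaining - 1))
    done
}

# Filter side: after DNAT the packets are addressed to the backend ports, so
# INPUT (local backends, as assumed here) or FORWARD (remote backends) must accept them.
lb_filter_rules() {
    run iptables -A INPUT -p tcp --dport 8081:8083 -m state --state NEW -j ACCEPT
}

echo "== nat PREROUTING:"
lb_rules 10.0.2.15:8081 10.0.2.15:8082 10.0.2.15:8083
echo "== filter INPUT:"
lb_filter_rules
```

Because rule order matters, the unconditional rule must come last: placed first it would catch every connection and the statistic rules would never be reached.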