Understand the iptables step by step
0 likes757 views
The document discusses iptables and network packet filtering. It begins with an introduction of the presenter and overview of iptables. It then covers how iptables works, including the tables, chains and communication between userspace and kernelspace. It discusses common iptables commands like flush and check. It also covers iptables extensions, how they are implemented in both userspace and kernelspace, and provides an example of custom TCP matching. The presentation aims to explain how the iptables userspace tools interact with the kernelspace netfilter system and custom extensions can be added.
Understand the iptables step by step
- 2. COSCUP2018 x openSUSE.Asia GNOME.Asia I am Hung-Wei Chiu Co-organizer of SDNDS-TW Co-organizer of CNTUUG I love Linux Network/Kubernetes/SDN You can find me at: blog.hwchiu.com
- 3. COSCUP2018 x openSUSE.Asia GNOME.Asia How Many People Known Iptables?
- 4. COSCUP2018 x openSUSE.Asia GNOME.Asia Network Interface Card PREROUUTING Network Interface Card POSTROUUTING INPUT OUTPUT INPUT OUTPUT FORWARDRouting Routing LOCAL PROCESS DNAT
- 5. COSCUP2018 x openSUSE.Asia GNOME.Asia We Don’t Focus On Those Table/Chain Today
- 6. COSCUP2018 x openSUSE.Asia GNOME.Asia User Space Kernel Space iptables ebtables application netlink/system call Kernel netfilter system Network Interface Card Network Interface Card
- 7. COSCUP2018 x openSUSE.Asia GNOME.Asia iptables, a command-line tool
- 8. COSCUP2018 x openSUSE.Asia GNOME.Asia iptables Home: ○ https://www.netfilter.org/downloads.ht ml Git ○ git://git.netfilter.org/iptables.git
- 9. COSCUP2018 x openSUSE.Asia GNOME.Asia We Focus On What Will Happen For Each Command
- 10. COSCUP2018 x openSUSE.Asia GNOME.Asia Do You Have Meet The Following Message?
- 11. COSCUP2018 x openSUSE.Asia GNOME.Asia Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
- 12. COSCUP2018 x openSUSE.Asia GNOME.Asia Whathappen iptables command needs a communication between user and kernel space. It need a lock to make sure the consistence iptables will exit if it can’t acquire the lock by default. Use the –w option to wait the lock.
- 13. COSCUP2018 x openSUSE.Asia GNOME.Asia Let Read The Source Code
- 18. COSCUP2018 x openSUSE.Asia GNOME.Asia So, We Know The Iptables Use The File Lock
- 19. COSCUP2018 x openSUSE.Asia GNOME.Asia Do You Meet The Duplicated Rules ?
- 21. COSCUP2018 x openSUSE.Asia GNOME.Asia How Could We Solve This?
- 22. COSCUP2018 x openSUSE.Asia GNOME.Asia solution Custom chain ○ Use the ‘-F’ to flush all rules. Check before inserting rule ○ Use the ‘-C’ to check. Modify the iptables to avoid duplicated rules.
- 24. COSCUP2018 x openSUSE.Asia GNOME.Asia How Could We Solve This?
- 29. COSCUP2018 x openSUSE.Asia GNOME.Asia Now, Let We Learn How To Flush The Rules.
- 31. COSCUP2018 x openSUSE.Asia GNOME.Asia First, we need to know how iptables works with kernel?
- 33. COSCUP2018 x openSUSE.Asia GNOME.Asia libiptc Library which manipulates firewall rules Use the system call to interact with kernel ○ GetSocketOpt ○ SetSocketOpt Maintain a cache for each iptables command.
- 34. COSCUP2018 x openSUSE.Asia GNOME.Asia workflows Initial the libiptc to fetch all current rules. Store those rules into a local cache Operates rules in that cache Commit the change to the kernel.
- 35. COSCUP2018 x openSUSE.Asia GNOME.Asia workflows Initial the libiptc to fetch all current rules. In the iptables, we use a handle (xtc_handle) to represent the cache.
- 36. COSCUP2018 x openSUSE.Asia GNOME.Asia initlibiptc Initial the libiptc to fetch all current rules.
- 40. COSCUP2018 x openSUSE.Asia GNOME.Asia Now, we have the cache of the current rules.
- 41. COSCUP2018 x openSUSE.Asia GNOME.Asia Let We Flush Rules
- 46. COSCUP2018 x openSUSE.Asia GNOME.Asia Now, We Have Remove Rules From Cache
- 48. COSCUP2018 x openSUSE.Asia GNOME.Asia We Commit The Change After Any Commands
- 53. COSCUP2018 x openSUSE.Asia GNOME.Asia Now, We Have Flush The Rules.
- 54. COSCUP2018 x openSUSE.Asia GNOME.Asia Now, Let’s See What’s The Extension
- 55. COSCUP2018 x openSUSE.Asia GNOME.Asia Custom Match Field –m tcp –dport 1234
- 56. COSCUP2018 x openSUSE.Asia GNOME.Asia Custom Target Field –j AUDIT –type accept
- 57. COSCUP2018 x openSUSE.Asia GNOME.Asia User Space Kernel Space iptables extensions netlink/system call Kernel netfilter system Network Interface Card Network Interface Card extensions extensions extensions Kernel module Kernel module Kernel module Kernel module
- 58. COSCUP2018 x openSUSE.Asia GNOME.Asia Architecture For each extension, you need to prepare two things. User-space library to parse the command. Kernel-space module to implement that function.
- 59. COSCUP2018 x openSUSE.Asia GNOME.Asia For User-Space, iptables command should know how to parse arguments.
- 62. COSCUP2018 x openSUSE.Asia GNOME.Asia Howtoread Function ○ DNAT (upper) -> target ○ tcp (lower) -> match File naming Old style ○ libipt_ -> ipv4 ○ libip6t -> ipv6 New Style ○ libxt -> ipv4/ipv6
- 63. COSCUP2018 x openSUSE.Asia GNOME.Asia Now, We Take The Custom Match TCP as Example
- 68. COSCUP2018 x openSUSE.Asia GNOME.Asia For Kernel-Space, There’re Some Kernel Modules In The System.
- 76. COSCUP2018 x openSUSE.Asia GNOME.Asia summary The iptables system includes the user-space tool and kernel-space system. We focus on how user-space tools works today.
- 77. COSCUP2018 x openSUSE.Asia GNOME.Asia iptables iptables need a file lock to protect the rules. iptables use the library (libiptc) to control the rules via system call. You can extend the iptables by implement the extension match/target function.
- 78. COSCUP2018 x openSUSE.Asia GNOME.Asia User Space Kernel Space iptables extensions netlink/system call Kernel netfilter system Network Interface Card Network Interface Card extensions extensions extensions Kernel module Kernel module Kernel module Kernel module
- 79. COSCUP2018 x openSUSE.Asia GNOME.Asia Extenstion For each iptables extension module, you should both user-space and kernel-space. Please make sure the kernel version consistent Use—Space ○ Implement the arguments and store the data into pre-defined structure. Kernel-Space ○ Implement the match function