IP Filter



  • What is an IP Filter?
  • What can an IP Filter do?
  • Filters and Firewalls
  • Linux Filtering
  • IP Chains
  • Netfilter
  • Tables vs. Chains
  • Packet Traversal
  • Filter Targets
  • Netfilter in my kernel
  • Iptables Tool

  • What is an IP Filter?



  • Method to monitor an IP stream.
  • Allows actions on packets.

  • What can an IP Filter do?



  • Accept packets
  • Reject packets
  • Drop packets
  • Network Address Translation (NAT)
  • Masquerade packets

  • Filters and Firewalls



  • Firewall controls access to host or network
  • Firewall does not mean security
  • Firewall is not a filter implementation
  • Firewall is a list of filter rules to Accept, Reject and Drop packets

  • Linux Filtering



  • BSD based filter system, ipfwadm (ip firewall administration)
  • Linux 2.2, IP Chains
  • Linux 2.4, Netfilter

  • IP Chains



  • Total rewrite of the linux filtering code
  • New way of doing things
  • Introduced the concept of a chain
  • Allowed users/administrators more flexibility

  • Netfilter



  • Another rewrite of the linux ip filter code
  • Added even more flexibility
  • Introduced the concept of a table
  • Kept the concept of a chain
  • Added NAT support
  • Most advanced filtering package of any OS

  • Tables vs. Chains



    What is the difference between a table and a chain?

  • A table is a collection of chains
  • A chain is a fall through list of filter rules

  • Should I be using a table or a chain?

  • Tables are for special uses
  • Chains allow for easier understanding of flow

  • Packet Traversal



    What pre-defined tables are there?

  • nat
  • filter
  • What pre-defined chains are there?

  • nat
    • PREROUTING
    • POSTROUTING
  • filter
    • INPUT
    • FORWARD
    • OUTPUT
  • How do packets traverse the filter?

  • All packets traverse the nat table
  • Packets then traverse the chains of the filter table
  • What happens in the nat table?

  • Before a routing decision is made packets pass the PREROUTING chain
  • A routing decision is made
  • Packets pass the POSTROUTING chain
  • What happens in the filter table?

  • Packets destined for the local machine pass the INPUT chain
  • Packets from local processes pass through the OUTPUT chain
  • Packets destined for a non-local network interface pass the FORWARD chain

  • Filter Targets



    What Targets are available?

  • ACCEPT
  • DENY
  • DROP
  • SNAT
  • DNAT
  • MASQUERADE
  • LOG
  • User defined chain (in the same table)
  • What targets are usable in what chains?

  • All targets other than the NAT targets (SNAT, DNAT, MASQUERADE) are valid in all chains
  • DNAT is usable only in the PREROUTING chain
  • SNAT is usable only in the POSTROUTING chain
  • MASQUERADE is usable only in the POSTROUTING chain

  • Netfilter and my Kernel



    What kernel modules do I need?

  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_TARGET_MASQUERADE
  • CONFIG_IP_NF_TARGET_LOG

  • Iptables Tool



    Things to specify

  • Table
  • Chain
  • Source address or network
  • Destination address or network
  • Protocol
  • Source or destination ports
  • Target
  • How do I specify

  • table -t
  • chain -A or -I
  • Source -s
  • Destination -d
  • Protocol -p
  • Destination port --dport or --destination-port
  • Source port --sport or --source-port
  • Target -j
  • Example

    Block all incoming TCP packets for port 80 from 192.168.146.202
    iptables -A INPUT -p tcp -s 192.168.146.202 --dport 80 -j DROP
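    The slides above describe packet traversal (PREROUTING before the routing decision, then INPUT or FORWARD), chains as fall-through lists, user-defined chains, and the iptables options used to express a rule. The following is an added example, not code from the slides or from the netfilter project: a small Python model that renders rules with the option names listed above (reproducing the example rule exactly) and walks a packet through the chains with first-match semantics. It assumes simplified behaviour: LOG does not end the walk, a user-defined chain that matches nothing returns to the calling chain, a chain that matches nothing falls back to its policy, and DNAT rewrites only the destination address. All addresses, chain names and rules in it are constructed for illustration.

```python
"""Toy model of netfilter traversal and iptables rule rendering (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Targets that end the walk through a chain; REJECT is iptables' reject target.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None
    sport: Optional[int] = None


@dataclass
class Rule:
    chain: str
    target: str
    table: str = "filter"
    src: Optional[str] = None       # address or CIDR network (-s)
    dst: Optional[str] = None       # address or CIDR network (-d)
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport
    sport: Optional[int] = None     # --sport
    to_dst: Optional[str] = None    # DNAT --to-destination (address only, assumed)

    def matches(self, pkt: Packet) -> bool:
        """Every specified field must match; unspecified fields match anything."""
        if self.src and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        return True

    def to_iptables(self) -> str:
        """Render the rule as an iptables command line using the options from the slides."""
        parts = ["iptables"]
        if self.table != "filter":
            parts += ["-t", self.table]
        parts += ["-A", self.chain]
        if self.proto:
            parts += ["-p", self.proto]
        if self.src:
            parts += ["-s", self.src]
        if self.dst:
            parts += ["-d", self.dst]
        if self.sport is not None:
            parts += ["--sport", str(self.sport)]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.target]
        if self.to_dst:
            parts += ["--to-destination", self.to_dst]
        return " ".join(parts)


class Firewall:
    def __init__(self, local_addrs, policy=None):
        self.local = set(local_addrs)          # addresses owned by this host
        self.rules = []
        self.policy = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT",
                       **(policy or {})}
        self.log = []                          # what the LOG target would record

    def add(self, rule: Rule):
        self.rules.append(rule)

    def _run_chain(self, table: str, chain: str, pkt: Packet):
        """Walk one chain top to bottom; the first terminal match decides."""
        for r in self.rules:
            if r.table != table or r.chain != chain or not r.matches(pkt):
                continue
            if r.target == "LOG":              # non-terminating: note it and keep going
                self.log.append(f"{chain}: {pkt}")
                continue
            if r.target == "DNAT":             # rewrite destination, walk ends here
                pkt.dst = r.to_dst
                return "DNAT"
            if r.target in TERMINAL:
                return r.target
            # Otherwise the target is a user-defined chain in the same table: jump into
            # it and resume here if it falls through without a verdict.
            verdict = self._run_chain(table, r.target, pkt)
            if verdict is not None:
                return verdict
        return None                            # fell off the end of the chain

    def process(self, pkt: Packet, from_local: bool = False) -> str:
        """Return the final verdict for a packet entering (or leaving) this host."""
        if from_local:
            chain = "OUTPUT"
        else:
            self._run_chain("nat", "PREROUTING", pkt)   # before the routing decision
            chain = "INPUT" if pkt.dst in self.local else "FORWARD"  # routing decision
        return self._run_chain("filter", chain, pkt) or self.policy[chain]


def build_example_firewall() -> Firewall:
    fw = Firewall(local_addrs={"192.168.146.1"}, policy={"INPUT": "DROP", "FORWARD": "DROP"})
    # The slides' example: block incoming TCP port 80 from one host.
    fw.add(Rule("INPUT", "DROP", proto="tcp", src="192.168.146.202", dport=80))
    # Log the rest of the LAN, then hand it to a user-defined chain (constructed name).
    fw.add(Rule("INPUT", "LOG", src="192.168.146.0/24"))
    fw.add(Rule("INPUT", "lan-web", src="192.168.146.0/24"))
    fw.add(Rule("lan-web", "ACCEPT", proto="tcp", dport=80))
    # DNAT in nat/PREROUTING changes the destination before routing, so the packet
    # is forwarded instead of delivered locally (constructed internal host).
    fw.add(Rule("PREROUTING", "DNAT", table="nat", proto="tcp", dport=8080, to_dst="10.0.0.5"))
    fw.add(Rule("FORWARD", "ACCEPT", dst="10.0.0.5", proto="tcp", dport=8080))
    return fw
```

Walking a packet from 192.168.146.50 to port 22 through this set shows the fall-through behaviour: the LOG rule fires, the jump into lan-web matches nothing, control returns to INPUT, and the chain policy DROP decides.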

    References



  • Linux 2.4 Packet Filtering HOWTO
  • Linux 2.4 NAT HOWTO