In-depth understanding of iptables and netfilter architecture

Published at 2019-02-18 | Last Update

Translator's Preface

This is a translation of a 2015 English blog post, A Deep Dive into Iptables and Netfilter Architecture.

The original gives a fairly comprehensive introduction to the design of iptables and netfilter. The one thing missing is the classic diagram showing each hook point in the kernel protocol stack together with the iptables rule priorities, which is added here (from Wikipedia):

In addition, this article is about theory; the following one is focused on practice (doing NAT with iptables):

  1. (Translation) NAT - Network Address Translation

It can be used as supplementary reading to this article.

Given the translator's limited ability, errors and omissions are hard to avoid. If in doubt, consult the original text.

The following is a translation.


Foreword

Firewalls are an important tool for protecting servers and infrastructure. In the Linux ecosystem, iptables is a very widely used firewall tool, built on the kernel's packet filtering framework, netfilter. Administrators and users who do not understand the architecture of these systems may be unable to create reliable firewall policies, partly because the iptables syntax is quite challenging, and partly because the netfilter framework underneath has become rather intricate.

This article takes the reader deep into the iptables framework, so that anyone who needs to build a firewall policy has a more complete picture. We discuss how iptables interacts with netfilter, and how its components are organized into a comprehensive filtering and mangling system.

1. What are IPTables and Netfilter?

The most commonly used firewall tool on Linux is iptables. It does its work by interacting with packet filtering hooks inside the kernel's network protocol stack. These kernel hooks make up the netfilter framework.

Every packet entering the network subsystem (received or sent) triggers these hooks as it passes through the protocol stack, and programs can register handler functions at the hooks to process traffic at key points along its path. The kernel modules associated with iptables register handlers at these hook points, so that traffic is checked against the rules configured in iptables.

2. Netfilter Hooks

netfilter provides five hook points. As a packet passes through the protocol stack it triggers the kernel modules that have registered handlers at these hooks. Which hooks a packet triggers depends on its direction (incoming or outgoing), its destination address, and whether it was dropped or rejected at a previous hook point.

The following hooks are defined in the kernel's IP stack:

  • NF_IP_PRE_ROUTING: triggered as soon as a received packet enters the protocol stack, before any routing decision (where to send the packet) has been made
  • NF_IP_LOCAL_IN: triggered after a received packet has been routed, if its destination is the local host
  • NF_IP_FORWARD: triggered after a received packet has been routed, if its destination is another host
  • NF_IP_LOCAL_OUT: triggered as soon as a locally generated packet enters the protocol stack for transmission
  • NF_IP_POST_ROUTING: triggered after routing, just before a forwarded or locally generated packet is put on the wire

A priority must be supplied when registering a handler, so that when the hook fires the handlers can be called in priority order. This lets multiple modules (or multiple instances of the same kernel module) register at the same hook point with a well-defined processing order. Each kernel module is called in turn and returns a verdict to the netfilter framework saying what should be done with the packet.

3. IPTables Tables and Chains

iptables organizes rules into tables according to the type of decision they are used to make. For example, a rule that performs network address translation goes into the nat table; a rule that decides whether a packet may continue on to its destination goes into the filter table.

Within each table, rules are further organized into chains. Built-in chains are triggered by the built-in netfilter hooks; the chain basically determines when a rule is evaluated.

As can be seen below, the built-in chain names correspond one to one with the netfilter hook names:

  • PREROUTING: triggered by the NF_IP_PRE_ROUTING hook
  • INPUT: triggered by the NF_IP_LOCAL_IN hook
  • FORWARD: triggered by the NF_IP_FORWARD hook
  • OUTPUT: triggered by the NF_IP_LOCAL_OUT hook
  • POSTROUTING: triggered by the NF_IP_POST_ROUTING hook

Chains let the administrator control where in a packet's delivery path a policy is applied. Because each table has several chains, a table can take effect at several points in the processing. Certain types of rules only make sense at certain points in the protocol stack, so not every table registers a chain at every kernel hook.

There are only five netfilter hooks in total, so the chains of the different tables are all registered at these same points. For example, three tables have a PREROUTING chain. When these chains are registered at the NF_IP_PRE_ROUTING hook they specify a priority, which decides in what order the PREROUTING chain of each table is called, from highest to lowest priority. We will return to the question of chain priority shortly.

4. Table Types

Let's look at the tables iptables provides. Tables are classified by the type of rule they hold.

4.1 Filter Table

The filter table is the most commonly used table; it is used to decide whether a packet is allowed to continue to its destination.

In firewall terminology this is called "filtering" packets. This table provides most of the functionality people associate with a firewall.

4.2 NAT Table

The nat table is used to implement network address translation rules.

As packets enter the protocol stack, these rules decide whether and how to modify the packet's source or destination address, changing how the packet is routed. The nat table is typically used to route packets to networks that are not directly reachable.

4.3 Mangle Table

The mangle table is used to modify IP packet headers.

For example, it can change a packet's TTL, increasing or decreasing the number of hops the packet may go through.

This table can also put an internal kernel "mark" on a packet, which later tables or tools can use. The mark does not modify the packet itself; it is only a label attached to the packet inside the kernel.

4.4 Raw Table

iptables is a stateful firewall: the decision made about each packet depends on decisions made about packets seen earlier.

The connection tracking feature built on netfilter lets iptables see packets as part of an ongoing connection or session rather than as a stream of separate, unrelated packets. The connection tracking logic is applied very soon after a packet arrives on a network interface.

The raw table has a very narrowly defined function: its only purpose is to provide a way to mark packets so that they bypass connection tracking.

4.5 Security Table

The security table is used to set SELinux security context marks on packets, which affects how SELinux, or other systems that can interpret SELinux security contexts, handle the packet. These marks may be applied per packet or per connection.

5. The Chains Implemented by Each Table

Having discussed tables and chains separately, let's see which chains each table has. We will also discuss the priority of the different chains registered at the same hook. For example, if three tables have a PREROUTING chain, in what order are they invoked?

The following table shows the relationship between tables and chains. Tables are the rows, chains are the columns, and ✓ means the table has that chain. For example, the second row shows that the raw table has PREROUTING and OUTPUT chains. Reading down any column, the order from top to bottom is the order in which the chains (of the corresponding tables) are called when that netfilter hook fires.

A few points need explanation. In the table below the nat table is split into DNAT (modifying the destination address) and SNAT (modifying the source address), so that their priorities can be shown more clearly. We have also added rows for the routing decision and for connection tracking, to make the whole flow more complete:

Tables/Chains           PREROUTING  INPUT  FORWARD  OUTPUT  POSTROUTING
(routing decision)                                  ✓
raw                     ✓                           ✓
(connection tracking)   ✓                           ✓
mangle                  ✓           ✓      ✓        ✓       ✓
nat (DNAT)              ✓                           ✓
(routing decision)      ✓                           ✓
filter                              ✓      ✓        ✓
security                            ✓      ✓        ✓
nat (SNAT)                          ✓               ✓       ✓

When a packet triggers a netfilter hook, processing proceeds down the corresponding column from top to bottom. Which hook (column) fires depends on the packet's direction (ingress or egress), the routing decision, and the filtering conditions.

Certain events cause a table's chain to be skipped. For example, only the first packet of a connection is evaluated against the NAT rules; the decision made for that packet is applied to all subsequent packets of the connection. Reply packets belonging to the connection automatically get the NAT applied in the reverse direction.

Chain traversal priority

Assuming the server knows how to route the packet and the firewall rules allow it through, a packet traverses the following chains in the different scenarios:

  • Received packet destined for the local host: PREROUTING -> INPUT
  • Received packet destined for another host: PREROUTING -> FORWARD -> POSTROUTING
  • Locally generated packet: OUTPUT -> POSTROUTING

Combining this with the table ordering discussed above, a received packet destined for the local host first passes through the raw, mangle and nat tables on the PREROUTING chain, then through the mangle, filter, security and nat tables on the INPUT chain, and only then reaches a local socket.
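As an added example (not part of the original post), the following Python model encodes the table from section 5 and derives the (chain, table) pairs a packet is evaluated against from its direction and the routing decision; following the note on NAT above, it also skips the nat table for packets that are not the first of their connection. Table and chain names are the real iptables ones; the function and dictionary names are this example's own.

```python
# Tables registered on each built-in chain, highest priority first (the column
# order of the table above). Entries in parentheses are kernel steps, not tables.
CHAIN_ORDER = {
    "PREROUTING":  ["raw", "(conntrack)", "mangle", "nat(DNAT)", "(route)"],
    "INPUT":       ["mangle", "filter", "security", "nat(SNAT)"],
    "FORWARD":     ["mangle", "filter", "security"],
    "OUTPUT":      ["(route)", "raw", "(conntrack)", "mangle", "nat(DNAT)",
                    "(route)", "filter", "security", "nat(SNAT)"],
    "POSTROUTING": ["mangle", "nat(SNAT)"],
}


def chains_for(direction, local_destination):
    """Built-in chains hit by a packet. direction is 'in' (received on an
    interface) or 'out' (generated locally); local_destination is the outcome
    of the routing decision for a received packet (ignored for 'out')."""
    if direction == "out":
        return ["OUTPUT", "POSTROUTING"]
    if local_destination:
        return ["PREROUTING", "INPUT"]
    return ["PREROUTING", "FORWARD", "POSTROUTING"]


def traversal(direction, local_destination, first_packet=True):
    """(chain, table) pairs in evaluation order. Kernel steps are omitted, and
    the nat tables are consulted only for the first packet of a connection;
    later packets reuse that decision (see the note on NAT above)."""
    path = []
    for chain in chains_for(direction, local_destination):
        for step in CHAIN_ORDER[chain]:
            if step.startswith("("):
                continue
            if step.startswith("nat") and not first_packet:
                continue
            path.append((chain, step))
    return path


def tables_on(path, chain):
    """Only the table names a path visits on one chain."""
    return [table for c, table in path if c == chain]
```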

6. IPTables Rules

Rules are placed in a specific chain of a specific table. When the chain is called, the packet is matched against the rules in the chain one by one. Each rule has a matching part and an action part.

6.1 Matching

The matching part of a rule specifies the conditions a packet must meet in order to be associated with the action to be executed (the "target").

The matching system is very flexible, and its capabilities can be greatly extended through iptables extensions. Rules can match on protocol type, destination or source address, destination or source port, destination or source network, incoming or outgoing interface, protocol headers, connection state and more. These can be combined into very complex rules that distinguish between different kinds of network traffic.

6.2 Targets

The action triggered when a packet meets a rule's conditions is called a target. Targets come in two types:

  • Terminating targets: such a target ends the matching in the chain and returns control to the netfilter hook. Depending on the return value, the hook either drops the packet or lets it proceed to the next stage of processing
  • Non-terminating targets: a non-terminating target performs an action and then continues evaluation of the chain. Although every chain eventually ends in a terminating target, any number of non-terminating targets may be executed before that

Which targets a rule may jump to depends on the context; for example, the table and chain may make certain targets available or unavailable. The extensions activated in a rule and its match conditions also affect which targets are available.

7. Jumping to User-Defined Chains

Here we introduce a special kind of non-terminating target: the jump target. A jump target is an action that jumps to another chain to continue processing. We have discussed many built-in chains, which are tightly tied to the netfilter hooks that call them. However, iptables also lets administrators create their own chains for organizational purposes.

Rules are added to user-defined chains in the same way as to built-in chains. The difference is that a user-defined chain can only be reached by jumping to it from another rule, because it is not registered at any netfilter hook.

A user-defined chain can be seen as an extension of the chain that called it. For example, when a user-defined chain reaches its end, it can return to the netfilter hook, or it can jump on to yet another user-defined chain.

This design gives the framework powerful branching capabilities, letting administrators organize larger and more complex sets of rules.
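As an added example (not part of the original post), here is a minimal Python model of how rules, targets and user-defined chains interact within one table: ACCEPT, DROP and REJECT are terminating, LOG is non-terminating, "JUMP x" enters user-defined chain x, and RETURN (or reaching the end of a user-defined chain) hands control back to the caller, while a built-in chain that reaches its end applies its policy. The rule set and the helper names are constructed for this example.

```python
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def src_in(prefix):                # match: source address in a prefix
    return lambda p: p["src"].startswith(prefix)


def tcp_dport(port):               # match: TCP destination port
    return lambda p: p["proto"] == "tcp" and p.get("dport") == port


def evaluate(chains, policies, chain, pkt, log, depth=0):
    """Walk `chain` for `pkt`; returns a verdict, or None when a user-defined
    chain finishes without one. LOG hits are appended to `log`."""
    if depth > 8:                  # iptables rejects jump loops at load time
        raise RuntimeError("jump loop")
    for match, target in chains[chain]:
        if not match(pkt):
            continue
        if target == "LOG":        # non-terminating: act, then keep going
            log.append((chain, pkt["src"]))
        elif target == "RETURN":   # back to the caller (or to the policy)
            break
        elif target in TERMINATING:
            return target
        elif target.startswith("JUMP "):
            verdict = evaluate(chains, policies, target[5:], pkt, log, depth + 1)
            if verdict is not None:
                return verdict     # the callee hit a terminating target
    return policies.get(chain)     # built-in: its policy; user-defined: None


# Constructed rule set: management hosts get their own chain for SSH.
CHAINS = {
    "INPUT": [
        (src_in("10.0.0."), "JUMP mgmt"),
        (tcp_dport(22), "LOG"),
        (tcp_dport(22), "DROP"),
        (tcp_dport(443), "ACCEPT"),
    ],
    "mgmt": [
        (tcp_dport(22), "ACCEPT"),
        (lambda p: True, "RETURN"),
    ],
}
POLICIES = {"INPUT": "DROP"}       # user-defined chains have no policy


def verdict_for(pkt, log=None):
    """Evaluate pkt against the INPUT chain of this rule set."""
    return evaluate(CHAINS, POLICIES, "INPUT", pkt, [] if log is None else log)
```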

8. IPTables and Connection Tracking

When discussing the raw table and matching on connection state, we introduced the connection tracking system built on top of netfilter. Connection tracking lets iptables make rule decisions based on the context of a connection rather than on a single packet, giving iptables stateful operation.

Connection tracking starts working very soon after a packet enters the protocol stack. Very little happens before a packet is assigned to a connection: only the raw table is checked and some basic sanity checks are performed.

The tracking system compares the packet with the existing connections. If the connection the packet belongs to already exists, its state is updated; otherwise a new connection is created. If a chain in the raw table marks the packet with the NOTRACK target, the packet skips the connection tracking system.

Connection states

The connection states in the connection tracking system are:

  • NEW: if an arriving packet cannot be associated with any existing connection but is valid, a new connection is created for it. This applies both to connection-aware protocols such as TCP and to connectionless protocols such as UDP

  • ESTABLISHED: when a connection receives a valid packet in the reply direction, its state changes from NEW to ESTABLISHED. For TCP this valid packet is the SYN/ACK; for UDP and ICMP it is a packet whose source and destination IPs are the reverse of the original packet's

  • RELATED: the packet does not belong to an existing connection but is related to one. This may be a helper connection, such as an FTP data transfer connection, or an ICMP reply to a connection attempt by another protocol

  • INVALID: the packet does not belong to an existing connection and, for some reason, cannot be used to create a new one, for example because it cannot be identified or routed

  • UNTRACKED: if the packet was marked with the UNTRACKED target in the raw table, it does not enter the connection tracking system

  • SNAT: a virtual state a packet enters after its source address has been modified by NAT. The connection tracking system uses it to reverse the translation on reply packets

  • DNAT: a virtual state a packet enters after its destination address has been modified by NAT. The connection tracking system uses it to reverse the translation on reply packets

These states pinpoint where a packet is in the lifecycle of a connection, letting administrators write finer-grained, more widely applicable and more secure rules.
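As an added example (not part of the original post), the following Python model reproduces the NEW, ESTABLISHED, INVALID and UNTRACKED transitions described above for TCP and UDP. It is not the kernel's conntrack: flows are keyed by the (proto, src, sport, dst, dport) tuple of their original direction, a packet matching the reversed key is treated as a reply, RELATED is not modelled, and all names and sample packets are this example's own.

```python
def flow_key(p):
    return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])


def reverse_key(k):
    proto, src, sport, dst, dport = k
    return (proto, dst, dport, src, sport)


class Conntrack:
    def __init__(self):
        self.flows = {}            # original-direction key -> state

    def classify(self, p, notrack=False):
        """Return the connection state a rule matching on state would see."""
        if notrack:                # marked in the raw table: bypasses tracking
            return "UNTRACKED"
        key = flow_key(p)
        if key in self.flows:      # more traffic in the original direction
            return self.flows[key]
        rev = reverse_key(key)
        if rev in self.flows:      # reply direction of a known flow
            if (p["proto"] == "tcp" and self.flows[rev] == "NEW"
                    and p.get("flags") != "SYN/ACK"):
                return "INVALID"   # the first TCP reply must be the SYN/ACK
            self.flows[rev] = "ESTABLISHED"
            return "ESTABLISHED"
        if p["proto"] == "tcp" and p.get("flags") != "SYN":
            # A TCP connection must begin with a SYN in this strict model
            # (the real conntrack can optionally pick up mid-stream flows).
            return "INVALID"
        self.flows[key] = "NEW"    # valid first packet: a new connection
        return "NEW"
```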

9. Summary

The netfilter packet filtering framework and the iptables firewall are the foundation of most firewall solutions on Linux servers. netfilter's kernel hooks are tightly integrated with the protocol stack, giving powerful control over packets as they pass through the system. The iptables firewall builds on these capabilities to provide a flexible, extensible way of translating policy requirements into the kernel. Understanding how these different parts fit together lets you use them to control and secure your server environment.

For more on how to use iptables, see this tutorial.

Origin www.cnblogs.com/taosiyu/p/12024999.html