
iptables

master
test2 5 years ago
parent
commit
ca6f2afd2d
  1. 2   sec/ex-3_iptables.adoc
  2. 96  sec/ex-3a_iptables-flow-chart.adoc

2
sec/ex-3_iptables.adoc

@ -126,7 +126,7 @@ Some packets
- while other packets are generated by local processes; hence start at **Local Process** and proceed downward through the flowchart. - while other packets are generated by local processes; hence start at **Local Process** and proceed downward through the flowchart.
A detailed explanation [https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TRAVERSINGOFTABLES here]. A detailed explanation http://docs.swarmlab.io/lab/sec/ex-3a_iptables-flow-chart.adoc[here].
==== ====
In the vast majority of use cases you won't need to use the **raw**, **mangle**, or **security** tables at all. In the vast majority of use cases you won't need to use the **raw**, **mangle**, or **security** tables at all.
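Review bot: the replacement link on the "A detailed explanation" line downgrades the scheme: `http://docs.swarmlab.io/lab/sec/ex-3a_iptables-flow-chart.adoc[here]` replaces an https URL, so readers following it now fetch the lab page in plaintext; use `https://docs.swarmlab.io/...` if the site serves it. The switch to the AsciiDoc macro form `url[text]` (instead of the wiki-style `[url text]` of the removed line, which AsciiDoc does not render as a link) is correct. Consider keeping the removed frozentux tutorial link alongside the new one, since the new flow-chart page refers to a "state machine chapter" that does not exist in this lab, and the forwarded and locally generated packet cases mentioned two lines above in this hunk are not covered by the new page either.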

96
sec/ex-3a_iptables-flow-chart.adoc

@ -0,0 +1,96 @@
= Iptables - Traversing of tables and chains!
Apostolos rootApostolos@swarmlab.io
// Metadata:
:description: Intro and Install
:keywords: sec, tcpdump
:data-uri:
:toc: right
:toc-title: Πίνακας περιεχομένων
:toclevels: 4
:source-highlighter: highlight
:icons: font
:sectnums:
include::header.adoc[]
{empty} +
== General
When a packet first enters the firewall, it hits the hardware and then gets passed on to the proper device driver in the kernel.
Then the packet starts to go through a series of steps in the kernel, before it is either sent to the correct application (locally), or forwarded to another host - or whatever happens to it.
== Destination local host (our own machine)
.Destination local host
|===
|Step| Table| Chain| Comment
|1| | | On the wire (e.g., Internet)
|2| | | Comes in on the interface (e.g., eth0)
|3| raw| PREROUTING| This chain is used to handle packets before the connection tracking takes place. It can be used to set a specific connection not to be handled by the connection tracking code for example.
|4| | | This is when the connection tracking code takes place as discussed in the The state machine chapter.
|5| mangle| PREROUTING| This chain is normally used for mangling packets, i.e., changing TOS and so on.
|6| nat| PREROUTING| This chain is used for DNAT mainly. Avoid filtering in this chain since it will be bypassed in certain cases.
|7| | | Routing decision, i.e., is the packet destined for our local host or to be forwarded and where.
|8| mangle| INPUT| At this point, the mangle INPUT chain is hit. We use this chain to mangle packets, after they have been routed, but before they are actually sent to the process on the machine.
|9| filter| INPUT| This is where we do filtering for all incoming traffic destined for our local host. Note that all incoming packets destined for this host pass through this chain, no matter what interface or in which direction they came from.
|10| | | Local process or application (i.e., server or client program).
|===
[appendix]
== How to use iptables
Shorewall is not the easiest to use of the available iptables configuration tools but I believe that it is the most flexible and powerful.
It can handle complex and fast changing network environments.
It needs multiple configuration files, even for simple setups.
Suitable for powerusers! - Most likely there are a lot of these among our Students :-)
Shorewall is very popular!
https://wiki.archlinux.org[Origin]
:hardbreaks:
{empty} +
{empty} +
{empty}
:!hardbreaks:
'''
.Reminder
[NOTE]
====
:hardbreaks:
Caminante, no hay camino,
se hace camino al andar.
Wanderer, there is no path,
the path is made by walking.
*Antonio Machado* Campos de Castilla
====
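Review bot: the header metadata does not match the content of the new file: `:description: Intro and Install` and `:keywords: sec, tcpdump` look copied from another page and should describe table and chain traversal (for example `:description: Traversing of iptables tables and chains` and `:keywords: sec, iptables, netfilter`). In the table, step 4 reads "as discussed in the The state machine chapter": the duplicated "the" aside, no such chapter exists in this file, so either link to the chapter it means or drop the cross-reference. The title promises "Traversing of tables and chains" but only the destination-local-host case is tabulated; the forwarded and locally generated cases that the parent page (`ex-3_iptables.adoc`) sends readers here for are missing, so at least note that they are not yet covered. The `[appendix]` section titled "How to use iptables" describes Shorewall rather than iptables, and `https://wiki.archlinux.org[Origin]` points at the wiki root rather than the page the text was taken from; retitle the section and link the exact source page. Minor: the stray trailing "!" in the document title, and "Suitable for powerusers! - Most likely there are a lot of these among our Students :-)" reads as a draft note rather than lab text.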