= Iptables - Traversal of tables and chains!
Apostolos rootApostolos@swarmlab.io
// Metadata:
:description: Intro and Install
:keywords: sec, tcpdump
:data-uri:
:toc: right
:toc-title: Πίνακας περιεχομένων
:toclevels: 4
:source-highlighter: highlight
:icons: font
:sectnums:
include::header.adoc[]
{empty} +
== General
When a packet first enters the firewall, it hits the hardware and then gets passed on to the proper device driver in the kernel.
The packet then goes through a series of steps in the kernel before it is either delivered to the correct local application, forwarded to another host, or dropped.
== Destination local host (our own machine)
.Destination local host
|===
|Step| Table| Chain| Comment
|1| | | On the wire (e.g., Internet)
|2| | | Comes in on the interface (e.g., eth0)
|3| raw| PREROUTING| This chain is used to handle packets before the connection tracking takes place. It can be used to set a specific connection not to be handled by the connection tracking code for example.
|4| | | This is where the connection tracking code runs, as discussed in the state machine chapter.
|5| mangle| PREROUTING| This chain is normally used for mangling packets, i.e., changing TOS and so on.
|6| nat| PREROUTING| This chain is used for DNAT mainly. Avoid filtering in this chain since it will be bypassed in certain cases.
|7| | | Routing decision, i.e., is the packet destined for our local host or to be forwarded and where.
|8| mangle| INPUT| At this point, the mangle INPUT chain is hit. We use this chain to mangle packets, after they have been routed, but before they are actually sent to the process on the machine.
|9| filter| INPUT| This is where we do filtering for all incoming traffic destined for our local host. Note that all incoming packets destined for this host pass through this chain, no matter what interface or in which direction they came from.
|10| | | Local process or application (i.e., server or client program).
|===
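The table above is easier to reason about when the traversal is run step by step. The following is an added example, not part of the original page and not iptables or Shorewall code: a small Python simulation of the local-destination path. It models three behaviours the table only hints at: a NOTRACK target in raw PREROUTING makes the packet skip connection tracking (and therefore NAT), the nat table is consulted only for the first packet of a connection (later packets of the same flow are translated by conntrack and bypass nat PREROUTING, which is why filtering there is unreliable), and filter INPUT sees the post-DNAT destination port. Rule syntax, the flow key and the sample addresses are simplified constructions for the illustration.

```python
# Added example: toy simulation of netfilter traversal for packets destined
# to the local host. Not iptables code; tables, chains and matches are simplified.
from dataclasses import dataclass, field

# Order of the steps a locally destined packet passes, as in the table above.
TRAVERSAL = [
    ("raw", "PREROUTING"),
    ("conntrack", None),        # kernel step, not a table
    ("mangle", "PREROUTING"),
    ("nat", "PREROUTING"),
    ("routing", None),          # kernel step, not a table
    ("mangle", "INPUT"),
    ("filter", "INPUT"),
]


@dataclass
class Rule:
    table: str
    chain: str
    match: dict          # e.g. {"dport": 80}; an empty dict matches everything
    target: str          # ACCEPT, DROP, NOTRACK, or "DNAT:<port>"


@dataclass
class Firewall:
    rules: list
    # connection tracking table: flow key -> DNAT'ed port (None if no NAT)
    conntrack: dict = field(default_factory=dict)

    def _run_chain(self, table, chain, pkt):
        """Walk one chain in order; first matching rule decides (policy ACCEPT)."""
        for rule in self.rules:
            if (rule.table, rule.chain) != (table, chain):
                continue
            if not all(pkt.get(k) == v for k, v in rule.match.items()):
                continue
            if rule.target.startswith("DNAT:"):
                pkt["dport"] = int(rule.target.split(":", 1)[1])
                return "DNAT"
            if rule.target == "NOTRACK":
                pkt["notrack"] = True
            return rule.target
        return "policy ACCEPT"

    def traverse(self, packet):
        """Return (final verdict, list of steps) for one locally destined packet."""
        pkt = dict(packet, notrack=False)
        trail = []
        new_conn = True
        key = None
        for table, chain in TRAVERSAL:
            if table == "conntrack":
                if pkt["notrack"]:
                    trail.append("conntrack: skipped (NOTRACK)")
                    continue
                key = (pkt["src"], pkt["dst"], pkt["dport"])
                new_conn = key not in self.conntrack
                if new_conn:
                    self.conntrack[key] = None
                elif self.conntrack[key] is not None:
                    # conntrack re-applies the DNAT recorded for this flow
                    pkt["dport"] = self.conntrack[key]
                trail.append("conntrack: " + ("NEW" if new_conn else "ESTABLISHED"))
                continue
            if table == "routing":
                trail.append("routing: local delivery")
                continue
            if table == "nat" and (pkt["notrack"] or not new_conn):
                # nat is only consulted for the first packet of a tracked connection
                trail.append("nat/PREROUTING: bypassed")
                continue
            verdict = self._run_chain(table, chain, pkt)
            trail.append(f"{table}/{chain}: {verdict}")
            if verdict == "DNAT" and key is not None:
                self.conntrack[key] = pkt["dport"]   # remember mapping for the flow
            if verdict == "DROP":
                return "DROP", trail
        return "ACCEPT", trail


def demo():
    """Constructed ruleset and packets; returns traversal results for three packets."""
    fw = Firewall(rules=[
        Rule("raw", "PREROUTING", {"dport": 53}, "NOTRACK"),
        Rule("nat", "PREROUTING", {"dport": 80}, "DNAT:8080"),
        Rule("filter", "INPUT", {"dport": 8080}, "ACCEPT"),
        Rule("filter", "INPUT", {"dport": 80}, "DROP"),   # never hit: filter sees post-DNAT port
        Rule("filter", "INPUT", {"dport": 53}, "ACCEPT"),
    ])
    web = {"src": "203.0.113.7", "dst": "192.0.2.10", "dport": 80}   # constructed sample
    dns = {"src": "203.0.113.7", "dst": "192.0.2.10", "dport": 53}   # constructed sample
    return fw.traverse(web), fw.traverse(web), fw.traverse(dns)


if __name__ == "__main__":
    for verdict, trail in demo():
        print(verdict, "<-", " | ".join(trail))
```

Running it shows the first web packet hitting nat/PREROUTING with DNAT and being accepted on port 8080, the second packet of the same flow being marked ESTABLISHED by conntrack and bypassing nat entirely, and the DNS packet skipping both conntrack and nat because of the NOTRACK rule in raw.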
[appendix]
== How to use iptables
Shorewall is not the easiest to use of the available iptables configuration tools, but I believe that it is the most flexible and powerful.
It can handle complex and fast-changing network environments.
It needs multiple configuration files, even for simple setups.
Suitable for power users! Most likely there are a lot of these among our students :-)
Shorewall is very popular!
https://wiki.archlinux.org[Origin]
:hardbreaks:
{empty} +
{empty} +
{empty}
:!hardbreaks:
'''
.Reminder
[NOTE]
====
:hardbreaks:
Caminante, no hay camino,
se hace camino al andar.
Wanderer, there is no path,
the path is made by walking.
*Antonio Machado* Campos de Castilla
====