March 3, 2008, 4:41 p.m.
posted by whitehat
Packet Processing in iptables

All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each table is dedicated to a particular kind of packet handling and is made up of one or more packet transformation/filtering chains. Three tables matter here (a fourth, raw, exists for exempting traffic from connection tracking, but it is rarely needed in a home setup). The first is the mangle table, which is used to alter packet headers, most commonly the Type of Service / DSCP quality-of-service bits in the IP header (not the TCP header). It is hardly used in a home or SOHO environment. The second is the filter table, which does the actual packet filtering. It has three built-in chains in which you place your firewall policy rules:

INPUT: packets addressed to the firewall itself
FORWARD: packets routed through the firewall from one network to another
OUTPUT: packets generated by the firewall itself
The third table is the nat table, which is responsible for network address translation. It has three built-in chains, and the packet flow below passes through all of them:

PREROUTING: destination NAT (DNAT), applied before the routing decision
POSTROUTING: source NAT (SNAT or MASQUERADE), applied after routing, just before the packet leaves
OUTPUT: DNAT for packets generated by the firewall itself

The figure provides more details on each table.
You need to specify the table and the chain for each firewall rule you create. There is one exception: most rules are filtering rules, so iptables assumes that any rule added without a table specified (the -t option) belongs to the filter table. The filter table is therefore the default. To make this clearer, take a look at the way packets are handled by iptables. In the figure, a TCP packet from the Internet arrives at the firewall's interface on Network A to open a connection.

Figure. A diagram of the iptables packet flow.
The packet is first examined by your rules in the mangle table's PREROUTING chain, if any. It is then inspected by the rules in the nat table's PREROUTING chain to see whether it requires DNAT. Only then is the routing decision made, using the possibly rewritten destination address; this is why a packet that was DNATed to an internal host is handled by the FORWARD chain and never by INPUT. If the packet is destined for a protected network, it is filtered by the rules in the FORWARD chain of the filter table and then, if necessary, undergoes SNAT in the nat table's POSTROUTING chain before arriving at Network B. When the destination server replies, the reply undergoes the same sequence of steps in the opposite direction; the nat table is only consulted for the first packet of a connection, and connection tracking reverses the translation for the reply automatically.

If the packet is destined for the firewall itself, it is filtered by the rules in the INPUT chain of the filter table before being handed to the intended application on the firewall. At some point, the firewall needs to reply. This reply is inspected by your rules in the OUTPUT chain of the mangle table, if any. The rules in the OUTPUT chain of the nat table then determine whether address translation is required, and the rules in the OUTPUT chain of the filter table are inspected before the packet passes through POSTROUTING and is routed back to the Internet. It is now time to discuss the ways in which you add rules to these chains.
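The traversal order described above, as an added example that is not part of the original post: a small Python model that walks a packet through the tables and chains in the order iptables uses, so you can see why a DNATed packet lands in FORWARD rather than INPUT and where SNAT is applied. The table and chain names are real iptables names; the addresses (203.0.113.1 on Network A, 192.168.1.0/24 as the protected Network B, 192.168.1.10 as a published web server), the rule language and the policy are constructed stand-ins, not iptables syntax, so it runs offline without root.

```python
"""Model of the iptables table/chain traversal order (added example, constructed ruleset)."""
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, List, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    trace: List[str] = field(default_factory=list)  # "table/CHAIN" in visiting order


# Assumed addresses: the firewall's Internet side (Network A) and LAN side (Network B).
FIREWALL_WAN = "203.0.113.1"
FIREWALL_LAN = "192.168.1.1"
WEB_SERVER = "192.168.1.10"  # protected host published with DNAT
LAN = "192.168.1."

# A rule is (match, action). An action returns a verdict ("ACCEPT"/"DROP") or a
# rewritten Packet (the NAT targets). As in iptables, the first match wins.
Action = Callable[[Packet], object]
Rule = Tuple[Callable[[Packet], bool], Action]


def dnat(to: str) -> Action:
    return lambda p: replace(p, dst=to)


def snat(to: str) -> Action:
    return lambda p: replace(p, src=to)


def accept(_: Packet) -> str:
    return "ACCEPT"


def from_lan(p: Packet) -> bool:
    return p.src.startswith(LAN)


# Constructed home-router policy, keyed by (table, chain).
RULES: Dict[Tuple[str, str], List[Rule]] = {
    ("nat", "PREROUTING"): [(lambda p: p.dst == FIREWALL_WAN and p.dport == 80, dnat(WEB_SERVER))],
    ("filter", "FORWARD"): [(lambda p: p.dst == WEB_SERVER and p.dport == 80, accept),
                            (from_lan, accept)],
    ("filter", "INPUT"): [(lambda p: from_lan(p) and p.dport == 22, accept)],
    ("nat", "POSTROUTING"): [(from_lan, snat(FIREWALL_WAN))],
}
# Built-in chain policies. Only the filter table is meant to filter, so chains
# in the other tables fall through to ACCEPT when nothing matches.
POLICY = {("filter", "INPUT"): "DROP", ("filter", "FORWARD"): "DROP", ("filter", "OUTPUT"): "ACCEPT"}


def run_chain(table: str, chain: str, pkt: Packet) -> Tuple[str, Packet]:
    """Walk one chain: first matching rule decides, otherwise the chain policy applies."""
    pkt.trace.append(f"{table}/{chain}")
    for match, action in RULES.get((table, chain), []):
        if match(pkt):
            result = action(pkt)
            if isinstance(result, Packet):  # NAT target: rewrite the packet and stop
                return "ACCEPT", result
            return result, pkt
    return POLICY.get((table, chain), "ACCEPT"), pkt


def run_chains(tables: Tuple[str, ...], chain: str, pkt: Packet) -> Tuple[str, Packet]:
    for table in tables:
        verdict, pkt = run_chain(table, chain, pkt)
        if verdict == "DROP":
            return "DROP", pkt
    return "ACCEPT", pkt


def receive(pkt: Packet) -> Tuple[str, Packet]:
    """Packet arriving on an interface: PREROUTING, route, then INPUT or FORWARD + POSTROUTING."""
    verdict, pkt = run_chains(("mangle", "nat"), "PREROUTING", pkt)
    if verdict == "DROP":
        return verdict, pkt
    # The routing decision is made after PREROUTING, on the possibly DNATed destination.
    if pkt.dst in (FIREWALL_WAN, FIREWALL_LAN):
        return run_chains(("mangle", "filter"), "INPUT", pkt)
    verdict, pkt = run_chains(("mangle", "filter"), "FORWARD", pkt)
    if verdict == "DROP":
        return verdict, pkt
    return run_chains(("mangle", "nat"), "POSTROUTING", pkt)


def send(pkt: Packet) -> Tuple[str, Packet]:
    """Packet generated by the firewall itself: the OUTPUT chains, then POSTROUTING."""
    verdict, pkt = run_chains(("mangle", "nat", "filter"), "OUTPUT", pkt)
    if verdict == "DROP":
        return verdict, pkt
    return run_chains(("mangle", "nat"), "POSTROUTING", pkt)


if __name__ == "__main__":
    for p in (Packet("198.51.100.7", FIREWALL_WAN, 80), Packet("198.51.100.7", FIREWALL_WAN, 22)):
        verdict, out = receive(p)
        print(verdict, out.src, "->", out.dst, " ".join(out.trace))
```

Running it shows the point the text makes: the web connection from the Internet is rewritten in nat/PREROUTING and then takes the FORWARD path, so no INPUT rule is ever consulted for it, while the SSH attempt to the firewall's public address has nothing to DNAT it, is routed locally, and is dropped by the INPUT policy.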