Netfilter/Nftables

Netfilter is the packet filtering framework inside the Linux kernel. It allows for packet filtering, network address [and port] translation (NA[P]T) and other packet manipulations. It is far more than a simple firewall and very powerful! For Nftables, see the Nftables section further down this wikipage.

Usually the user space programs iptables, ip6tables, ebtables or arptables are utilized to configure the handling of network packets. Please see the scheme Netfilter Components by Jan Engelhardt for an overview of current and future netfilter components.

Note 1: In OpenWrt, bridge firewalling is disabled by default. It can be enabled by editing /etc/sysctl.conf (the example below only passes bridged IPv4 traffic through iptables; set the ip6tables and arptables lines to 1 as well if bridged IPv6 or ARP traffic should be filtered too):
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=1
and then reloading the configuration with
sysctl -p
This is required by the netfilter module "physdev" and also by ebtables.

Installation

Netfilter is included in the kernel and does not have to be installed. The user space programs and the kernel modules are packed into opkg packages; install the ones you need. Always install iptables-mod-*, that way the corresponding kmod-ipt-* is installed as well. See OPKG Netfilter Packages below for the available packages.

Explanation

Please have a look at this most excellent scheme: Netfilter Packet Flow by Jan Engelhardt to understand how a packet traverses netfilter. The green stuff is the domain of iptables and ip6tables, while the blue stuff is being handled by ebtables.

Do not make the mistake of placing your LAN on the left side and the Internet on the right side in your mind. They are both on both sides! When a packet enters the Linux kernel (that is, the ingress buffer of the NIC/WNIC) it always comes in on the left side, regardless of which interface it arrives on. It traverses the network stack and then netfilter, and when it leaves, it always leaves on the right side. While the packet traverses netfilter, netfilter looks for rules that match that network packet. When a rule matches a packet, that rule is applied to that particular packet: the packet is sent to the TARGET specified in that rule. As soon as the network packet matches a rule, this rule is applied to it and the packet stops traversing that table of netfilter! There are a few exceptions to this behavior, e.g. the TARGETs -j LOG, -j CUSTOM_CHAIN or -j MARK, after which the packet continues with the following rules.

Configuration

Netfilter is part of the Linux kernel. The IP packet filter rules in the Linux kernel are being configured by the user space command line tools of netfilter: iptables, ip6tables, ebtables, arptables and ipset. Utilize them as follows:

root@openwrt:~# iptables -A INPUT -j ACCEPT -p tcp --dport  53 #------------------- accept incoming packets on tcp port 53 (DNS)
root@openwrt:~# iptables -A FORWARD -j REJECT -p udp --dport 135:139 #------------- Block outgoing Windows Share
Note: All rules can contain a FQDN (fully qualified domain name) instead of an IP address. But the FQDN is resolved to IP addresses when the rule is executed, and the rules are created using these IP addresses! Thus, if there is a DNS update, the IP addresses resolved at execution time may no longer match the FQDN.
However, such functionality could be realized with ipset and ipset-dns.

Per invocation you can set up only one rule; it is checked for mistakes and, if none are found, the rule is written to the kernel's RAM and is active immediately. An iptables/ip6tables command is composed of two parts: part one always contains the table, a command, and the chain this particular rule belongs to; part two specifies the match(es) and the TARGET. There is always exactly one TARGET, but multiple matches are possible.

Table Command Chain match and TARGET
iptables -t filter -A INPUT -j ACCEPT -p tcp --dport 53 #------------------- accept all incoming packets on TCP port 53 (DNS)
iptables -t filter -A FORWARD -j REJECT -p udp --dport 135:139 #---------------- Block outgoing NetBIOS (Windows Share)
iptables -t filter -A FORWARD -p tcp --dport 22 -m physdev --physdev-in wlan0 --physdev-out eth0.3 -j LOG --log-prefix "22 on wlan" #---- log wlan-clients attempts on ssh
iptables -t nat -A PREROUTING -i $LAN -p tcp --dport 53 -j REDIRECT --to-port 53 #---------------- redirect DNS queries to self on TCP
iptables -t nat -A PREROUTING -i $LAN -p udp --dport 53 -j REDIRECT --to-port 53 #---------------- redirect DNS queries to self on UDP
iptables -t nat -A POSTROUTING -o eth0.2 -d 169.254.1.0/24 -j SNAT --to-source 169.254.1.1 #------ Source-NAT packets with specified destination to specified IP address
iptables -t nat -A POSTROUTING -o $IF_DSL -j MASQUERADE #------------ Source-NAT all Packet leaving on Interface $IF_DSL to the IP address of the router on that Interface
iptables -t mangle -A POSTROUTING -o $IF_DSL -s $IP_USER2 -j TC_USER2 #------------------------------- jump to custom user chain TC_USER2
iptables -t mangle -A TC_USER4 -j CLASSIFY --set-class 1:101 -p udp -m length --length :400
iptables -t mangle -A TC_USER1 -j CLASSIFY --set-class 1:103 -m tos --tos Maximize-Throughput
iptables -t mangle -A POSTROUTING -o $IF_DSL ! -s 192.168.0.0/16 -j TEE --gateway 192.168.1.254 #----- forward a copy to gateway-IP
iptables -t mangle -A PREROUTING -i $IF_DSL -d 192.168.0.0/16 -j TEE --gateway 192.168.1.254 #------- forward a copy to gateway-IP
iptables -t mangle -A PREROUTING -m connbytes --connbytes 504857: --connbytes-dir both --connbytes-mode bytes -j CLASSIFY --set-class 1:303 #---- classify connections that have already transferred 504857 bytes or more (both directions counted)
iptables -t raw -A INPUT ! -i $IF_DSL -j CT --notrack #-------------- don't track anything NOT incoming on interface in variable $IF_DSL
iptables -t raw -A INPUT -i $IF_LAN -s $NET_LAN -p tcp --dport 32777:32780 -j CT --notrack #------ don't track NFS
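As an added example (editor's code, not from the original page), a small Python checker that splits an iptables/ip6tables invocation into the two parts described above (table, command, chain; matches and TARGET) and flags the FQDN pitfall from the note. It only inspects the command line, it never loads a rule; the hostname rule in the test is constructed.

```python
import re
import shlex

# Flag groups from the page: part one names table, command and chain, part two the matches and TARGET.
TABLE_FLAGS = {"-t", "--table"}
COMMAND_FLAGS = {"-A", "--append", "-D", "--delete", "-I", "--insert", "-R", "--replace",
                 "-L", "--list", "-F", "--flush", "-Z", "--zero", "-N", "--new-chain",
                 "-X", "--delete-chain", "-P", "--policy", "-E", "--rename-chain"}
MATCH_FLAGS = {"-m", "--match", "-p", "--protocol"}  # -p tcp/udp loads that match implicitly
TARGET_FLAGS = {"-j", "--jump"}
ADDR_FLAGS = {"-s", "--source", "-d", "--destination"}
ARG_FLAGS = TABLE_FLAGS | COMMAND_FLAGS | MATCH_FLAGS | TARGET_FLAGS | ADDR_FLAGS
# An IPv4 or IPv6 literal with optional prefix length; anything else given to -s/-d is a name.
IP_OR_CIDR = re.compile(r"^(\d{1,3}(\.\d{1,3}){3}|[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*)(/\d{1,3})?$")


def parse_rule(cmdline):
    """Split one iptables/ip6tables invocation into its parts; nothing is loaded into the kernel."""
    argv = shlex.split(cmdline.split("#", 1)[0])  # drop the trailing wiki-style comment
    if argv and argv[0].endswith("tables"):       # skip the program name
        argv = argv[1:]
    rule = {"table": "filter", "command": None, "chain": None,
            "matches": [], "targets": [], "fqdn_addrs": []}
    i = 0
    while i < len(argv):
        flag = argv[i]
        arg = argv[i + 1] if i + 1 < len(argv) else None
        if flag in TABLE_FLAGS:
            rule["table"] = arg
        elif flag in COMMAND_FLAGS:
            rule["command"], rule["chain"] = flag, arg
        elif flag in MATCH_FLAGS:
            rule["matches"].append(arg)
        elif flag in TARGET_FLAGS:
            rule["targets"].append(arg)
        elif flag in ADDR_FLAGS and arg and not arg.startswith("$") and not IP_OR_CIDR.match(arg):
            rule["fqdn_addrs"].append(arg)  # $VAR is a shell variable, so only real names end up here
        i += 2 if flag in ARG_FLAGS else 1   # "!" and options such as --dport 53 are stepped over singly
    return rule


def check_rule(cmdline):
    """Return findings about the rule's shape; an empty list means it looks fine."""
    rule = parse_rule(cmdline)
    findings = []
    if len(rule["targets"]) > 1:
        findings.append("more than one -j TARGET: " + ", ".join(rule["targets"]))
    for name in rule["fqdn_addrs"]:
        findings.append(name + " is a FQDN: resolved once when the rule is loaded, so later "
                        "DNS changes are not picked up (use ipset and ipset-dns instead)")
    return findings
```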

Table: -t filter -t nat -t mangle -t raw

COMMAND: -A --append -D --delete -I --insert -R --replace -L --list -F --flush -Z --zero -N --new-chain -X --delete-chain -P --policy -E --rename-chain

Builtin Chains and user defined chains: INPUT OUTPUT FORWARD PREROUTING POSTROUTING user_defined_CHAIN_1

TARGET: ACCEPT DROP QUEUE RETURN BALANCE CLASSIFY CLUSTERIP CONNMARK CONNSECMARK CONNTRACK DNAT DSCP ECN IPMARK IPV4OPSSTRIP LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE CT REDIRECT REJECT ROUTE SAME SECMARK SET SNAT TARPIT TCPMSS TOS TRACE TTL ULOG XOR

Dependent on the kind of TARGET you need further parameters: -j MARK --set-mark 102
-j TEE reroutes a copy of the packet to the given gateway
-j TARPIT accepts the TCP connection but then holds it open without letting data through
-j DELUDE does the TCP handshake and then closes the connection

match: -i incoming interface, -o outgoing interface
-s source IP address, -d destination IP address
-p protocol, --dport destination port, --sport source port
-m match: the various matches are in different iptables-mod-* packages!
-m mac --mac-source xx:xx:xx:xx:xx:xx source MAC; note that MAC is layer 2
-m mark --mark abc match a packet marked with abc
-m length --length :412 match all packets with a length of less than 412 bytes
-m ttl --ttl-eq 12 -j LOG --log-prefix "IPT TTL=12 "
-m ttl --ttl-gt 12 -j LOG --log-prefix "IPT TTL>12 "
-m ttl --ttl-lt 12 -j LOG --log-prefix "IPT TTL<12 "
-m condition match a flag changeable from userspace
-m geoip match on countries

These were only a very few examples meant to give you a basic grasp of netfilter, which is a huge step! For thorough documentation or some detailed tutorials, please see the Notes.

Examples

You will find some example shell scripts below:

OPKG Netfilter Packages

User space programs

iptables

Name Version Size in Bytes Description
iptables 1.4.10-1 41764 IPv4 firewall administration tool. Manpage: iptables
libxtables 1.4.10-1 10847 IPv4/IPv6 firewall - shared xtables library
libiptc 1.4.10-1 15689 IPv4/IPv6 firewall - shared libiptc library
kmod-ipt-core 2.6.32.27-1 29463 Netfilter core kernel modules

ip6tables

Name Version Size in Bytes Description
ip6tables 1.4.10-1 40255 IPv6 firewall administration tool. Manpage: ip6tables
libxtables 1.4.10-1 10847 IPv4/IPv6 firewall - shared xtables library
libiptc 1.4.10-1 15689 IPv4/IPv6 firewall - shared libiptc library
kmod-ip6tables 2.6.32.27-1 34789 Netfilter IPv6 firewalling support
kmod-ipv6 2.6.32.27-1 156851 Kernel modules for IPv6 support

ebtables

ebtables is no longer available in official releases due to performance implications (https://forum.openwrt.org/viewtopic.php?pid=94379#p94379). Please employ OpenWrt Buildroot if you need ebtables support.
According to jow, the physdev module for iptables is available for 12.09 and any snapshot builds since then.
Name Version Size in Bytes Description
ebtables 2.0.9-2-1 51727 The ebtables program is a filtering tool for a bridging firewall. The filtering is focussed on the Link Layer Ethernet frame fields. Apart from filtering, it also gives the ability to alter the Ethernet MAC addresses and implement a brouter. Manpage: ebtables
kmod-ebtables 2.6.32.27-1 20859 ebtables is a general, extensible frame/packet identification framework. It allows you to do Ethernet filtering/NAT/brouting on the Ethernet bridge.
kmod-ebtables-ipv4 2.6.32.27-1 5376 This option adds the IPv4 support to ebtables, which allows basic IPv4 header field filtering, ARP filtering as well as SNAT, DNAT targets.
kmod-ebtables-ipv6 2.6.32.27-1 2520 This option adds the IPv6 support to ebtables, which allows basic IPv6 header field filtering and target support.
kmod-ebtables-watchers 2.6.32.27-1 7289 This option adds the log watchers, that you can use in any rule in any ebtables table.

arptables

Name Version Size in Bytes Description
arptables 0.0.3-4-1 21321 ARP firewalling software. Manpage: arptables
kmod-arptables 2.6.32.27-1 9102 Kernel modules for ARP firewalling

ipset

Name Version Size in Bytes Description
ipset 6.11-2 56149 IPset administration utility. Manpage: ipset, http://ipset.netfilter.org/
iptables-mod-ipset 1.4.10-4 5787 IPset iptables extensions
kmod-ipt-ipset 3.3.8+6.11-2 82830 IPset netfilter modules

nftables

nftables is the successor of netfilter. Its user space utility nft replaces the entire {ip,eb,arp,ip6}tables user space tool set. It still uses the netfilter architecture for complex extensions and is part of the netfilter project. The command-line user space utility is called nft and there is an API and library interface to it (libnftables). There is also an iptables-to-nft userspace conversion tool which will ease migration. nftables is a major departure in that there is no need for deep protocol awareness in the kernel modules, as everything filter related is handled by a basic virtual machine.

The OpenWrt developers are aware of the nftables developments, and will migrate as soon as OpenWrt adopts a 3.13 kernel. Linux kernel version 3.13 was released on 2014-01-20 (Linux 3.12 released .. and no merge window yet .. and 4.0 plans?).

Modules for match/TARGET

To quickly obtain a current overview type: opkg list iptables-mod-*. Install the user space module; the kernel modules are listed as dependencies and will be installed as well.

Since r30676 iptables-mod-conntrack and iptables-mod-nat are folded into the default package iptables to save on storage memory.
Name Vanilla Size in Bytes Description
User Space Modules
iptables-mod-chaos 2216 CHAOS iptables extension
iptables-mod-condition 2356 Condition iptables extension
iptables-mod-conntrack * 3228 Basic iptables extensions for connection tracking. Includes: - state - raw - NOTRACK
iptables-mod-conntrack-extra 15138 Extra iptables extensions for connection tracking. Includes: - libipt_conntrack - libipt_helper - libipt_connmark/CONNMARK
iptables-mod-delude 1905 DELUDE iptables extension
iptables-mod-extra 7125 Other extra iptables extensions. Includes: - libipt_owner - libipt_physdev - libipt_pkttype - libipt_recent recent
iptables-mod-filter 15347 iptables extensions for packet content inspection. Includes: - libipt_string - libipt_layer7
iptables-mod-hashlimit 5554 iptables extensions for hashlimit matching Includes: - libipt_hashlimit
iptables-mod-imq 2220 iptables extension for IMQ support. Includes: - libipt_IMQ, use its successor ⇒ kmod-ifb
iptables-mod-ipopt 22438 iptables extensions for matching/changing IP packet options. Includes: - libipt_CLASSIFY - libipt_dscp/DSCP - libipt_ecn/ECN - libipt_length - libipt_mac - libipt_mark/MARK - libipt_statistic - libipt_tcpmss - libipt_tos/TOS - libipt_ttl/TTL - libipt_unclean
iptables-mod-ipp2p 3315 IPP2P iptables extension
iptables-mod-iprange 3627 iptables extensions for matching ip ranges. Includes: - libipt_iprange
iptables-mod-ipsec 7002 iptables extensions for matching ipsec traffic. Includes: - libipt_ah - libipt_esp - libipt_policy
iptables-mod-ipset 5673 IPset iptables extensions. Includes: - libipt_set - libipt_SET
iptables-mod-nat * 5105 iptables extensions for basic NAT targets. Includes: - MASQUERADE - SNAT - DNAT
iptables-mod-nat-extra 3877 iptables extensions for extra NAT targets. Includes: - REDIRECT
iptables-mod-rawnat 3179 RAWNAT iptables extension
iptables-mod-tarpit 1903 TARPIT iptables extension
iptables-mod-tproxy 3297 Transparent proxy iptables extensions. Includes: - libxt_socket - libxt_TPROXY
iptables-mod-ulog 3189 iptables extensions for user-space packet logging. Includes: - libipt_ULOG
Kernel Space Modules
kmod-ipt-chaos 3535 CHAOS netfilter module
kmod-ipt-compat-xtables 3531 API compatibility layer netfilter module
kmod-ipt-condition 3750 Condition netfilter module
kmod-ipt-conntrack 1 39749 Netfilter (IPv4) kernel modules for connection tracking Includes: - conntrack - defrag (2.6) - iptables_raw - NOTRACK - state
kmod-ipt-conntrack-extra 11672 Netfilter (IPv4) extra kernel modules for connection tracking Includes: - connbytes - connmark/CONNMARK - conntrack - helper - recent
kmod-ipt-core 1 29463 Netfilter core kernel modules Includes: - comment (2.6) - limit - LOG - mac - multiport - REJECT - TCPMSS
kmod-ipt-delude 2775 DELUDE netfilter module
kmod-ipt-extra 4510 Other Netfilter (IPv4) kernel modules Includes: - condition (2.4 only) - owner - physdev (if bridge support was enabled in kernel) - pkttype - quota
kmod-ipt-filter 10648 Netfilter (IPv4) kernel modules for packet content inspection Includes: - layer7 - string
kmod-ipt-hashlimit 7257 Kernel modules support for the hashlimit bucket match module
kmod-ipt-imq 5418 Kernel support for Intermediate Queueing devices, use its successor ⇒ kmod-ifb
kmod-ipt-ipopt 11940 Netfilter (IPv4) modules for matching/changing IP packet options Includes: - CLASSIFY - dscp/DSCP - ecn/ECN - hl/HL (2.6.30 and later) - length - mark/MARK - statistic (2.6) - tcpmss - time - tos/TOS (prior to 2.6.25) - ttl/TTL (prior to 2.6.30) - unclean
kmod-ipt-ipp2p 6606 IPP2P netfilter module
kmod-ipt-iprange 2212 Netfilter (IPv4) module for matching ip ranges Includes: - iprange
kmod-ipt-ipsec 4179 Netfilter (IPv4) modules for matching IPSec packets Includes: - ah - esp - policy (2.6)
kmod-ipt-ipset 44012 IPset netfilter modules
kmod-ipt-nat 1 13722 Netfilter (IPv4) kernel modules for basic NAT targets Includes: - MASQUERADE
kmod-ipt-nat-extra 2605 Netfilter (IPv4) kernel modules for extra NAT targets Includes: - MIRROR (2.4) - NETMAP - REDIRECT
kmod-ipt-nathelper 1 11680 Default Netfilter (IPv4) Conntrack and NAT helpers Includes: - ftp - irc - tftp
kmod-ipt-nathelper-extra 55210 Extra Netfilter (IPv4) Conntrack and NAT helpers Includes: - amanda - h323 - mms - pptp (2.6) - proto_gre (2.6) - rtsp - sip (2.6) - snmp_basic
kmod-ipt-queue 5617 Netfilter (IPv4) module for user-space packet queueing Includes: - QUEUE
kmod-ipt-rawnat 3690 RAWNAT netfilter module
kmod-ipt-rawpost 2155 RAWPOST netfilter module
kmod-ipt-tarpit 3101 TARPIT netfilter module
kmod-ipt-tproxy 4871 Kernel modules for Transparent Proxying
kmod-ipt-ulog 4673 Netfilter (IPv4) module for user-space packet logging Includes: - ULOG
kmod-iptunnel4 2828 Kernel modules for IPv4 tunneling
kmod-iptunnel6 2856 Kernel modules for IPv6 tunneling

Notes


doc/howto/netfilter.txt · Last modified: 2014/08/23 09:29 by hamy