Netfilter
Well, let's consider what you already know, that data communication, that is, the exchange and transfer of information, or data, takes place in chunks and not as a continuous flow. If you do not, the article about networking could help you.
OpenWrt relies on Netfilter to handle network packets. It is far more than a simple firewall and very powerful! Usually the user space programs iptables, ip6tables, ebtables or arptables are utilized to configure the handling of network packets. Please see this scheme Netfilter Components by Jan Engelhardt about some overview over current and future netfilter components.
iptables
- iptables for the user space program
iptables
| Name | Version | Size in Bytes | Description |
|---|---|---|---|
| iptables | 1.4.10-1 | 41764 | IPv4 firewall administration tool. Includes support for: - comment - limit - LOG - mac - multiport - REJECT - TCPMSS |
| libxtables | 1.4.10-1 | 10847 | IPv4/IPv6 firewall - shared xtables library |
| libiptc | 1.4.10-1 | 15689 | IPv4/IPv6 firewall - shared libiptc library |
| kmod-ipt-core | 2.6.32.27-1 | 29463 | Netfilter core kernel modules Includes: - comment (2.6) - limit - LOG - mac - multiport - REJECT - TCPMSS |
ip6tables
- ip6tables for the user space program
ip6tables
| Name | Version | Size in Bytes | Description |
|---|---|---|---|
| ip6tables | 1.4.10-1 | 40255 | IPv6 firewall administration tool |
| libxtables | 1.4.10-1 | 10847 | IPv4/IPv6 firewall - shared xtables library |
| libiptc | 1.4.10-1 | 15689 | IPv4/IPv6 firewall - shared libiptc library |
| kmod-ip6tables | 2.6.32.27-1 | 34789 | Netfilter IPv6 firewalling support |
| kmod-ipv6 | 2.6.32.27-1 | 156851 | Kernel modules for IPv6 support |
ebtables
- ebtables] for the user space program
ebtables
| Name | Version | Size in Bytes | Description |
|---|---|---|---|
| ebtables | 2.0.9-2-1 | 51727 | The ebtables program is a filtering tool for a bridging firewall. The filtering is focussed on the Link Layer Ethernet frame fields. Apart from filtering, it also gives the ability to alter the Ethernet MAC addresses and implement a brouter. |
| kmod-ebtables | 2.6.32.27-1 | 20859 | ebtables is a general, extensible frame/packet identification framework. It provides you to do Ethernet filtering/NAT/brouting on the Ethernet bridge. |
| kmod-ebtables-ipv4 | 2.6.32.27-1 | 5376 | This option adds the IPv4 support to ebtables, which allows basic IPv4 header field filtering, ARP filtering as well as SNAT, DNAT targets. |
| kmod-ebtables-ipv6 | 2.6.32.27-1 | 2520 | This option adds the IPv6 support to ebtables, which allows basic IPv6 header field filtering and target support. |
| kmod-ebtables-watchers | 2.6.32.27-1 | 7289 | This option adds the log watchers, that you can use in any rule in any ebtables table. |
arptables
- arptables for the user space program
arptables
| Name | Version | Size in Bytes | Description |
|---|---|---|---|
| arptables | 0.0.3-4-1 | 21321 | ARP firewalling software |
| kmod-arptables | 2.6.32.27-1 | 9102 | Kernel modules for ARP firewalling |
nftables
nftables is the successor of all of the above user space programs and shall replace them one day. Today it is in Alpha-Status: nftables and http://people.netfilter.org/kaber/weblog/2008/08/20/:
- Unification of filters (socket filter, pktsched, netfilter)!
- Similar to BPF but more sophisticated
- Contains high-level objects, like dictionaries
- Hash table, trie, bitmaps, etc.
- Rule set optimizations in userspace bevor the hook is passed to kernel
- Need to retain existing netfilter bits “forever”
ipset
- http://ipset.netfilter.org/ was mainlined in Linux Kernel Version 2.6.39
Modules for match/TARGET
To quickly obtain a current overview type: opkg list iptables-mod-*. Install the user space module, kernel modules are listed as dependencies and will be installed as well.
 | Since r30676 iptables-mod-conntrack and iptables-mod-nat are folded into the default package iptables to save on storage memory. |
| Name | Vanilla | Size in Bytes | Description |
|---|---|---|---|
| User Space Modules | |||
| iptables-mod-chaos | 2216 | CHAOS iptables extension | |
| iptables-mod-condition | 2356 | Condition iptables extension | |
| iptables-mod-conntrack | * | 3228 | Basic iptables extensions for connection tracking. Includes: - state - raw - NOTRACK |
| iptables-mod-conntrack-extra | 15138 | Extra iptables extensions for connection tracking. Includes: - libipt_conntrack - libipt_helper - libipt_connmark/CONNMARK | |
| iptables-mod-delude | 1905 | DELUDE iptables extension | |
| iptables-mod-extra | 7125 | Other extra iptables extensions. Includes: - libipt_owner - libipt_physdev - libipt_pkttype - libipt_recent recent | |
| iptables-mod-filter | 15347 | iptables extensions for packet content inspection. Includes: - libipt_string - libipt_layer7 | |
| iptables-mod-hashlimit | 5554 | iptables extensions for hashlimit matching Includes: - libipt_hashlimit | |
| iptables-mod-imq | 2220 | iptables extension for IMQ support. Includes: - libipt_IMQ, use it's successor ⇒ kmod-ifb |
|
| iptables-mod-ipopt | 22438 | iptables extensions for matching/changing IP packet options. Includes: - libipt_CLASSIFY - libipt_dscp/DSCP - libipt_ecn/ECN - libipt_length - libipt_mac - libipt_mark/MARK - libipt_statistic - libipt_tcpmms - libipt_tos/TOS - libipt_ttl/TTL - libipt_unclean | |
| iptables-mod-ipp2p | 3315 | IPP2P iptables extension | |
| iptables-mod-iprange | 3627 | iptables extensions for matching ip ranges. Includes: - libipt_iprange | |
| iptables-mod-ipsec | 7002 | iptables extensions for matching ipsec traffic. Includes: - libipt_ah - libipt_esp - libipt_policy | |
| iptables-mod-ipset | 5673 | IPset iptables extensions. Includes: - libipt_set - libipt_SET | |
| iptables-mod-nat | * | 5105 | iptables extensions for basic NAT targets. Includes: - MASQUERADE - SNAT - DNAT |
| iptables-mod-nat-extra | 3877 | iptables extensions for extra NAT targets. Includes: - REDIRECT | |
| iptables-mod-rawnat | 3179 | RAWNAT iptables extension | |
| iptables-mod-tarpit | 1903 | TARPIT iptables extension | |
| iptables-mod-tproxy | 3297 | Transparent proxy iptables extensions. Includes: - libxt_socket - libxt_TPROXY | |
| iptables-mod-ulog | 3189 | iptables extensions for user-space packet logging. Includes: - libipt_ULOGro | |
| Kernel Space Modules | |||
| kmod-ipt-chaos | 3535 | CHAOS netfilter module | |
| kmod-ipt-compat-xtables | 3531 | API compatibilty layer netfilter module | |
| kmod-ipt-condition | 3750 | Condition netfilter module | |
| kmod-ipt-conntrack | 1 | 39749 | Netfilter (IPv4) kernel modules for connection tracking Includes: - conntrack - defrag (2.6) - iptables_raw - NOTRACK - state |
| kmod-ipt-conntrack-extra | 11672 | Netfilter (IPv4) extra kernel modules for connection tracking Includes: - connbytes - connmark/CONNMARK - conntrack - helper - recent | |
| kmod-ipt-core | 1 | 29463 | Netfilter core kernel modules Includes: - comment (2.6) - limit - LOG - mac - multiport - REJECT - TCPMSS |
| kmod-ipt-delude | 2775 | DELUDE netfilter module | |
| kmod-ipt-extra | 4510 | Other Netfilter (IPv4) kernel modules Includes: - condition (2.4 only) - owner - physdev (if bridge support was enabled in kernel) - pkttype - quota | |
| kmod-ipt-filter | 10648 | Netfilter (IPv4) kernel modules for packet content inspection Includes: - layer7 - string | |
| kmod-ipt-hashlimit | 7257 | Kernel modules support for the hashlimit bucket match module | |
| kmod-ipt-imq | 5418 | Kernel support for Intermediate Queueing devices, use it's successor ⇒ kmod-ifb |
|
| kmod-ipt-ipopt | 11940 | Netfilter (IPv4) modules for matching/changing IP packet options Includes: - CLASSIFY - dscp/DSCP - ecn/ECN - hl/HL (2.6.30 and later) - length - mark/MARK - statistic (2.6) - tcpmss - time - tos/TOS (prior to 2.6.25) - ttl/TTL (prior to 2.6.30) - unclean | |
| kmod-ipt-ipp2p | 6606 | IPP2P netfilter module | |
| kmod-ipt-iprange | 2212 | Netfilter (IPv4) module for matching ip ranges Includes: - iprange | |
| kmod-ipt-ipsec | 4179 | Netfilter (IPv4) modules for matching IPSec packets Includes: - ah - esp - policy (2.6) | |
| kmod-ipt-ipset | 44012 | IPset netfilter modules | |
| kmod-ipt-nat | 1 | 13722 | Netfilter (IPv4) kernel modules for basic NAT targets Includes: - MASQUERADE |
| kmod-ipt-nat-extra | 2605 | Netfilter (IPv4) kernel modules for extra NAT targets Includes: - MIRROR (2.4) - NETMAP - REDIRECT | |
| kmod-ipt-nathelper | 1 | 11680 | Default Netfilter (IPv4) Conntrack and NAT helpers Includes: - ftp - irc - tftp |
| kmod-ipt-nathelper-extra | 55210 | Extra Netfilter (IPv4) Conntrack and NAT helpers Includes: - amanda - h323 - mms - pptp (2.6) - proto_gre (2.6) - rtsp - sip (2.6) - snmp_basic | |
| kmod-ipt-queue | 5617 | Netfilter (IPv4) module for user-space packet queueing Includes: - QUEUE | |
| kmod-ipt-rawnat | 3690 | RAWNAT netfilter module | |
| kmod-ipt-rawpost | 2155 | RAWPOST netfilter module | |
| kmod-ipt-tarpit | 3101 | TARPIT netfilter module | |
| kmod-ipt-tproxy | 4871 | Kernel modules for Transparent Proxying | |
| kmod-ipt-ulog | 4673 | Netfilter (IPv4) module for user-space packet logging Includes: - ULOG | |
| kmod-iptunnel4 | 2828 | Kernel modules for IPv4 tunneling | |
| kmod-iptunnel6 | 2856 | Kernel modules for IPv6 tunnelingr | |
Installation
Netfilter can be included into the kernel or installed later on as module. The same is true for the optional kernel modules. The user space modules and programs can be installed later on or included in the image.
Always install iptables-mod-*, that way the corresponding kmod-ipt-* is being installed as well.
Using this wiki only, you can go to vanilla.packages and see what packages are usually contained in a vanilla image. If your have OpenWrt already running, try some opkg-magic like: opkg list-installed | grep iptables and opkg list iptables-mod* to look for modules with matches and TARGETs you may want to utilize.
For example the Target CLASSIFY, or the match length are both included in the packages: iptables-mod-ipopt and kmod-ipt-ipopt. If you want to use them, you have to install the packages first 
Explanation
Please have a look at this most excellent scheme: Netfilter Packet Flow by Jan Engelhardt to understand how a packet traverses netfilter.
Note: Do not make the mistake to place your LAN on the left side and the Internet on the right side in your mind. They are both on both sides! When a packet enters the Linux Kernel (= that is the ingress buffer of the NIC /WNIC) it always comes in on the left side, regardless on which interface it arrives. It traverses the network stack and then netfilter and when it leaves, it always leaves at the right side.
The green stuff is the domain of iptables and ip6tables, while the blue stuff is being handled by ebtables. The names raw, mangle, nat and filter name tables, while the names INPUT, PREROUTING, etc. name the default CHAINs. See below!
While one any packet traverses netfilter, netfilter looks for rules that match that network packet. When a rules matches a packet, that rule is being applied to that particular packet. This means the packet is being send to the TARGET specified in that rule.
As soon as, the network packet is matching a rule, this rule is being applied to it, and the packet stops traversing that table of netfilter! But there are of course a couple of exceptions to this behaviour, e.g. the TARGETs -j LOG, -j CUSTOM_CHAIN or -j MARK.
Configuration
iptables, ip6tables, ebtables, arptables and ipset are pure user space command line tools. Utilize them as follows:
root@openwrt:~# iptables -A INPUT -j ACCEPT -p tcp --dport 53 #------------------- accept incoming packets on tcp port 53 (DNS) root@openwrt:~# iptables -A FORWARD -j REJECT -p udp --dport 135:139 #------------- Block outgoing Windows Share |
iptables is a user space program, that is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Have no fear, iptables is very user friendly, well documented and easy to understand: per invocation you can set up one rule aka (chain) link, this will be checked for mistakes and if none are found, the hook will be written to RAM and is active immediately. An iptables command always commits the table the chain belongs to, a command, then the chain this hook belongs to and then the match and the TARGET. There is always exactly one TARGET, but multiple matches are possible.
| Table Command Chain | match and TARGET |
|---|---|
iptables -t filter -A INPUT | -j ACCEPT -p tcp --dport 53 #——————- accept incoming packets on tcp port 53 (DNS) |
iptables -t filter -A FORWARD | -j REJECT -p udp --dport 135:139 #————- Block outgoing Windows Share |
iptables -t raw -A INPUT | -i $IF_LAN -s $NET_LAN -p tcp --dport 32777:32780 -j NOTRACK #———- don't track nfs |
iptables -t nat -A POSTROUTING | -o eth0.2 -d 169.254.1.0/24 -j SNAT --to-source 169.254.1.1 #– Alles ans Modem auf zweite Router-IP naten |
iptables -t nat -A POSTROUTING | -o $IF_DSL -j MASQUERADE #———- Alles ins Internet auf Router-IP naten |
iptables -t mangle -A POSTROUTING | -o $IF_DSL -s $IP_USER2 -j TC_USER2 |
iptables -t mangle -A TC_USER4 | -j CLASSIFY –set-class 1:101 -p udp -m length --length :400 |
iptables -t mangle -A TC_USER1 | -j CLASSIFY --set-class 1:103 -m tos --tos Maximize-Throughput |
iptables -t raw -A INPUT | ! -i $IF_DSL -j NOTRACK #— don't track anything NOT incoming on interface in variable $IF_DSL |
iptables -t mangle -A POSTROUTING | -o $IF_DSL ! -s 192.168.0.0/16 -j TEE --gateway 192.168.1.254 #— forward a copy to gateway-IP |
iptables -t mangle -A PREROUTING | -i $IF_DSL -d 192.168.0.0/16 -j TEE --gateway 192.168.1.254 #— forward a copy to gateway-IP |
iptables -t mangle -A PREROUTING | -m connbytes --connbytes 504857: --connbytes-dir both --connbytes-mode bytes -j CLASSIFY --set-class 1:303 #— count the Bytes of one connection |
Table: -t filter -t nat -t mangle -t raw
COMMAND: -A --append -D --delete -I --insert -R --replace -L --list -F --flush -Z --zero -N --new-chain -X --delete-chain -P --policy -E --rename-chain
Builtin Chains and user defined chains: INPUT OUTPUT FORWARD PREROUTING POSTROUTING user_defined_CHAIN_1
TARGET: ACCEPT DROP QUEUE RETURN BALANCE CLASSIFY CLUSTERIP CONNMARK CONNSECMARK CONNTRACK DNAT DSCP ECN IPMARK IPV4OPSSTRIP LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT ROUTE SAME SECMARK SET SNAT TARPIT TCPMSS TOS TRACE TTL ULOG XOR
Dependent on the kind of TARGET you need further parameters: -j MARK --set-mark 102
-j TEE reroute a copy of a packet
-j TARPIT
-j DELUDE does TCP handshake and the closes connection
match:
-i incoming interface, -o outgoing interface
-s source ip address, -d destination ip address
-p protocol, –dport destination port –sport source port
-m match: various matches are in different iptables-mod-* packages!
-m mac –mac-source xx:xx:xx:xx:xx:xx source MAC, note that MAC is layer2
-m mark –mark abc match a packet marked with abc
-m length –length :412 match all packets with a length of less then 412 Bytes
-m ttl –ttl-eq 12 -j LOG –log-prefix "IPT TTL=12 "
-m ttl –ttl-gt 12 -j LOG –log-prefix "IPT TTL>12 "
-m ttl –ttl-lt 12 -j LOG –log-prefix "IPT TTL<12 "
-m condition match a flag changeable from userspace
-m geoip match on countries
This were a very few examples only meant to give you the basic grasp of netfilter, which is a huge step! Now for a thorough documentation or for some detailed tutorials, please see the Notes.
Examples
You find some example shell scripts below:
IPv4
- netfilter.iptables.example1 very simple script for setting up NAT (IPv4 only, IPv6 has no NAT)
- netfilter.iptables.example2 simple script with filters (such an implementation is usually called a firewall)
- netfilter.iptables.example3 Protocol usage with iptables
IPv6
- netfilter.ip6tables.example1 Basic rules for empty ip6tables (like in firewall_v1) including tunnel support
ebtables
Troubleshooting
Notes
- Project Hompage http://www.netfilter.org/
- One of the best Tutorials http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html by Oskar Andreasson, incomplete, certain matches are missing
- A short HowTo-like help: http://www.akadia.com/services/pppoe_iptables.html
doc/howto/netfilter.txt · Last modified: 2012/02/22 15:26 by orca