User Tools

Site Tools


doc:howto:netfilter

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
doc:howto:netfilter [2013/07/11 12:26]
lorema
doc:howto:netfilter [2015/05/02 13:09] (current)
markues [nftables]
Line 1: Line 1:
-====== Netfilter ====== +====== Netfilter/​Nftables ​====== 
-[[http://​www.netfilter.org/​|Netfilter]] is the packet filtering framework inside the Linux kernel. It allows for packet filtering, network address [and port] translation (NA[P]T) and other packet manipulations. It is far more than a simple firewall and very powerful!+[[http://​www.netfilter.org/​|Netfilter]] is the packet filtering framework inside the [[wp>Linux kernel]]. It allows for packet filtering, network address [and port] translation (NA[P]T) and other packet manipulations. It is far more than a simple firewall and very powerful! ​For Nftables, see [[#​Nftables]] further down this wikipage.
  
 Usually the user space programs <color red>​**''​iptables''​**</​color>,​ <color red>​**''​ip6tables''​**</​color>,​ <color red>​**''​ebtables''​**</​color>​ or <color red>​**''​arptables''​**</​color>​ are utilized to //​configure//​ the handling of network packets. Please see this scheme **[[http://​upload.wikimedia.org/​wikipedia/​commons/​d/​dd/​Netfilter-components.svg|Netfilter Components]]** by Jan Engelhardt about some overview over current and future netfilter components. Usually the user space programs <color red>​**''​iptables''​**</​color>,​ <color red>​**''​ip6tables''​**</​color>,​ <color red>​**''​ebtables''​**</​color>​ or <color red>​**''​arptables''​**</​color>​ are utilized to //​configure//​ the handling of network packets. Please see this scheme **[[http://​upload.wikimedia.org/​wikipedia/​commons/​d/​dd/​Netfilter-components.svg|Netfilter Components]]** by Jan Engelhardt about some overview over current and future netfilter components.
  
-| {{:​meta:​icons:​tango:​dialog-information.png?​nolink}} | **//''​Note1'':​//** In OpenWrt bridge firewalling is disabled by default. It can be enabled by editing ''/​etc/​sysctl.conf'':​ <code bash>​net.bridge.bridge-nf-call-arptables=0+| {{:​meta:​icons:​tango:​dialog-information.png?​nolink}} | **''​Note1'':​** In OpenWrt bridge firewalling is disabled by default. It can be enabled by editing ''/​etc/​sysctl.conf'':​ <code bash>​net.bridge.bridge-nf-call-arptables=0
 net.bridge.bridge-nf-call-ip6tables=0 net.bridge.bridge-nf-call-ip6tables=0
-net.bridge.bridge-nf-call-iptables=1</​code>​ and then reloading the configuration with <code bash>​sysctl -p</​code>​This is required by the netfilter module "​physdev"​ and also by ebtables ​ |+net.bridge.bridge-nf-call-iptables=1</​code>​ and then reloading the configuration with <code bash>​sysctl -p</​code>​ This is required by the netfilter module "​physdev"​ and also by ebtables ​ |
  
 ===== Installation ===== ===== Installation =====
Line 14: Line 14:
 Please have a look at this most excellent scheme: **[[http://​upload.wikimedia.org/​wikipedia/​commons/​3/​37/​Netfilter-packet-flow.svg|Netfilter Packet Flow]]** by Jan Engelhardt to understand how a packet traverses netfilter. The green stuff is the domain of ''​iptables''​ and ''​ip6tables'',​ while the blue stuff is being handled by ''​ebtables''​. Please have a look at this most excellent scheme: **[[http://​upload.wikimedia.org/​wikipedia/​commons/​3/​37/​Netfilter-packet-flow.svg|Netfilter Packet Flow]]** by Jan Engelhardt to understand how a packet traverses netfilter. The green stuff is the domain of ''​iptables''​ and ''​ip6tables'',​ while the blue stuff is being handled by ''​ebtables''​.
  
-Do not make the mistake to place your LAN on the left side and the Internet on the right side in your mind. They are both on both sides! When a packet enters the Linux Kernel (= that is the ingress buffer of the [[wp>​Network interface controller|NIC]] /​[[wp>​Wireless network interface controller|WNIC]]) it always comes in on the left side, regardless on which [[doc:​networking:​network.interfaces|interface]] it arrives. It traverses the network stack and then netfilter and when it leaves, it always leaves at the right side. While the packet traverses netfilter, netfilter looks for rules that match that network packet. When a rules matches a packet, that rule is being applied to that particular packet. This means the packet is being send to the TARGET specified in that rule. As soon as the network packet ​is matching ​a rule, this rule is being applied to it, and the packet stops traversing that table of netfilter! There are few exceptions to this behavior, e.g. the TARGETs ''​-j LOG'',​ ''​-j CUSTOM_CHAIN''​ or ''​-j MARK''​.+Do not make the mistake to place your LAN on the left side and the Internet on the right side in your mind. They are both on both sides! When a packet enters the Linux Kernel (= that is the ingress buffer of the [[wp>​Network interface controller|NIC]] /​[[wp>​Wireless network interface controller|WNIC]]) it always comes in on the left side, regardless on which [[doc:​networking:​network.interfaces|interface]] it arrives. It traverses the network stack and then netfilter and when it leaves, it always leaves at the right side. While the packet traverses netfilter, netfilter looks for rules that match that network packet. When a rule matches a packet, that rule is being applied to that particular packet. This means the packet is being sent to the TARGET specified in that rule. As soon as the network packet ​matches ​a rule, this rule is applied to it, and the packet stops traversing that table of netfilter! There are few exceptions to this behavior, e.g. the TARGETs ''​-j LOG'',​ ''​-j CUSTOM_CHAIN''​ or ''​-j MARK''​.
  
 ===== Configuration ===== ===== Configuration =====
Line 23: Line 23:
 root@openwrt:​~#​ iptables -A FORWARD -j REJECT -p udp --dport 135:139 #​------------- Block outgoing Windows Share root@openwrt:​~#​ iptables -A FORWARD -j REJECT -p udp --dport 135:139 #​------------- Block outgoing Windows Share
 </​code>​ | </​code>​ |
 +
 +| {{:​meta:​icons:​tango:​dialog-information.png?​nolink}} | **''​Note:''​** All rules can contain a [[wp>​Fully qualified domain name|FQDN (Fully qualified domain name)]] instead of an IP addresses. But the FQDN will be resolved to IP addresses when the rule is executed and rules will be created using these IP addresses! Thus, if there is a DNS update, the IP addresses resolved at execution time may not longer match the FQDN.\\ However such a functionality could be realized with ''​ipset''​ and ''​[[doc:​uci:​ipset-dns]]''​. |
  
 Per invocation you can set up only one //rule//; this will be checked for mistakes and if none are found, the hook will be written to RAM and is active immediately. An iptables/​ip6tables command is composed of two parts: parts one always commits the <color LightSeaGreen>​table</​color>,​ a <color magenta>​command</​color>,​ and the <color green>​chain</​color>​ this particular rule belongs to; part two specifies the <color blue>​match</​color>​ and the <color red>​TARGET</​color>​. There is always exactly one TARGET, but multiple matches are possible. Per invocation you can set up only one //rule//; this will be checked for mistakes and if none are found, the hook will be written to RAM and is active immediately. An iptables/​ip6tables command is composed of two parts: parts one always commits the <color LightSeaGreen>​table</​color>,​ a <color magenta>​command</​color>,​ and the <color green>​chain</​color>​ this particular rule belongs to; part two specifies the <color blue>​match</​color>​ and the <color red>​TARGET</​color>​. There is always exactly one TARGET, but multiple matches are possible.
Line 30: Line 32:
 | ''​**iptables** <color LightSeaGreen>​-t filter</​color>​ <color magenta>​-A</​color>​ <color green>​FORWARD</​color>''​|''<​color red>-j REJECT</​color>​ <color blue>-p udp %%-%%-dport 135:​139</​color>​ <color grey>#​%%----------------%% Block outgoing NetBIOS (Windows Share) </​color>''​ | | ''​**iptables** <color LightSeaGreen>​-t filter</​color>​ <color magenta>​-A</​color>​ <color green>​FORWARD</​color>''​|''<​color red>-j REJECT</​color>​ <color blue>-p udp %%-%%-dport 135:​139</​color>​ <color grey>#​%%----------------%% Block outgoing NetBIOS (Windows Share) </​color>''​ |
 | ''​**iptables** <color LightSeaGreen>​-t filter</​color>​ <color magenta>​-A</​color>​ <color green>​FORWARD</​color>''​|''<​color blue>-p tcp %%-%%-dport 22 -m physdev %%-%%-physdev-in wlan0 %%-%%-physdev-out eth0.3 </​color>​ <color red>-j LOG %%-%%-log-prefix "22 on wlan"</​color>​ <color grey>#​%%----%% log wlan-clients attempts on ssh</​color>''​ | | ''​**iptables** <color LightSeaGreen>​-t filter</​color>​ <color magenta>​-A</​color>​ <color green>​FORWARD</​color>''​|''<​color blue>-p tcp %%-%%-dport 22 -m physdev %%-%%-physdev-in wlan0 %%-%%-physdev-out eth0.3 </​color>​ <color red>-j LOG %%-%%-log-prefix "22 on wlan"</​color>​ <color grey>#​%%----%% log wlan-clients attempts on ssh</​color>''​ |
-| ''​**iptables** <color LightSeaGreen>​-t nat</​color>​ <color magenta>​-A</​color>​ <color green>​PREROUTING</​color>''​|''<​color blue>-i $LAN -p tcp %%-%%-dport 53</​color>​ <color red>​-j ​DNAT %%-%%-to-destination 127.0.0.1:53</​color>​ <color grey>#-%%-%%redirect DNS queries to self on TCP </​color>''​ | +| ''​**iptables** <color LightSeaGreen>​-t nat</​color>​ <color magenta>​-A</​color>​ <color green>​PREROUTING</​color>''​|''<​color blue>-i $LAN -p tcp %%-%%-dport 53</​color>​ <color red>​-j ​REDIRECT ​%%--%%to-port 53</​color>​ <color grey>#%%----------------%% redirect DNS queries to self on TCP </​color>''​ | 
-| ''​**iptables** <color LightSeaGreen>​-t nat</​color>​ <color magenta>​-A</​color>​ <color green>​PREROUTING</​color>''​|''<​color blue>-i $LAN -p udp %%-%%-dport 53</​color>​ <color red>​-j ​DNAT %%-%%-to-destination 127.0.0.1:53</​color>​ <color grey>#-%%-%%redirect DNS queries to self on UDP</​color>''​ |+| ''​**iptables** <color LightSeaGreen>​-t nat</​color>​ <color magenta>​-A</​color>​ <color green>​PREROUTING</​color>''​|''<​color blue>-i $LAN -p udp %%-%%-dport 53</​color>​ <color red>​-j ​REDIRECT ​%%--%%to-port 53</​color>​ <color grey>#%%----------------%% redirect DNS queries to self on UDP</​color>''​ |
 | ''​**iptables** <color LightSeaGreen>​-t nat</​color>​ <color magenta>​-A</​color>​ <color green>​POSTROUTING</​color>''​|''<​color blue>-o eth0.2 ​ -d 169.254.1.0/​24</​color>​ <color red>-j SNAT %%-%%-to-source 169.254.1.1</​color>​ <color grey>#​%%------%% Source-NAT packets with specified destination to specified IP address</​color>''​ | | ''​**iptables** <color LightSeaGreen>​-t nat</​color>​ <color magenta>​-A</​color>​ <color green>​POSTROUTING</​color>''​|''<​color blue>-o eth0.2 ​ -d 169.254.1.0/​24</​color>​ <color red>-j SNAT %%-%%-to-source 169.254.1.1</​color>​ <color grey>#​%%------%% Source-NAT packets with specified destination to specified IP address</​color>''​ |
 | ''​**iptables** <color LightSeaGreen>​-t nat</​color>​ <color magenta>​-A</​color>​ <color green>​POSTROUTING</​color>''​|''<​color blue>-o $IF_DSL</​color>​ <color red>-j MASQUERADE</​color>​ <color grey>#​%%------------%% Source-NAT all Packet leaving on Interface $IF_DSL to the IP address of the router on that Interface</​color>''​ | | ''​**iptables** <color LightSeaGreen>​-t nat</​color>​ <color magenta>​-A</​color>​ <color green>​POSTROUTING</​color>''​|''<​color blue>-o $IF_DSL</​color>​ <color red>-j MASQUERADE</​color>​ <color grey>#​%%------------%% Source-NAT all Packet leaving on Interface $IF_DSL to the IP address of the router on that Interface</​color>''​ |
Line 40: Line 42:
 | ''​**iptables** <color LightSeaGreen>​-t mangle</​color>​ <color magenta>​-A</​color>​ <color green>​PREROUTING</​color>''​|''<​color blue>-i $IF_DSL -d 192.168.0.0/​16</​color>​ <color red>-j TEE %%-%%-gateway 192.168.1.254</​color>​ <color grey>#​%%-------%% forward a copy to gateway-IP</​color>''​ | | ''​**iptables** <color LightSeaGreen>​-t mangle</​color>​ <color magenta>​-A</​color>​ <color green>​PREROUTING</​color>''​|''<​color blue>-i $IF_DSL -d 192.168.0.0/​16</​color>​ <color red>-j TEE %%-%%-gateway 192.168.1.254</​color>​ <color grey>#​%%-------%% forward a copy to gateway-IP</​color>''​ |
 | ''​**iptables** <color LightSeaGreen>​-t mangle</​color>​ <color magenta>​-A</​color>​ <color green>​PREROUTING</​color>''​|''<​color blue>-m connbytes %%-%%-connbytes 504857: %%-%%-connbytes-dir both %%-%%-connbytes-mode bytes</​color>​ <color red>-j CLASSIFY %%-%%-set-class 1:​303</​color>​ <color grey>#​%%----%% count the Bytes of one connection</​color>''​ | | ''​**iptables** <color LightSeaGreen>​-t mangle</​color>​ <color magenta>​-A</​color>​ <color green>​PREROUTING</​color>''​|''<​color blue>-m connbytes %%-%%-connbytes 504857: %%-%%-connbytes-dir both %%-%%-connbytes-mode bytes</​color>​ <color red>-j CLASSIFY %%-%%-set-class 1:​303</​color>​ <color grey>#​%%----%% count the Bytes of one connection</​color>''​ |
-| ''​**iptables** <color LightSeaGreen>​-t raw</​color>​ <color magenta>​-A</​color>​ <color green>​INPUT</​color>''​|''<​color blue>! -i $IF_DSL </​color>​ <color red>​-j ​NOTRACK</​color>​ <color grey>#​%%--------------%% don't track anything NOT incoming on interface in variable $IF_DSL</​color>''​ | +| ''​**iptables** <color LightSeaGreen>​-t raw</​color>​ <color magenta>​-A</​color>​ <color green>​INPUT</​color>''​|''<​color blue>! -i $IF_DSL </​color>​ <color red>​-j ​CT %%--%%notrack</​color>​ <color grey>#​%%--------------%% don't track anything NOT incoming on interface in variable $IF_DSL</​color>''​ | 
-| ''​**iptables** <color LightSeaGreen>​-t raw</​color>​ <color magenta>​-A</​color>​ <color green>​INPUT</​color>''​|''<​color blue>-i $IF_LAN -s $NET_LAN -p tcp %%-%%-dport 32777:​32780</​color>​ <color red>​-j ​NOTRACK</​color>​ <color grey>#​%%------%% don't track NFS</​color>''​ |+| ''​**iptables** <color LightSeaGreen>​-t raw</​color>​ <color magenta>​-A</​color>​ <color green>​INPUT</​color>''​|''<​color blue>-i $IF_LAN -s $NET_LAN -p tcp %%--%%dport 32777:​32780</​color>​ <color red>​-j ​CT %%--%%notrack</​color>​ <color grey>#​%%------%% don't track NFS</​color>''​ |
  
 <color LightSeaGreen>​Table:​ -t filter -t nat -t mangle -t raw</​color>​ <color LightSeaGreen>​Table:​ -t filter -t nat -t mangle -t raw</​color>​
Line 49: Line 51:
 <color green>''​Builtin Chains''​ and ''​user defined chains'':​ INPUT OUTPUT FORWARD PREROUTING POSTROUTING user_defined_CHAIN_1</​color>​ <color green>''​Builtin Chains''​ and ''​user defined chains'':​ INPUT OUTPUT FORWARD PREROUTING POSTROUTING user_defined_CHAIN_1</​color>​
  
-<color red>​TARGET:​ ACCEPT DROP QUEUE RETURN BALANCE CLASSIFY CLUSTERIP CONNMARK CONNSECMARK CONNTRACK DNAT DSCP ECN IPMARK IPV4OPSSTRIP LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE ​NOTRACK ​REDIRECT REJECT ROUTE SAME SECMARK SET SNAT TARPIT TCPMSS TOS TRACE TTL ULOG XOR</​color>​+<color red>​TARGET:​ ACCEPT DROP QUEUE RETURN BALANCE CLASSIFY CLUSTERIP CONNMARK CONNSECMARK CONNTRACK DNAT DSCP ECN IPMARK IPV4OPSSTRIP LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE ​CT REDIRECT REJECT ROUTE SAME SECMARK SET SNAT TARPIT TCPMSS TOS TRACE TTL ULOG XOR</​color>​
  
 Dependent on the kind of TARGET you need further parameters: <color red>-j MARK %%-%%-set-mark 102\\ Dependent on the kind of TARGET you need further parameters: <color red>-j MARK %%-%%-set-mark 102\\
Line 77: Line 79:
 ===== Examples ===== ===== Examples =====
 You find some example shell scripts below: You find some example shell scripts below:
- 
   * [[doc:​howto:​netfilter:​netfilter.iptables.example1]] very simple script for setting up NAT (IPv4 only, IPv6 has no NAT)   * [[doc:​howto:​netfilter:​netfilter.iptables.example1]] very simple script for setting up NAT (IPv4 only, IPv6 has no NAT)
   * [[doc:​howto:​netfilter:​netfilter.iptables.example2]] simple script with filters (such an implementation is usually called a //​firewall//​)   * [[doc:​howto:​netfilter:​netfilter.iptables.example2]] simple script with filters (such an implementation is usually called a //​firewall//​)
Line 115: Line 116:
  
   * http://​ebtables.sourceforge.net/​br_fw_ia/​br_fw_ia.html   * http://​ebtables.sourceforge.net/​br_fw_ia/​br_fw_ia.html
- 
  
 === arptables === === arptables ===
Line 128: Line 128:
 | kmod-ipt-ipset ​      ​| ​ 3.3.8+6.11-2 ​ |  82830 | IPset netfilter modules ​ | | kmod-ipt-ipset ​      ​| ​ 3.3.8+6.11-2 ​ |  82830 | IPset netfilter modules ​ |
  
 +===== nftables =====
 +Please see **[[doc/​howto/​nftables]]**.
 ==== Modules for match/​TARGET ==== ==== Modules for match/​TARGET ====
 To quickly obtain a current overview type: ''​opkg list iptables-mod-*''​. Install the user space module, kernel modules are listed as dependencies and will be installed as well. To quickly obtain a current overview type: ''​opkg list iptables-mod-*''​. Install the user space module, kernel modules are listed as dependencies and will be installed as well.
Line 144: Line 146:
 | iptables-mod-hashlimit ​       |   ​| ​  5554 | iptables extensions for hashlimit matching Includes: - libipt_hashlimit ​ | | iptables-mod-hashlimit ​       |   ​| ​  5554 | iptables extensions for hashlimit matching Includes: - libipt_hashlimit ​ |
 | iptables-mod-imq ​             |   ​| ​  2220 | iptables extension for IMQ support. Includes: - libipt_IMQ, use it's successor => ''​[[http://​www.linuxfoundation.org/​collaborate/​workgroups/​networking/​ifb|kmod-ifb]]''​ | | iptables-mod-imq ​             |   ​| ​  2220 | iptables extension for IMQ support. Includes: - libipt_IMQ, use it's successor => ''​[[http://​www.linuxfoundation.org/​collaborate/​workgroups/​networking/​ifb|kmod-ifb]]''​ |
-| iptables-mod-ipopt ​           |   ​| ​ 22438 | iptables extensions for matching/​changing IP packet options. Includes: - libipt_CLASSIFY - libipt_dscp/​DSCP - libipt_ecn/​ECN - libipt_length - libipt_mac - libipt_mark/​MARK - libipt_statistic - libipt_tcpmms ​- libipt_tos/​TOS - libipt_ttl/​TTL - libipt_unclean ​ |+| iptables-mod-ipopt ​           |   ​| ​ 22438 | iptables extensions for matching/​changing IP packet options. Includes: - libipt_CLASSIFY - libipt_dscp/​DSCP - libipt_ecn/​ECN - libipt_length - libipt_mac - libipt_mark/​MARK - libipt_statistic - libipt_tcpmss ​- libipt_tos/​TOS - libipt_ttl/​TTL - libipt_unclean ​ |
 | iptables-mod-ipp2p ​           |   ​| ​  3315 | IPP2P iptables extension ​ | | iptables-mod-ipp2p ​           |   ​| ​  3315 | IPP2P iptables extension ​ |
 | iptables-mod-iprange ​         |   ​| ​  3627 | iptables extensions for matching ip ranges. Includes: - libipt_iprange ​ | | iptables-mod-iprange ​         |   ​| ​  3627 | iptables extensions for matching ip ranges. Includes: - libipt_iprange ​ |
Line 198: Line 200:
   * [[http://​www.linuxhomenetworking.com/​wiki/​index.php/​Quick_HOWTO_:​_Ch14_:​_Linux_Firewalls_Using_iptables#​Figure_14-1_Iptables_Packet_Flow_Diagram|LHN Fig.14]]   * [[http://​www.linuxhomenetworking.com/​wiki/​index.php/​Quick_HOWTO_:​_Ch14_:​_Linux_Firewalls_Using_iptables#​Figure_14-1_Iptables_Packet_Flow_Diagram|LHN Fig.14]]
   * [[http://​www.rigacci.org/​wiki/​lib/​exe/​fetch.php/​doc/​appunti/​linux/​sa/​iptables/​conntrack.html|on conntrack]]   * [[http://​www.rigacci.org/​wiki/​lib/​exe/​fetch.php/​doc/​appunti/​linux/​sa/​iptables/​conntrack.html|on conntrack]]
 +  * [[http://​ipset.netfilter.org/​iptables-extensions.man.html|List of available extensions to netfilter/​iptables]]
doc/howto/netfilter.1373538379.txt.bz2 · Last modified: 2013/07/11 12:26 by lorema