doc:howto:netfilter

doc:howto:netfilter [2013/07/11 12:26]
lorema
doc:howto:netfilter [2014/08/23 09:29] (current)
hamy tcpmms to tcpmss
Line 1: Line 1:
-====== Netfilter ====== +====== Netfilter/​Nftables ​====== 
-[[http://​www.netfilter.org/​|Netfilter]] is the packet filtering framework inside the Linux kernel. It allows for packet filtering, network address [and port] translation (NA[P]T) and other packet manipulations. It is far more than a simple firewall and very powerful!+[[http://​www.netfilter.org/​|Netfilter]] is the packet filtering framework inside the [[wp>Linux kernel]]. It allows for packet filtering, network address [and port] translation (NA[P]T) and other packet manipulations. It is far more than a simple firewall and very powerful! ​For Nftables, see [[#​Nftables]] further down this wikipage.
  
 Usually the user space programs <color red>​**''​iptables''​**</​color>,​ <color red>​**''​ip6tables''​**</​color>,​ <color red>​**''​ebtables''​**</​color>​ or <color red>​**''​arptables''​**</​color>​ are utilized to //​configure//​ the handling of network packets. Please see this scheme **[[http://​upload.wikimedia.org/​wikipedia/​commons/​d/​dd/​Netfilter-components.svg|Netfilter Components]]** by Jan Engelhardt about some overview over current and future netfilter components. Usually the user space programs <color red>​**''​iptables''​**</​color>,​ <color red>​**''​ip6tables''​**</​color>,​ <color red>​**''​ebtables''​**</​color>​ or <color red>​**''​arptables''​**</​color>​ are utilized to //​configure//​ the handling of network packets. Please see this scheme **[[http://​upload.wikimedia.org/​wikipedia/​commons/​d/​dd/​Netfilter-components.svg|Netfilter Components]]** by Jan Engelhardt about some overview over current and future netfilter components.
  
-| {{:​meta:​icons:​tango:​dialog-information.png?​nolink}} | **//''​Note1'':​//** In OpenWrt bridge firewalling is disabled by default. It can be enabled by editing ''/​etc/​sysctl.conf'':​ <code bash>​net.bridge.bridge-nf-call-arptables=0+| {{:​meta:​icons:​tango:​dialog-information.png?​nolink}} | **''​Note1'':​** In OpenWrt bridge firewalling is disabled by default. It can be enabled by editing ''/​etc/​sysctl.conf'':​ <code bash>​net.bridge.bridge-nf-call-arptables=0
 net.bridge.bridge-nf-call-ip6tables=0 net.bridge.bridge-nf-call-ip6tables=0
-net.bridge.bridge-nf-call-iptables=1</​code>​ and then reloading the configuration with <code bash>​sysctl -p</​code>​This is required by the netfilter module "​physdev"​ and also by ebtables ​ |+net.bridge.bridge-nf-call-iptables=1</​code>​ and then reloading the configuration with <code bash>​sysctl -p</​code>​ This is required by the netfilter module "​physdev"​ and also by ebtables ​ |
  
 ===== Installation ===== ===== Installation =====
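Review bot: the Note1 snippet in this hunk turns on net.bridge.bridge-nf-call-iptables but leaves net.bridge.bridge-nf-call-ip6tables=0, so IPv6 frames crossing the bridge are never handed to ip6tables and the physdev match only applies to IPv4; say so explicitly next to the snippet, or set net.bridge.bridge-nf-call-ip6tables=1 as well where bridged IPv6 is meant to be filtered too. Minor: the page title now reads "Netfilter/Nftables" while the new section added further down is headed "nftables"; pick one capitalisation.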
Line 23: Line 23:
 root@openwrt:​~#​ iptables -A FORWARD -j REJECT -p udp --dport 135:139 #​------------- Block outgoing Windows Share root@openwrt:​~#​ iptables -A FORWARD -j REJECT -p udp --dport 135:139 #​------------- Block outgoing Windows Share
 </​code>​ | </​code>​ |
 +
 +| {{:​meta:​icons:​tango:​dialog-information.png?​nolink}} | **''​Note:''​** All rules can contain a [[wp>​Fully qualified domain name|FQDN (Fully qualified domain name)]] instead of an IP addresses. But the FQDN will be resolved to IP addresses when the rule is executed and rules will be created using these IP addresses! Thus, if there is a DNS update, the IP addresses resolved at execution time may not longer match the FQDN.\\ However such a functionality could be realized with ''​ipset''​ and ''​[[doc:​uci:​ipset-dns]]''​. |
  
 Per invocation you can set up only one //rule//; this will be checked for mistakes and if none are found, the hook will be written to RAM and is active immediately. An iptables/​ip6tables command is composed of two parts: parts one always commits the <color LightSeaGreen>​table</​color>,​ a <color magenta>​command</​color>,​ and the <color green>​chain</​color>​ this particular rule belongs to; part two specifies the <color blue>​match</​color>​ and the <color red>​TARGET</​color>​. There is always exactly one TARGET, but multiple matches are possible. Per invocation you can set up only one //rule//; this will be checked for mistakes and if none are found, the hook will be written to RAM and is active immediately. An iptables/​ip6tables command is composed of two parts: parts one always commits the <color LightSeaGreen>​table</​color>,​ a <color magenta>​command</​color>,​ and the <color green>​chain</​color>​ this particular rule belongs to; part two specifies the <color blue>​match</​color>​ and the <color red>​TARGET</​color>​. There is always exactly one TARGET, but multiple matches are possible.
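Review bot: the added Note has two grammar slips: "instead of an IP addresses" should read "instead of an IP address", and "may not longer match" should read "may no longer match". A more important consequence of resolving the name at load time belongs in the Note as well: when DNS is unreachable at the moment the script runs (typically at boot, before the WAN link is up), iptables cannot resolve the FQDN and exits with an error instead of inserting the rule, so the firewall silently ends up without that rule unless the script checks the exit status or is re-run once name resolution works. Since ipset with ipset-dns is the dependable way to keep a name-based rule current, state it as the recommended approach rather than "could be realized".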
Line 30: Line 32:
 | ''​**iptables** <color LightSeaGreen>​-t filter</​color>​ <color magenta>​-A</​color>​ <color green>​FORWARD</​color>''​|''<​color red>-j REJECT</​color>​ <color blue>-p udp %%-%%-dport 135:​139</​color>​ <color grey>#​%%----------------%% Block outgoing NetBIOS (Windows Share) </​color>''​ | | ''​**iptables** <color LightSeaGreen>​-t filter</​color>​ <color magenta>​-A</​color>​ <color green>​FORWARD</​color>''​|''<​color red>-j REJECT</​color>​ <color blue>-p udp %%-%%-dport 135:​139</​color>​ <color grey>#​%%----------------%% Block outgoing NetBIOS (Windows Share) </​color>''​ |
 | ''​**iptables** <color LightSeaGreen>​-t filter</​color>​ <color magenta>​-A</​color>​ <color green>​FORWARD</​color>''​|''<​color blue>-p tcp %%-%%-dport 22 -m physdev %%-%%-physdev-in wlan0 %%-%%-physdev-out eth0.3 </​color>​ <color red>-j LOG %%-%%-log-prefix "22 on wlan"</​color>​ <color grey>#​%%----%% log wlan-clients attempts on ssh</​color>''​ | | ''​**iptables** <color LightSeaGreen>​-t filter</​color>​ <color magenta>​-A</​color>​ <color green>​FORWARD</​color>''​|''<​color blue>-p tcp %%-%%-dport 22 -m physdev %%-%%-physdev-in wlan0 %%-%%-physdev-out eth0.3 </​color>​ <color red>-j LOG %%-%%-log-prefix "22 on wlan"</​color>​ <color grey>#​%%----%% log wlan-clients attempts on ssh</​color>''​ |
-| ''​**iptables** <color LightSeaGreen>​-t nat</​color>​ <color magenta>​-A</​color>​ <color green>​PREROUTING</​color>''​|''<​color blue>-i $LAN -p tcp %%-%%-dport 53</​color>​ <color red>​-j ​DNAT %%-%%-to-destination 127.0.0.1:53</​color>​ <color grey>#-%%-%%redirect DNS queries to self on TCP </​color>''​ | +| ''​**iptables** <color LightSeaGreen>​-t nat</​color>​ <color magenta>​-A</​color>​ <color green>​PREROUTING</​color>''​|''<​color blue>-i $LAN -p tcp %%-%%-dport 53</​color>​ <color red>​-j ​REDIRECT ​%%--%%to-port 53</​color>​ <color grey>#%%----------------%% redirect DNS queries to self on TCP </​color>''​ | 
-| ''​**iptables** <color LightSeaGreen>​-t nat</​color>​ <color magenta>​-A</​color>​ <color green>​PREROUTING</​color>''​|''<​color blue>-i $LAN -p udp %%-%%-dport 53</​color>​ <color red>​-j ​DNAT %%-%%-to-destination 127.0.0.1:53</​color>​ <color grey>#-%%-%%redirect DNS queries to self on UDP</​color>''​ |+| ''​**iptables** <color LightSeaGreen>​-t nat</​color>​ <color magenta>​-A</​color>​ <color green>​PREROUTING</​color>''​|''<​color blue>-i $LAN -p udp %%-%%-dport 53</​color>​ <color red>​-j ​REDIRECT ​%%--%%to-port 53</​color>​ <color grey>#%%----------------%% redirect DNS queries to self on UDP</​color>''​ |
 | ''​**iptables** <color LightSeaGreen>​-t nat</​color>​ <color magenta>​-A</​color>​ <color green>​POSTROUTING</​color>''​|''<​color blue>-o eth0.2 ​ -d 169.254.1.0/​24</​color>​ <color red>-j SNAT %%-%%-to-source 169.254.1.1</​color>​ <color grey>#​%%------%% Source-NAT packets with specified destination to specified IP address</​color>''​ | | ''​**iptables** <color LightSeaGreen>​-t nat</​color>​ <color magenta>​-A</​color>​ <color green>​POSTROUTING</​color>''​|''<​color blue>-o eth0.2 ​ -d 169.254.1.0/​24</​color>​ <color red>-j SNAT %%-%%-to-source 169.254.1.1</​color>​ <color grey>#​%%------%% Source-NAT packets with specified destination to specified IP address</​color>''​ |
 | ''​**iptables** <color LightSeaGreen>​-t nat</​color>​ <color magenta>​-A</​color>​ <color green>​POSTROUTING</​color>''​|''<​color blue>-o $IF_DSL</​color>​ <color red>-j MASQUERADE</​color>​ <color grey>#​%%------------%% Source-NAT all Packet leaving on Interface $IF_DSL to the IP address of the router on that Interface</​color>''​ | | ''​**iptables** <color LightSeaGreen>​-t nat</​color>​ <color magenta>​-A</​color>​ <color green>​POSTROUTING</​color>''​|''<​color blue>-o $IF_DSL</​color>​ <color red>-j MASQUERADE</​color>​ <color grey>#​%%------------%% Source-NAT all Packet leaving on Interface $IF_DSL to the IP address of the router on that Interface</​color>''​ |
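Review bot: replacing DNAT --to-destination 127.0.0.1:53 with REDIRECT --to-port 53 is the right fix: a packet DNATed to a loopback address in PREROUTING is dropped as a martian on kernels before 3.6 and, from 3.6 on, only gets through when net.ipv4.conf.<iface>.route_localnet=1 is set, whereas REDIRECT rewrites the destination to the primary address of the interface the packet arrived on and needs no such sysctl. Two things worth adding for readers: the local resolver (dnsmasq on OpenWrt) has to listen on $LAN, otherwise the redirected queries are answered by nothing and LAN DNS breaks rather than being forced through the router; and the two edited rows now escape the long option as %%--%%to-port while every other row uses %%-%%-dport, which renders the same but leaves the table with two conventions.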
Line 40: Line 42:
 | ''​**iptables** <color LightSeaGreen>​-t mangle</​color>​ <color magenta>​-A</​color>​ <color green>​PREROUTING</​color>''​|''<​color blue>-i $IF_DSL -d 192.168.0.0/​16</​color>​ <color red>-j TEE %%-%%-gateway 192.168.1.254</​color>​ <color grey>#​%%-------%% forward a copy to gateway-IP</​color>''​ | | ''​**iptables** <color LightSeaGreen>​-t mangle</​color>​ <color magenta>​-A</​color>​ <color green>​PREROUTING</​color>''​|''<​color blue>-i $IF_DSL -d 192.168.0.0/​16</​color>​ <color red>-j TEE %%-%%-gateway 192.168.1.254</​color>​ <color grey>#​%%-------%% forward a copy to gateway-IP</​color>''​ |
 | ''​**iptables** <color LightSeaGreen>​-t mangle</​color>​ <color magenta>​-A</​color>​ <color green>​PREROUTING</​color>''​|''<​color blue>-m connbytes %%-%%-connbytes 504857: %%-%%-connbytes-dir both %%-%%-connbytes-mode bytes</​color>​ <color red>-j CLASSIFY %%-%%-set-class 1:​303</​color>​ <color grey>#​%%----%% count the Bytes of one connection</​color>''​ | | ''​**iptables** <color LightSeaGreen>​-t mangle</​color>​ <color magenta>​-A</​color>​ <color green>​PREROUTING</​color>''​|''<​color blue>-m connbytes %%-%%-connbytes 504857: %%-%%-connbytes-dir both %%-%%-connbytes-mode bytes</​color>​ <color red>-j CLASSIFY %%-%%-set-class 1:​303</​color>​ <color grey>#​%%----%% count the Bytes of one connection</​color>''​ |
-| ''​**iptables** <color LightSeaGreen>​-t raw</​color>​ <color magenta>​-A</​color>​ <color green>​INPUT</​color>''​|''<​color blue>! -i $IF_DSL </​color>​ <color red>​-j ​NOTRACK</​color>​ <color grey>#​%%--------------%% don't track anything NOT incoming on interface in variable $IF_DSL</​color>''​ | +| ''​**iptables** <color LightSeaGreen>​-t raw</​color>​ <color magenta>​-A</​color>​ <color green>​INPUT</​color>''​|''<​color blue>! -i $IF_DSL </​color>​ <color red>​-j ​CT %%--%%notrack</​color>​ <color grey>#​%%--------------%% don't track anything NOT incoming on interface in variable $IF_DSL</​color>''​ | 
-| ''​**iptables** <color LightSeaGreen>​-t raw</​color>​ <color magenta>​-A</​color>​ <color green>​INPUT</​color>''​|''<​color blue>-i $IF_LAN -s $NET_LAN -p tcp %%-%%-dport 32777:​32780</​color>​ <color red>​-j ​NOTRACK</​color>​ <color grey>#​%%------%% don't track NFS</​color>''​ |+| ''​**iptables** <color LightSeaGreen>​-t raw</​color>​ <color magenta>​-A</​color>​ <color green>​INPUT</​color>''​|''<​color blue>-i $IF_LAN -s $NET_LAN -p tcp %%--%%dport 32777:​32780</​color>​ <color red>​-j ​CT %%--%%notrack</​color>​ <color grey>#​%%------%% don't track NFS</​color>''​ |
  
 <color LightSeaGreen>​Table:​ -t filter -t nat -t mangle -t raw</​color>​ <color LightSeaGreen>​Table:​ -t filter -t nat -t mangle -t raw</​color>​
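Review bot: both rows in this hunk append to an INPUT chain of the raw table, but the raw table only has the built-in chains PREROUTING and OUTPUT, so `iptables -t raw -A INPUT ...` fails with "No chain/target/match by that name"; the rows should read `-t raw -A PREROUTING`. The change from -j NOTRACK to -j CT --notrack is correct (NOTRACK is deprecated in favour of the CT target). One caveat belongs beside it: packets excluded from tracking never match the NEW, ESTABLISHED or RELATED states, only UNTRACKED, so a later `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` will not admit the untracked NFS traffic and explicit ACCEPT rules for those ports are needed in the filter table.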
Line 49: Line 51:
 <color green>''​Builtin Chains''​ and ''​user defined chains'':​ INPUT OUTPUT FORWARD PREROUTING POSTROUTING user_defined_CHAIN_1</​color>​ <color green>''​Builtin Chains''​ and ''​user defined chains'':​ INPUT OUTPUT FORWARD PREROUTING POSTROUTING user_defined_CHAIN_1</​color>​
  
-<color red>​TARGET:​ ACCEPT DROP QUEUE RETURN BALANCE CLASSIFY CLUSTERIP CONNMARK CONNSECMARK CONNTRACK DNAT DSCP ECN IPMARK IPV4OPSSTRIP LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE ​NOTRACK ​REDIRECT REJECT ROUTE SAME SECMARK SET SNAT TARPIT TCPMSS TOS TRACE TTL ULOG XOR</​color>​+<color red>​TARGET:​ ACCEPT DROP QUEUE RETURN BALANCE CLASSIFY CLUSTERIP CONNMARK CONNSECMARK CONNTRACK DNAT DSCP ECN IPMARK IPV4OPSSTRIP LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE ​CT REDIRECT REJECT ROUTE SAME SECMARK SET SNAT TARPIT TCPMSS TOS TRACE TTL ULOG XOR</​color>​
  
 Dependent on the kind of TARGET you need further parameters: <color red>-j MARK %%-%%-set-mark 102\\ Dependent on the kind of TARGET you need further parameters: <color red>-j MARK %%-%%-set-mark 102\\
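Review bot: the TARGET list swaps NOTRACK for CT to match the rules above, but CT is also the target for the other conntrack options (--helper, --zone, --timeout, --ctevents), so a reader cannot tell from the list that it is CT --notrack that replaces NOTRACK; either keep NOTRACK in the list marked as a deprecated alias or spell out "CT --notrack". The list also mixes mainline targets with ones that live only in xtables-addons or were removed from the kernel long ago (MIRROR and SAME, for instance); marking those would spare readers a hunt for modules that no OpenWrt package provides.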
Line 77: Line 79:
 ===== Examples ===== ===== Examples =====
 You find some example shell scripts below: You find some example shell scripts below:
- 
   * [[doc:​howto:​netfilter:​netfilter.iptables.example1]] very simple script for setting up NAT (IPv4 only, IPv6 has no NAT)   * [[doc:​howto:​netfilter:​netfilter.iptables.example1]] very simple script for setting up NAT (IPv4 only, IPv6 has no NAT)
   * [[doc:​howto:​netfilter:​netfilter.iptables.example2]] simple script with filters (such an implementation is usually called a //​firewall//​)   * [[doc:​howto:​netfilter:​netfilter.iptables.example2]] simple script with filters (such an implementation is usually called a //​firewall//​)
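Review bot: the context line "IPv4 only, IPv6 has no NAT" is no longer accurate, since the kernel gained an IPv6 nat table (ip6tables -t nat) in 3.7; if example1 is meant to stay IPv4-only, phrase that as the script's scope ("IPv4 only") rather than as a statement about IPv6.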
Line 115: Line 116:
  
   * http://​ebtables.sourceforge.net/​br_fw_ia/​br_fw_ia.html   * http://​ebtables.sourceforge.net/​br_fw_ia/​br_fw_ia.html
- 
  
 === arptables === === arptables ===
Line 127: Line 127:
 | iptables-mod-ipset ​  ​| ​ 1.4.10-4 ​     |   5787 | IPset iptables extensions ​ | | iptables-mod-ipset ​  ​| ​ 1.4.10-4 ​     |   5787 | IPset iptables extensions ​ |
 | kmod-ipt-ipset ​      ​| ​ 3.3.8+6.11-2 ​ |  82830 | IPset netfilter modules ​ | | kmod-ipt-ipset ​      ​| ​ 3.3.8+6.11-2 ​ |  82830 | IPset netfilter modules ​ |
 +
 +===== nftables =====
 +[[wp>​nftables]] is the successor of netfilter. Its user space utility **''​nft''​** replaces the entire ''​{ip,​eb,​arp,​ip6}tables''​ user space tool set. It still uses the netfilter architecture for complex extensions and is part of the netfilter project.
 +The command-line user space utility is called **''​nft''​** and there is an API and library interface to it (''​libnftables''​). There is also an iptables to nft handle userspace conversion tool which will ease migration.
 +nftables is a major departure in that there is no need for deep protocol awareness in the kernel modules as everything filter related is handled by a basic virtual machine.
 +  * [[http://​netfilter.org/​projects/​nftables/​|nftables homepage]] + [[http://​article.gmane.org/​gmane.comp.security.firewalls.netfilter.devel/​44685|Announcement]]
 +  * [[https://​home.regit.org/​netfilter-en/​nftables-quick-howto/​|Nftables quick howto]]
 +    * The user space utility is called **''​nft''​**,​ its input resembles slightly that of **''​[[/​doc/​howto/​packet.scheduler/​packet.scheduler|tc]]''​**
 +  * https://​dev.openwrt.org/​ticket/​14415
 +
 +The OpenWrt developers are aware of the nftables developments,​ and will migrate as soon as OpenWrt adopts a 3.13 kernel. Linux kernel version 3.13 was released 2014-01-20, [[http://​lkml.indiana.edu/​hypermail/​linux/​kernel/​1311.0/​00914.html|Linux 3.12 released .. and no merge window yet .. and 4.0 plans?]].
 +
 +  * Anybody who wants to help in development,​ shall feel free to send patches:
 +    * for the OpenWrt operating system, see https://​dev.openwrt.org/​wiki/​SubmittingPatches
 +    * for the [[:​doc:​uci|UCI]] wrapper C-language firewall, see http://​nbd.name/​gitweb.cgi?​p=firewall3.git;​a=summary
 +  * The proper place for technical discussion on nftables migration is the the OpenWrt development mailing list: https://​lists.openwrt.org/​cgi-bin/​mailman/​listinfo/​openwrt-devel
 +  * The proper place for general discussions/​ideas is the OpenWrt Forum: https://​forum.openwrt.org/​
 +  * The proper place for documentation is either **this wiki page** or **[[doc/​howto/​nftables]]**.
 +    * The proper place for documentation of the C-language wrapper firewall is [[doc:​uci:​firewall]].
 +
  
 ==== Modules for match/​TARGET ==== ==== Modules for match/​TARGET ====
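Review bot: the opening sentence of the new section says nftables "is the successor of netfilter", which the same paragraph contradicts two sentences later ("still uses the netfilter architecture" and "is part of the netfilter project"); nftables replaces the iptables/xtables front end and rule engine, not netfilter, so write "successor of iptables". Further fixes in this hunk: "the the OpenWrt development mailing list" has a doubled word; the sentence giving the 3.13 release date links a post titled "Linux 3.12 released .. and no merge window yet", which does not support the date attached to it; and "iptables to nft handle userspace conversion tool" reads oddly, presumably "iptables-to-nft conversion tool".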
Line 144: Line 164:
 | iptables-mod-hashlimit ​       |   ​| ​  5554 | iptables extensions for hashlimit matching Includes: - libipt_hashlimit ​ | | iptables-mod-hashlimit ​       |   ​| ​  5554 | iptables extensions for hashlimit matching Includes: - libipt_hashlimit ​ |
 | iptables-mod-imq ​             |   ​| ​  2220 | iptables extension for IMQ support. Includes: - libipt_IMQ, use it's successor => ''​[[http://​www.linuxfoundation.org/​collaborate/​workgroups/​networking/​ifb|kmod-ifb]]''​ | | iptables-mod-imq ​             |   ​| ​  2220 | iptables extension for IMQ support. Includes: - libipt_IMQ, use it's successor => ''​[[http://​www.linuxfoundation.org/​collaborate/​workgroups/​networking/​ifb|kmod-ifb]]''​ |
-| iptables-mod-ipopt ​           |   ​| ​ 22438 | iptables extensions for matching/​changing IP packet options. Includes: - libipt_CLASSIFY - libipt_dscp/​DSCP - libipt_ecn/​ECN - libipt_length - libipt_mac - libipt_mark/​MARK - libipt_statistic - libipt_tcpmms ​- libipt_tos/​TOS - libipt_ttl/​TTL - libipt_unclean ​ |+| iptables-mod-ipopt ​           |   ​| ​ 22438 | iptables extensions for matching/​changing IP packet options. Includes: - libipt_CLASSIFY - libipt_dscp/​DSCP - libipt_ecn/​ECN - libipt_length - libipt_mac - libipt_mark/​MARK - libipt_statistic - libipt_tcpmss ​- libipt_tos/​TOS - libipt_ttl/​TTL - libipt_unclean ​ |
 | iptables-mod-ipp2p ​           |   ​| ​  3315 | IPP2P iptables extension ​ | | iptables-mod-ipp2p ​           |   ​| ​  3315 | IPP2P iptables extension ​ |
 | iptables-mod-iprange ​         |   ​| ​  3627 | iptables extensions for matching ip ranges. Includes: - libipt_iprange ​ | | iptables-mod-iprange ​         |   ​| ​  3627 | iptables extensions for matching ip ranges. Includes: - libipt_iprange ​ |
Line 198: Line 218:
   * [[http://​www.linuxhomenetworking.com/​wiki/​index.php/​Quick_HOWTO_:​_Ch14_:​_Linux_Firewalls_Using_iptables#​Figure_14-1_Iptables_Packet_Flow_Diagram|LHN Fig.14]]   * [[http://​www.linuxhomenetworking.com/​wiki/​index.php/​Quick_HOWTO_:​_Ch14_:​_Linux_Firewalls_Using_iptables#​Figure_14-1_Iptables_Packet_Flow_Diagram|LHN Fig.14]]
   * [[http://​www.rigacci.org/​wiki/​lib/​exe/​fetch.php/​doc/​appunti/​linux/​sa/​iptables/​conntrack.html|on conntrack]]   * [[http://​www.rigacci.org/​wiki/​lib/​exe/​fetch.php/​doc/​appunti/​linux/​sa/​iptables/​conntrack.html|on conntrack]]
 +  * [[http://​ipset.netfilter.org/​iptables-extensions.man.html|List of available extensions to netfilter/​iptables]]
doc/howto/netfilter.1373538379.txt.bz2 · Last modified: 2013/07/11 12:26 by lorema