Month: March 2012

Working of Netfilter/Iptables system


Linux ships with the netfilter/iptables packet filtering system built into its kernel, and it is most often used as a firewall. Although it is referred to as a single framework, netfilter/iptables is made of two components: netfilter, the kernel-space component and core of the system, and iptables, the user-space tool that makes it easy to add, edit and delete rules in the tables built inside the kernel.

As discussed above, the user-space tool iptables is used to manage the rules held in the kernel-space component, netfilter. Each rule has a target, which tells the kernel what to do with packets arriving from certain sources or travelling to certain destinations. The targets are as follows:

  • ACCEPT: a packet matching a rule with the ACCEPT target is allowed through to its destination inside the firewalled network.
  • DROP: a packet matching a rule with the DROP target is silently blocked by the firewall.
  • REJECT: similar to DROP, except that rather than silently discarding the packet as DROP does, it sends an error message back to the packet's sender.

Iptables has four different tables:

Filter table: Filter is the default table and is used primarily for packet filtering. It consists of chains, each of which is an ordered sequence of rules. When a packet arrives, it is checked against the first rule in the chain; if it matches, the operation described by the rule's target is performed. If the rule does not match, the next rule in the chain is checked. If the packet matches no rule at all, the kernel falls back to the chain's policy. The filter table has three main chains:

  • INPUT chain: handles incoming packets. If a packet arrives from an external source and is addressed to the system on which the packet filtering firewall runs, the kernel first passes it to the INPUT chain of the kernel-space component, netfilter.
  • OUTPUT chain: handles outgoing packets. If a packet originates on the system itself and is addressed to another, outside system, the kernel passes it to the OUTPUT chain of the kernel-space component.
  • FORWARD chain: handles packets that come from one outside system and are destined for another outside system, which is the usual case when the machine is used as a gateway.
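The first-match traversal and policy fallback described above, as an added Python model (not the blog's own code, and not iptables itself): each chain is an ordered rule list plus a default policy, the chain is chosen from the packet's source and destination relative to the firewall host, and the rule set and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional
# Constructed model of the filter table described above: each chain is an
# ordered rule list plus a default policy; the first matching rule decides.
@dataclass
class Rule:
    target: str                         # ACCEPT, DROP or REJECT
    src: str = "0.0.0.0/0"              # source network the rule matches
    dst: str = "0.0.0.0/0"              # destination network the rule matches
    proto: Optional[str] = None         # tcp/udp/icmp, None matches any
    dport: Optional[int] = None         # destination port, None matches any

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

@dataclass
class Chain:
    policy: str                         # consulted only when no rule matches
    rules: list = field(default_factory=list)

    def evaluate(self, pkt: dict) -> str:
        for rule in self.rules:         # walk the chain from the first rule
            if rule.matches(pkt):
                return rule.target      # first match wins, later rules unseen
        return self.policy

def select_chain(pkt: dict, local_addrs: set) -> str:
    # Pick INPUT, OUTPUT or FORWARD relative to the firewall host's own addresses.
    if pkt["dst"] in local_addrs:
        return "INPUT"
    if pkt["src"] in local_addrs:
        return "OUTPUT"
    return "FORWARD"

def verdict(table: dict, pkt: dict, local_addrs: set) -> str:
    return table[select_chain(pkt, local_addrs)].evaluate(pkt)

# Constructed example rule set: SSH from the LAN is accepted, SSH from anywhere
# else is rejected with an error, all other inbound traffic hits the DROP policy.
FILTER = {
    "INPUT": Chain("DROP", [Rule("ACCEPT", src="192.168.1.0/24", proto="tcp", dport=22),
                            Rule("REJECT", proto="tcp", dport=22)]),
    "OUTPUT": Chain("ACCEPT"),
    "FORWARD": Chain("DROP"),
}
LOCAL = {"192.168.1.1", "203.0.113.5"}   # constructed: firewall's LAN and WAN addresses
```

Reversing the two INPUT rules makes the catch-all REJECT shadow the LAN ACCEPT, which is why rule order inside a chain matters.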

Nat table: NAT stands for Network Address Translation, a technique for reducing IP address wastage by reusing addresses. It is usually done by assigning one public IP address to a computer or a group of computers inside a private network. Like the filter table, the nat table has three built-in chains:

  • PREROUTING chain: the packet's address is translated here before routing.
  • OUTPUT chain: packets generated locally on the system are modified here.
  • POSTROUTING chain: the packet's address is translated here after the routing process.

Mangle table: the least commonly used table, reserved for special-purpose processing of packets. The mangle table is not used for any kind of packet filtering. It consists of the following chains:

  • PREROUTING chain
  • OUTPUT chain
  • FORWARD chain
  • INPUT chain

Raw table: untracked connections are handled by the raw table. It is also not a commonly used table. The raw table consists of the following chains:

  • PREROUTING chain
  • OUTPUT chain