netfilter Operation: Part One

Before covering some of the specific commands used to configure the Linux firewall, I will cover some basic Linux firewall vocabulary and the basics of netfilter operation. netfilter is the kernel framework that contains the firewall logic; iptables is the userspace program used to modify the rules that the firewall applies. These rules (also called ACLs) define which packets are permitted or denied and how denied packets are handled (for example, dropped silently or rejected with an error). The current iptables organizes rules into tables and chains. A chain is an ordered list of rules; a table is a block of processing in which one kind of action (filtering, address translation, packet alteration) is performed, and each table contains its own set of chains. There are four built-in tables that define netfilter operation: raw, mangle, nat and filter, each of which processes a different set of chains.

netfilter Operation: Tables and Chains

The following tables and chains are not listed in any particular order, as a given packet may traverse multiple tables and chains as it is processed. The built-in chain names are PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING; the three you will use most in day-to-day filtering are INPUT, OUTPUT and FORWARD. In addition to these, you can create your own user-defined chains and jump to them from the built-in chains to organize your rules.


  • Nat Table: This table performs Network Address Translation. netfilter consults it only for the first packet of a new connection; the translation decided there is then applied to the rest of the connection's packets automatically by connection tracking, so nat rules never see them.
    • PREROUTING: This chain is processed as soon as a packet is received and before any routing decision is made (destination NAT, e.g. port forwarding).
    • POSTROUTING: This chain is processed before a packet is sent out an interface but after the routing decision has been made (source NAT and masquerading).
    • OUTPUT: This chain is processed for packets generated locally.
    • INPUT: This chain exists in the nat table on kernels 2.6.34 and later and is processed for packets destined for the local system.
  • Filter Table: This is the default table, used when the iptables command does not specify an alternate table with the -t option. This is where the bulk of a firewall's processing is consumed, because the permit/deny decisions are made here.
    • INPUT: This chain is processed for packets destined for the local system.
    • FORWARD: This chain is processed for packets passing through the local system (routed traffic).
    • OUTPUT: This chain is processed for packets generated by the local system.
  • Mangle Table: This table is used for specialized packet alterations other than address translation (which belongs in the nat table). Examples are changing the TOS/DSCP or TTL fields in the IP header, or attaching a firewall mark to a packet so that later rules or policy routing can act on it.
    • PREROUTING: This chain is processed on incoming packets before a routing decision is made.
    • POSTROUTING: This chain is processed last before a packet is sent to an interface.
    • OUTPUT: This chain is processed before a routing decision is made for packets generated locally.
    • INPUT: This chain is processed for packets destined for the local system.
    • FORWARD: This chain is processed for packets passing through the local system.
  • Raw Table: This table is consulted before any other table and before connection tracking takes place. Its primary use is to mark packets that should be exempt from connection tracking (the NOTRACK / CT --notrack target), for example very high-volume traffic that would otherwise fill the conntrack table.
    • PREROUTING: This chain is processed as soon as a packet is received.
    • OUTPUT: This chain is processed for packets generated locally.


Now that we have reviewed all the various tables and chains, we can continue our look at netfilter operation by discussing the overall packet flow, which we will do in the next article.

External Links:

Netfilter Overview at www.shorewall.net

How the netfilter System Works at www.mad-hacking.net


© 2013 David Zientara. All rights reserved.