
How NetFilter Works

Pages: 4      File type: pdf      Size: 26.20 KB

Content extracted from the document:
How NetFilter Works

NetFilter, more commonly known by the name of its manipulation utility, iptables, works on the surface much like the ipchains firewall code of earlier Linux kernels. The first thing you need to understand about NetFilter is the concept of tables, chains, and rules. Tables are used to provide certain types of functionality, which are defined in more detail through this chapter. Chains define the path in which a packet can travel. The chains are made up of rules, which define what action should be taken on packets that match the rule. An easy way to think about it is that chains simply contain a list of the rules, and tables contain the different types of chains.

NetFilter has five built-in chains, which are grouped into the following three tables:

• Filter
• NAT
• Mangle

The filter table has three built-in chains that function in a similar fashion to the three primary chains of ipchains. The function of the chains in the filter table is to test the payload of the packets (as well as other characteristics) and to accept or reject the packets based on the results of that evaluation. The three built-in chains found in the filter table are as follows:

• INPUT
• FORWARD
• OUTPUT

The INPUT chain evaluates packets that are destined for the firewall itself. The OUTPUT chain evaluates packets that originate from the firewall. The FORWARD chain evaluates packets that are traversing the firewall from one network interface to another. One of the key differences between the chains in NetFilter and ipchains is that in ipchains all packets going from one network interface to another traverse all three of the main chains (INPUT, FORWARD, and OUTPUT). In NetFilter, however, they need only traverse the FORWARD chain, because that is the one chain involved in forwarding packets between interfaces. Figures 7-1 through 7-3 show the chain traversal.

Figure 7-1. NetFilter INPUT Chain Processing

In Figure 7-1, the packet from the source host 192.168.45.10 is directed to the firewall itself. To reach the firewall, the packet must traverse the rules that are in the INPUT chain of the filter table.

In Figure 7-2, the traffic from host 192.168.45.10 is directed to the server at 10.1.1.1. Typically, this also requires NAT to be present so that the server 10.1.1.1 has an external address assigned to it, but this is beyond the scope of the current discussion. To reach the system 10.1.1.1, the traffic must traverse the rules in the FORWARD chain of the filter table, because the traffic is going from one interface to another on the firewall.

Figure 7-2. NetFilter FORWARD Chain Processing

In the final example of Figure 7-3, a process on the firewall is communicating with the host 192.168.45.10. The traffic must traverse the rules in the OUTPUT chain of the filter table on the firewall before reaching its destination. Typically, unless the firewall is filtering traffic in both directions, the OUTPUT chain is empty and all traffic is allowed out from the firewall (which could be considered a security risk in certain environments).

Figure 7-3. NetFilter OUTPUT Chain Processing

One of the key features that NetFilter has over ipchains is that NetFilter is a stateful packet filter. Instead of requiring a specific inbound rule for every outbound connection, the NetFilter code can identify return traffic that is related to previously seen outbound traffic. This identification provides for a more efficient and secure firewall than is possible with ipchains.

The NAT table performs Network Address Translation (and Port Address Translation) functions on packets. This includes destination NAT (DNAT), source NAT (SNAT), and masquerading. This table consists of three built-in chains:

• PREROUTING
• POSTROUTING
• OUTPUT

The PREROUTING chain processes packets before the local routing table is consulted, and is used primarily for destination NAT. Destination NAT is where the destination address of the IP packets is modified as they traverse the NAT device. DNAT can be used to accomplish the following capabilities:

• Port forwarding
• Load balancing
• Transparent proxying

Port forwarding is where the firewall accepts packets for a destination host behind it and forwards the packets unchanged to the destination. Load balancing is where the firewall accepts packets destined for an externally visible IP address but distributes the connections across multiple servers behind it to ensure that no one server gets overloaded. Load balancing proves particularly useful in a web farm situation where multiple web servers serve identical content; to ensure consistent performance or high availability, the firewall directs connections to the various servers based on their current connection load. Although this is not the only way that you can accomplish load balancing, it is one of the more popular ways. Finally, transparent proxying is similar to port forwarding, but instead of allowing the connection from the client to the server to go unaltered, the firewall intercepts the connection. Although the client believes that it is communicating with the destination server, it is actually communicating with a firewall that is inspecting and potentially altering the packets before redirecting them to the destination system. Although the NetFilter code does not perform the proxying itself, this capability is possible using the Squid proxying software package.

Because the DNAT occurs in the PREROUTING chain of the NAT table, the INPUT and FORWARD chains in the filter table see the real address of the destination system.

The POSTROUTING chain processes packets after the routing decisi ...
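As an added example that is not from the book, the following script emits one iptables-restore ruleset that ties together the filter-table chains from Figures 7-1 through 7-3 and the NAT-table PREROUTING and POSTROUTING chains described above. The topology is constructed for the example: eth0 faces the outside with the documentation address 203.0.113.1, eth1 faces the internal 10.1.1.0/24 network, and 10.1.1.1 is the server from Figure 7-2; the interface names, the addresses and the helper functions (build_ruleset, rule_count, default_policy, apply_ruleset) are assumptions of this example, not part of the chapter. The filter table uses conntrack state matches, which is the stateful behaviour the chapter contrasts with ipchains (one ESTABLISHED,RELATED rule instead of a hand-written inbound rule per outbound connection), and the port-forwarding DNAT sits in nat PREROUTING, so the filter FORWARD rule can match on the real server address.

```shell
#!/bin/sh
# Added example, not code from the book: an iptables-restore ruleset for the
# constructed topology below, plus helpers to inspect it without touching a kernel.
#   eth0      = external interface, address 203.0.113.1 (assumed, documentation range)
#   eth1      = internal interface, network 10.1.1.0/24 (assumed)
#   10.1.1.1  = web server behind the firewall (the host from Figure 7-2)
EXT_IF=eth0
INT_IF=eth1
EXT_ADDR=203.0.113.1
LAN_NET=10.1.1.0/24
WEB_SERVER=10.1.1.1

# Emit the ruleset in the format iptables-save writes and iptables-restore reads.
# Lines starting with '#' are ignored by iptables-restore.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: packets addressed to the firewall itself (Figure 7-1)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $INT_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# FORWARD: packets crossing from one interface to another (Figure 7-2).
# The stateful rule replaces the per-connection inbound rules ipchains needed.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# DNAT already ran in nat PREROUTING, so this chain sees the real server address.
-A FORWARD -i $EXT_IF -o $INT_IF -d $WEB_SERVER -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# OUTPUT (Figure 7-3): left at ACCEPT with no rules, as the chapter says is typical;
# add rules here if traffic originated by the firewall itself must be restricted.
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Port forwarding: rewrite the destination before the routing decision is made.
-A PREROUTING -i $EXT_IF -d $EXT_ADDR -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80
# Source NAT for the internal network, applied after the routing decision.
-A POSTROUTING -o $EXT_IF -s $LAN_NET -j SNAT --to-source $EXT_ADDR
COMMIT
EOF
}

# Number of rules appended to a chain (counted across both tables).
rule_count() {
    build_ruleset | grep -c "^-A $1 "
}

# Default policy declared for a chain (first table that declares it).
default_policy() {
    build_ruleset | sed -n "s/^:$1 \([A-Z]*\) .*/\1/p" | head -n 1
}

# Load the ruleset atomically. Needs root and iptables-restore; the --test pass
# parses everything first so a typo does not leave the firewall half-configured.
apply_ruleset() {
    build_ruleset | iptables-restore --test && build_ruleset | iptables-restore
}

# Run with --print to review the ruleset, e.g.:
#   sh netfilter_example.sh --print > rules.v4 && sudo iptables-restore < rules.v4
if [ "${1:-}" = "--print" ]; then
    build_ruleset
fi
```

Because both tables are loaded in a single iptables-restore call, the DNAT rule and the FORWARD rule that depends on it become active together; loading them with separate iptables commands would open a window in which one exists without the other.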
