When a packet passes through the Linux IPTABLES firewall, it traverses several built-in tables and chains. Together, these tables and chains decide the fate of the packet. This article does not explain what happens to a packet (that depends on your rules); it explains the path a packet takes once it enters IPTABLES. In short, the packet workflow is described.
There are several articles that explain this workflow very well. This article only describes a simple pattern that is easy to apply whenever you are dealing with IPTABLES.
At this point a diagram worth mentioning is https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
IPTABLES defines the following TABLES (in this order):
1) raw
2) mangle
3) nat
4) filter
Each table has the following built-in CHAINS defined in it:
1) raw => PREROUTING, OUTPUT
2) mangle => PREROUTING, OUTPUT, INPUT, FORWARD, POSTROUTING
3) nat => PREROUTING, OUTPUT, POSTROUTING
4) filter => INPUT, FORWARD, OUTPUT
There are three possible scenarios:
a) If a packet comes from outside and is destined for localhost, it goes through the following chains: 1) PREROUTING 2) INPUT
b) If a packet originates from localhost and is destined to go out, it goes through the following chains: 1) OUTPUT 2) POSTROUTING
c) If a packet comes from outside and is destined for some other machine (i.e. it is forwarded), it goes through the following chains: 1) PREROUTING 2) FORWARD 3) POSTROUTING
Note: the CHAINS and TABLES listed above are written in the order they are traversed.
Now, what is the pattern I am talking about?
Take the first scenario (packet coming from outside and destined for localhost):
The kernel goes through each TABLE in order (as listed above) and, if the PREROUTING chain exists in that TABLE, applies it to the packet. The kernel then performs the same scan of each table while applying the INPUT chain to the packet. In general: for each chain in [PREROUTING, INPUT] (in order, left to right), the kernel looks for that chain in each table in [raw, mangle, nat, filter] (in order, left to right); if the chain is found in the table, it is applied to the packet, otherwise nothing happens. For this scenario, that means the kernel:
1) first scans the raw TABLE, finds the PREROUTING chain there and applies it to the packet;
2) then scans the mangle TABLE, finds the PREROUTING chain there and applies it to the packet;
3) then scans the nat TABLE, finds the PREROUTING chain there and applies it to the packet;
4) then scans the filter TABLE, does not find a PREROUTING chain there and does nothing to the packet.
The same steps (1 - 4) are then repeated for the INPUT chain:
5) the kernel scans the raw TABLE, does not find an INPUT chain, so nothing happens here;
6) then scans the mangle TABLE, finds the INPUT chain there and applies it to the packet;
7) then scans the nat TABLE, does not find an INPUT chain, so nothing happens here;
8) then scans the filter TABLE, finds the INPUT chain there and applies it to the packet.
For the second scenario (packet originating from localhost and destined to go out):
For each chain in [OUTPUT, POSTROUTING] (in order, left to right), the kernel looks for that chain in each table in [raw, mangle, nat, filter] (in order, left to right); if the chain is found in the table, it is applied to the packet, otherwise nothing happens.
For the third scenario (packet coming from outside and destined for some other machine):
For each chain in [PREROUTING, FORWARD, POSTROUTING] (in order, left to right), the kernel looks for that chain in each table in [raw, mangle, nat, filter] (in order, left to right); if the chain is found in the table, it is applied to the packet, otherwise nothing happens.
The pattern above can be corroborated with the diagram linked earlier; you only need to look at the network layer in that diagram.
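The three scenarios above are all instances of one loop: chains in scenario order, tables in fixed order, apply the chain wherever the table defines it. The following Python script is an added example written for this article (it is not part of the original post and does not touch the real kernel): it encodes the tables and built-in chains exactly as listed above and computes the ordered list of (table, chain) hook points a packet visits in each scenario. It only models traversal order, not rule evaluation, so a terminating target such as DROP or ACCEPT that would end the walk early is deliberately not modelled. The helper hook_position() answers the practical question a rule author usually has: "will a rule in this table/chain ever see traffic of this kind, and when?"

```python
# Added example (not from the original post): a model of the iptables
# traversal order described in the article. It computes which (table, chain)
# hook points a packet visits and in what order; it does not evaluate rules,
# so terminating targets (DROP, ACCEPT, REJECT) that end traversal early are
# intentionally ignored.

# Built-in tables in the order the kernel consults them (from the article).
TABLE_ORDER = ["raw", "mangle", "nat", "filter"]

# Built-in chains each table defines (exactly as listed in the article).
TABLES = {
    "raw":    {"PREROUTING", "OUTPUT"},
    "mangle": {"PREROUTING", "OUTPUT", "INPUT", "FORWARD", "POSTROUTING"},
    "nat":    {"PREROUTING", "OUTPUT", "POSTROUTING"},
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
}

# The three scenarios from the article, with their chains in traversal order.
SCENARIOS = {
    "incoming-local": ["PREROUTING", "INPUT"],
    "outgoing-local": ["OUTPUT", "POSTROUTING"],
    "forwarded":      ["PREROUTING", "FORWARD", "POSTROUTING"],
}


def classify(src_is_local: bool, dst_is_local: bool) -> str:
    """Map a packet's origin/destination to one of the article's scenarios."""
    if dst_is_local and not src_is_local:
        return "incoming-local"
    if src_is_local and not dst_is_local:
        return "outgoing-local"
    if not src_is_local and not dst_is_local:
        return "forwarded"
    # Local-to-local (loopback) traffic is not one of the three cases the
    # article describes, so refuse rather than guess.
    raise ValueError("local-to-local traffic is not covered by the three scenarios")


def traversal(chains):
    """The pattern itself: for each chain (in order), for each table (in order),
    apply the chain if the table defines it, else skip."""
    visited = []
    for chain in chains:
        for table in TABLE_ORDER:
            if chain in TABLES[table]:
                visited.append((table, chain))
    return visited


def hooks_for(scenario: str):
    """Ordered (table, chain) hook points a packet visits in a scenario."""
    return traversal(SCENARIOS[scenario])


def hook_position(table: str, chain: str, scenario: str) -> int:
    """0-based position at which a rule in table/chain would be consulted for
    this scenario, or -1 if that hook point is never visited (e.g. a rule in
    filter FORWARD never sees packets destined for localhost)."""
    try:
        return hooks_for(scenario).index((table, chain))
    except ValueError:
        return -1


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name}:")
        for step, (table, chain) in enumerate(hooks_for(name), start=1):
            print(f"  {step}) {table:<6} {chain}")
    # A common mistake: expecting a filter FORWARD rule to affect local traffic.
    print("filter/FORWARD seen by incoming-local traffic?",
          hook_position("filter", "FORWARD", "incoming-local") != -1)
```

Running the script prints the same nine-step walk the article spells out for the first scenario (minus the "found nothing" steps, since those do nothing), and the corresponding walks for the other two. The -1 result from hook_position() is the check worth keeping: a rule placed in a chain that a given traffic class never traverses is silently dead, which is a frequent cause of "my firewall rule has no effect" reports.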