IPTables, Chains & Rules
|The focus of the discussion is on the IPTables concepts of tables, chains and rules and how they can be applied to make a computer running Linux into a firewall. This article does not discuss the IPTables hieroglyphics (the command syntax) needed to construct a firewall. The article overlays an IPTables flow diagram on a physical network and uses the drawing as a frame of reference to introduce IPTables concepts in a non-technical way. In management terms, this presentation is dummied down.|
To introduce the reader to the fascinating and sometimes complex world of Netfilter and IPTables, we need a focal point. As a network person, I find comfort in the physical world of computer networks rather than the virtual world of programming. The anchor for this discussion will be a multi-homed PII 233 MHz MMX with 130 MB RAM on a GA-586TX2 Gigabyte motherboard, with two D-Link 538TX Fast Ethernet adapters.
Sorry about that. I do remember saying something about dummying down the information. Let's try that line again. As an anchor for this discussion we will be using a personal computer with two network interface cards (NICs). One NIC is connected to a hub (not shown) for access to the home network, and the other NIC is connected to an ADSL modem for access to the Internet. Figure 1 shows the setup.
Here is a short introduction to IPTables, paraphrased from the supporting website www.netfilter.org. Netfilter and IPTables form the framework inside the 2.4.x kernel that enables packet filtering, network address translation (NAT) and other packet mangling.
Hmmm... Let me expand a little on some of the information contained in the above statement.
- Packets are the protocol data units (PDUs) found at the network layer of the OSI model. The term leads to some confusion when it is used to describe PDUs that travel on the media (wire), the physical layer. PDUs that travel on the wire are called frames; packets are carried inside frames. A simple explanation can be found at
By knowing the construction of a packet it is possible to examine its contents and use rules to make selections based on packet content.
- Network address translation (NAT) is a standard that enables a network to use one set of IP addresses for moving data packets on the local area network and a second set of IP addresses for external traffic on the Internet. The firewall in Figure 1 acts as the address translation device between addresses on the home side of the network and addresses on the Internet side. NAT enables the user to shield addresses on the internal network from addresses on the Internet.
- Mangling enables a kernel to modify contents of specific packet header fields.
- Netfilter is a set of hooks inside the kernel's network stack that allows kernel modules to register callback functions that are called every time a packet passes a hook. IPTables is a table structure for defining rule sets; it uses the kernel hooks to test packets before they can pass to a specific network.
To understand IPTables one needs an IPTables lexicon. IPTables has three building blocks, shown in Figure 2: tables, chains and rules. A rule is an operation to be performed on a packet. A chain is a collection of rules. A table is a collection of chains. The Ukrainian community has a traditional toy called a bubba doll: one wooden doll is encapsulated in another wooden doll, which sits inside yet another wooden doll. This analogy can be used to picture the IPTables format.
IPTables has three tables: filter, nat and mangle. Inside these three tables are eight main system chains. The filter table has the chains input, forward and output. The nat table has the chains prerouting and postrouting. The mangle table includes the chains prerouting, input and output. There is one more kind of chain outside the three main tables, called the user chain.
Figure 3 is a graphical representation of how a packet flows through IPTables, superimposed on the physical network discussed at the beginning of the article. The administrator of the firewall can apply all, some or none of the IPTables structures to each interface on the computer. IPTables functionality is what turns the computer into the desired firewall.
As a packet enters the firewall through interface eth0, the first chain it meets is the mangle table's prerouting chain (mangle/prerouting). If you recall, mangling enables the kernel to modify the contents of specific packet header fields. The rules in this chain support that operation.
From mangle/prerouting the packet enters nat/prerouting. Recall that nat is used to translate IP addresses from one network to another. The rules in this chain modify the destination IP address or destination port.
Route is not a table, chain or rule, which is why it was omitted from the previous discussion. The route step checks the destination IP address of each packet and sends it to filter/input if the address matches the firewall host, or to filter/forward for all others.
Filter/input examines all packets that are going into the firewall host. It contains rules that determine whether a packet is accepted or blocked. In simple terms, it is a packet filter.
Some process on the firewall may be using the interfaces to communicate with devices or services on other networks. For example, the computer acting as the firewall may also run the network time protocol service. This service doesn't need user input to operate, but it does need a communication path to a common time source.
Mangle/output performs a function similar to mangle/prerouting. At this point only packets generated by the firewall itself pass through mangle/output.
Filter/output handles packets that are outbound from the firewall host. It contains rules that determine whether a packet is accepted or blocked. In simple terms, it is a packet filter.
Backing up the path, filter/forward examines the packets that are forwarded from the ext network to the lan network. Its main function is to look at a packet's characteristics and determine whether it should be blocked or accepted.
Nat/postrouting is the final point in the path for packets. Nat/postrouting contains rules that modify the source IP address or source port of packets that pass through it.
To assist the reader, let's take this list of tables and simplify it.
|List of tables|
|Table/chain|Common name or usage|
|Mangle/prerouting|Rarely used|
|Nat/prerouting|Called Prerouting|
|Filter/forward|Called Forward|
|Nat/postrouting|Called Postrouting|
|Filter/input|Called Input|
|Mangle/input|Rarely used|
|Mangle/output|Rarely used|
|Filter/output|Called Output|
One chain not shown in the drawing is the user chain. User chains can be associated with any of the tables. Packets are moved to a user chain by first passing a system chain that carries out a "j" action on the packet, sending it to the user chain. I tend to call the "j" action a jump, because you jump to a user chain after passing the rule.
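As an added example (not code from the article), here is a small Python model of the Figure 3 packet path and of the user-chain jump just described: tables hold chains, chains hold rules, the routing decision picks input or forward, and a rule whose target is a user chain jumps into it and comes back when that chain reaches its end without deciding. The interface names, addresses and rule set are constructed for the illustration and stand in for the eth0 (Internet) and eth1 (home hub) interfaces of Figure 1.

```python
# Constructed addresses: eth0 faces the ADSL modem, eth1 faces the home hub.
FIREWALL_ADDRS = {"192.0.2.1", "192.168.1.1"}
# A rule is (match_function, target, argument), a chain is a list of rules and a
# table is a dict of chains: the nesting dolls. Target is ACCEPT, DROP, DNAT, SNAT
# or the name of a user chain (a "jump").
tables = {"mangle": {}, "nat": {}, "filter": {}}
policies = {}   # (table, chain) -> verdict applied when no rule in the chain decides
def run_chain(table, chain, pkt):
    """Walk one chain's rules in order; None means the chain fell through."""
    for match, target, arg in tables[table].get(chain, []):
        if not match(pkt): continue
        if target in ("DNAT", "SNAT"):              # nat targets rewrite and terminate
            pkt["dst" if target == "DNAT" else "src"] = arg
            return "ACCEPT"
        if target in ("ACCEPT", "DROP"):
            return target
        verdict = run_chain(table, target, pkt)     # jump into a user chain
        if verdict is not None:
            return verdict                          # the user chain decided
    return policies.get((table, chain))             # None for a user chain: back to caller

def inbound(pkt):
    """Figure 3 path for a packet arriving on an interface (dict: in, src, dst, dport)."""
    for table, chain in (("mangle", "PREROUTING"), ("nat", "PREROUTING")):
        if run_chain(table, chain, pkt) == "DROP":
            return "DROP"
    chain = "INPUT" if pkt["dst"] in FIREWALL_ADDRS else "FORWARD"   # routing decision
    if run_chain("filter", chain, pkt) == "DROP":
        return "DROP"
    if chain == "FORWARD":                          # only forwarded packets reach postrouting
        run_chain("nat", "POSTROUTING", pkt)
    return chain + ":ACCEPT"

def outbound(pkt):
    """Path for a packet generated by a process on the firewall host itself (e.g. NTP)."""
    for table, chain in (("mangle", "OUTPUT"), ("filter", "OUTPUT")):
        if run_chain(table, chain, pkt) == "DROP":
            return "DROP"
    run_chain("nat", "POSTROUTING", pkt)
    return "OUTPUT:ACCEPT"

# Constructed rule set: pass only web traffic from the Internet to one LAN host,
# accept LAN-originated traffic, and hide the home LAN behind the eth0 address.
policies[("filter", "INPUT")] = policies[("filter", "FORWARD")] = "DROP"
tables["nat"]["PREROUTING"] = [(lambda p: p["in"] == "eth0" and p["dport"] in (80, 8080), "DNAT", "192.168.1.10")]
tables["filter"]["FORWARD"] = [(lambda p: p["in"] == "eth0", "FROM_INET", ""),   # jump to user chain
                               (lambda p: p["in"] == "eth1", "ACCEPT", "")]
tables["filter"]["FROM_INET"] = [(lambda p: p["dport"] == 80, "ACCEPT", "")]    # 8080 falls through
tables["filter"]["INPUT"] = [(lambda p: p["in"] == "eth1", "ACCEPT", "")]
tables["nat"]["POSTROUTING"] = [(lambda p: p["src"].startswith("192.168.1."), "SNAT", "192.0.2.1")]
```

A packet to port 8080 is rewritten by nat/prerouting, jumps into FROM_INET, falls off its end, returns to filter/forward and is dropped by that chain's policy, which is the jump-and-return behaviour of a user chain.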
Praxis has been my yellow brick road to uncovering the mysteries of IPTables. Like Dorothy in the Wizard of Oz, I had the assistance of three resources on my journey: Red Hat Linux Firewalls by Bill McCarty, Linux Firewalls by Robert L. Ziegler, and a cull of articles from the Internet. My next trip to the computer bookstore will afford me the chance to examine Ziegler's second release of Linux Firewalls. His first book focused on IPChains, one of the predecessors of IPTables. From the reviews I understand his second book is the IPTables guide.
As a patch of grey weed, indicative of forty-plus years, entrenches itself in the center of my head, undaunted by applications of hair-colouring herbicide, I reflect on how the last five years have afforded me sufficient knowledge to pen this interpretation of IPTables, "complete with drawings" as my associates would say. The knowledge gained so far is a much-needed foundation that can be used to examine the command hieroglyphics and create a firewall using IPTables.
The author of the article is a former college instructor turned Network System Specialist for a regional telecommunications company in Canada. Along with system administrators, he is responsible for the care and feeding of operational support systems inside the telecommunication cloud. He still dabbles in network theory lectures. His formal electronic engineering technology training, coupled with an education background, provides valuable tools for achieving his goal: making learning about computers and networks easier.
Sean D. Conway CET