More on Modules
This article continues the Netfilter series by looking at the various Netfilter modules and writing a few basic filter rules.
Previously, we looked at Netfilter and the built-ins within it, both chains and targets. Remember, there are only four built-in targets, ACCEPT, DROP, QUEUE, and RETURN. Everything else that we want to do with Netfilter, target-wise, has to be created first. Recall that a target is the action to be taken for any packet matching the rule. This target can tell Netfilter to traverse a user-created chain or perform any other action, as long as iptables knows what that action is. For iptables to understand an action that is not built-in, it must exist as a module that is loaded before the rule is created.
A few modules are confusing with regard to their purpose. But most modules are self-explanatory. Not all dependencies are noted here[md]only some of the more important ones:
ip_conntrack |
Permits connection tracking and packet defragmentation. |
ip_conntrack_ftp |
Permits active FTP; requires ip_conntrack. |
ip_nat_ftp |
Permits active FTP via nat; requires ip_conntrack, iptables_nat. |
ip_queue |
Allows queuing packets to user space. |
ip_tables |
Required; all ipv4 modules depend on this one. |
ipt_LOG |
LOG target. |
ipt_MARK |
MARK target. |
ipt_MASQUERADE |
MASQUERADE target. |
ipt_MIRROR |
MIRROR target. |
ipt_REDIRECT |
REDIRECT target. |
ipt_REJECT |
REJECT target. |
ipt_TOS |
TOS target. |
ipt_limit |
Allows log limits. |
ipt_mac |
Allows specifying MAC address. |
ipt_mark |
Allows using a mark to match in a packet. |
ipt_multiport |
Allows packet specifications on multiple ports. |
ipt_owner |
Permits user/group checking on OUTPUT packets. |
ipt_state |
Permits packet state checking (SYN, SYN-ACK, ACK, and so on). |
ipt_tos |
Permits TOS checking on a packet. |
ipt_unclean |
Performs sanity checks on packets. |
iptable_filter |
Implements the filter table. |
iptable_mangle |
Implements the mangle table. |
iptable_nat |
Implements the nat table. |
IPv6 |
|
ip6_tables |
Required; all ipv6 modules depend on this one. |
ip6t_MARK |
Permits use of MARK target. |
ip6t_limit |
Implements LOG limits. |
ip6t_mark |
Allows use of mark match. |
ip6table_filter |
Implements filter table. |
If you study the table, you will notice something: Targets' modules are in upper case, packet-matching modules are in lower case, and both start with either "ipt" or "ip6t." The four modules starting with "iptable" or "ip6table" implement tables. Those that start with "ip_" implement major features of iptables (such as iptables itself, in the case of ip_tables).
Do not count on the automatic loading of modules. In fact, you can deliberately not insert the ip_nat_ftp and ip_conntrack_ftp, and effectively deny use of active FTP connections (only passive FTP will work then).
How the Rules Work
The easiest way to think of the rules is in sections. Each rule has several sections[md]how many depends on exactly what you're doing, but you'll find it easier to start by breaking the rules down into fragments and assembling these fragments.
Each rule can be thought of as being comprised of four fragments. Not all fragments are necessary for all rules or all operations that can be performed with iptables, but you'll see that shortly. A typical rule will look like this:
iptables [-t <table>] COMMAND [MATCH [extended match]] [option <parameter>] [-j TARGET]
The iptables is a required component and is not counted as part of any fragment.
The -t <table> is an optional element. The default is the filter table. As you saw in the last article, specifying -t filter is the same as omitting it. However, if you make it a habit to always put this, you'll know exactly what you're dealing with.
The COMMAND parameter is mandatory. You absolutely must have a command. iptables has 11 single-letter, uppercase commands and one lowercase command. The one lowercase command is used alone, -h for help. These uppercase command letters also have a lowercase but complete word or phrase alternative. If you're interested in using the longer commands, refer to the iptables man page.
The commands can be any of -A (append), -D (delete), -R (replace), -I (insert), -L (list), -F (flush), -Z (zero), -N (new chain), -X (delete chain), -P (chain policy), and -E (rename). As a general rule, only one command is permitted per iptables invocation. The only exception is that you can use -F (flush) and -Z (zero) on a chain at the same time. But you cannot use -F (flush) and -X (delete) on a chain in the same invocation.
The command MATCH can be thought of as rule fragments. These can be simple fragments or extended fragments. A simple fragment might be something like -p tcp for protocol TCP. This would match all TCP packets. But you can have an extended match to this. Matching a TCP packet also allows you to specify only packets with a particular source port (--sport), only packets with a particular destination port (--dport), only packets with certain flags set (--tcp-flags mask match), only SYN packets (--syn), or only packets with certain TCP options set (--tcp-option <number>). Don't worry that some of these matches are foreign to you. Just realize that they're there for your use, if needed.
One relatively universal concept needs to be mentioned at this point. A number of matches, options, extended matches, and so on permit the use of !, which is a logical NOT. When this appears in a rule, the very next reference is negated. So, if you see ! lo, you know that it says "not localhost." This refers to all except lo as a match.
The primary matches allow us general categories to work from, most of which have extensions to allow rule refinement. The primary matches are these:
-p --protocol <protocol> |
An ipv4 or ipv6 protocol, such as TCP, UDP, or ICMP |
-s --source <address/mask> |
A "where it came from" match |
-d --destination <address/mask> |
A "where it's going" match |
-i --in-interface <interface_name> |
The incoming interface specified |
-p --out-interface <interface_name> |
The outgoing interface specified |
-f --fragment |
Match for second and successive fragments (or with ! to match the first fragment) |
At this point, we'll not look at all the extended matches. These are explained in the man page and will be explained as we build a few common rules.
Only a few options are available, principally to provide more or different feedback. As with most utilities, you can always make things verbose by using -v. This means different things based on the command, but generally it expands the information you'll see. The -n provides numeric output rather than trying to do lookups for hostnames and services. This is much faster than waiting for iptables to do lookups and so will be used here. You can expand numbers with -x when you are listing rules. This will provide you an exact number rather than rounded numbers, abbreviated with K, M, or G for thousands, millions, or billions. And --line-numbers will allow you to see line positions if you want to use line numbers for your inserts.
The final part of the iptables command line is the target. Some targets can have extended targets, just as matches can have extended matches. In fact, only ACCEPT, MIRROR, and DROP don't have extensions available. You'll see some of these target extensions when we cover the nat and mangle tables.