<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Netfilter Overview</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="NetfilterOverview"></a>Netfilter Overview</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2003, 2005 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id288452"></a><p>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#Overview">Netfilter Overview</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Overview"></a>Netfilter Overview</h2></div></div></div><p>Netfilter consists of three tables: <span class="bold"><strong>Filter</strong></span>, <span class="bold"><strong>Nat</strong></span> and <span class="bold"><strong>Mangle</strong></span>. Each table has a number of build-in chains: <span class="bold"><strong>PREROUTING</strong></span>, <span class="bold"><strong>INPUT</strong></span>, <span class="bold"><strong>FORWARD</strong></span>, <span class="bold"><strong>OUTPUT</strong></span> and <span class="bold"><strong>POSTROUTING</strong></span>.</p><p>Rules in the various tables are used as follows:</p><div class="variablelist"><dl><dt><span class="term">Filter</span></dt><dd><p>Packet filtering (rejecting, dropping or accepting packets)</p></dd><dt><span class="term">Nat</span></dt><dd><p>Network Address Translation including DNAT, SNAT and Masquerading</p></dd><dt><span class="term">Mangle</span></dt><dd><p>General packet header modification such as setting the TOS value or marking packets for policy routing and traffic shaping.</p></dd></dl></div><p>The following diagram shows how packets traverse the various builtin chains within Netfilter. Note that not all table/chain combinations are used.</p><div align="center"><img src="images/Netfilter.png" align="middle" /></div><p>“<span class="quote">Local Process</span>” means a process running on the Shorewall system itself.</p><p>A more elaborate version of this flow is available <a class="ulink" href="http://shorewall.net/pub/shorewall/misc/netfilterflow.pdf" target="_self">here</a> and <a class="ulink" href="http://www.docum.org/docum.org/kptd/" target="_self">this one</a> contrasts the Netfilter flow with that of ipchains.</p><p>In the above diagram are boxes similar to this:</p><div><img src="images/Legend.png" /></div><p>The above box gives the name of the built-in chain (<span class="bold"><strong>INPUT</strong></span>) along with the names of the tables (<span class="bold"><strong>Mangle</strong></span> and <span class="bold"><strong>Filter</strong></span>) that the chain exists in and in the order that the chains are traversed. The above sample indicates that packets go first through the <span class="bold"><strong>INPUT</strong></span> chain of the <span class="bold"><strong>Mangle</strong></span> table then through the <span class="bold"><strong>INPUT</strong></span> chain of the <span class="bold"><strong>Filter</strong></span> table. When a chain is enclosed in parentheses, Shorewall does not use the named chain (<span class="bold"><strong>INPUT</strong></span>) in that table (<span class="bold"><strong>Mangle</strong></span>).</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>Keep in mind that chains in the <span class="bold"><strong>Nat</strong></span> table are <span class="bold"><strong>only traversed for new connection requests</strong></span> (including those related to existing connections) while the chains in the other tables are traversed on every packet.</p></div><p>The above diagram should help you understand the output of “<span class="quote">shorewall status</span>”. You may also wish to refer to <a class="ulink" href="PacketHandling.html" target="_self">this article</a> that describes the flow of packets through a Shorewall-generated firewall.</p><p>Here are some excerpts from “<span class="quote">shorewall status</span>” on a server with one interface (eth0):</p><pre class="programlisting">[root@lists html]# shorewall status Shorewall-1.4.7 Status at lists.shorewall.net - Mon Oct 13 12:51:13 PDT 2003 Counters reset Sat Oct 11 08:12:57 PDT 2003</pre><p>The first table shown is the <span class="bold"><strong>Filter</strong></span> table.</p><pre class="programlisting">Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 679K 182M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 785K 93M accounting all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID</pre><p>The following rule indicates that all traffic destined for the firewall that comes into the firewall on eth0 is passed to a chain called “<span class="quote">eth0_in</span>”. That chain will be shown further down.</p><pre class="programlisting"> 785K 93M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:' 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 accounting all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:' 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy DROP 1 packets, 60 bytes) pkts bytes target prot opt in out source destination 679K 182M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 922K 618M accounting all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 922K 618M fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:' 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0</pre><p>Here is the eth0_in chain:</p><pre class="programlisting">Chain eth0_in (1 references) pkts bytes target prot opt in out source destination 785K 93M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 785K 93M net2fw all -- * * 0.0.0.0/0 0.0.0.0/0</pre><p>The “<span class="quote">dynamic</span>” chain above is where dynamic blacklisting is done.</p><p>Next comes the <span class="bold"><strong>Nat</strong></span> table:</p><pre class="programlisting">NAT Table Chain PREROUTING (policy ACCEPT 182K packets, 12M bytes) pkts bytes target prot opt in out source destination 20005 1314K net_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0 Chain POSTROUTING (policy ACCEPT 678K packets, 44M bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 678K packets, 44M bytes) pkts bytes target prot opt in out source destination Chain net_dnat (1 references) pkts bytes target prot opt in out source destination 638 32968 REDIRECT tcp -- * * 0.0.0.0/0 !206.124.146.177 tcp dpt:80 redir ports 3128 </pre><p>And finally, the <span class="bold"><strong>Mangle</strong></span> table:</p><pre class="programlisting">Mangle Table Chain PREROUTING (policy ACCEPT 14M packets, 2403M bytes) pkts bytes target prot opt in out source destination 1464K 275M pretos all -- * * 0.0.0.0/0 0.0.0.0/0 Chain INPUT (policy ACCEPT 14M packets, 2403M bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 15M packets, 7188M bytes) pkts bytes target prot opt in out source destination 1601K 800M outtos all -- * * 0.0.0.0/0 0.0.0.0/0 Chain POSTROUTING (policy ACCEPT 15M packets, 7188M bytes) pkts bytes target prot opt in out source destination Chain outtos (1 references) pkts bytes target prot opt in out source destination 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10 315K 311M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10 683 59143 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10 3667 5357K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08 Chain pretos (1 references) pkts bytes target prot opt in out source destination 271K 15M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10 730 41538 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08 2065 111K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08</pre></div></div></body></html>