shorewall-doc-4.0.15-0.2mdvmes5.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Netfilter Overview</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="NetfilterOverview"></a>Netfilter Overview</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2003, 2005 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id288452"></a><p>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      “<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation
      License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#Overview">Netfilter Overview</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Overview"></a>Netfilter Overview</h2></div></div></div><p>Netfilter consists of three tables: <span class="bold"><strong>Filter</strong></span>, <span class="bold"><strong>Nat</strong></span> and
    <span class="bold"><strong>Mangle</strong></span>. Each table has a number of
    built-in chains: <span class="bold"><strong>PREROUTING</strong></span>, <span class="bold"><strong>INPUT</strong></span>, <span class="bold"><strong>FORWARD</strong></span>,
    <span class="bold"><strong>OUTPUT</strong></span> and <span class="bold"><strong>POSTROUTING</strong></span>.</p><p>Rules in the various tables are used as follows:</p><div class="variablelist"><dl><dt><span class="term">Filter</span></dt><dd><p>Packet filtering (rejecting, dropping or accepting
          packets)</p></dd><dt><span class="term">Nat</span></dt><dd><p>Network Address Translation including DNAT, SNAT and
          Masquerading</p></dd><dt><span class="term">Mangle</span></dt><dd><p>General packet header modification such as setting the TOS
          value or marking packets for policy routing and traffic
          shaping.</p></dd></dl></div><p>The following diagram shows how packets traverse the various built-in
    chains within Netfilter. Note that not all table/chain combinations are
    used.</p><div align="center"><img src="images/Netfilter.png" align="middle" /></div><p>“<span class="quote">Local Process</span>” means a process running on the
    Shorewall system itself.</p><p>A more elaborate version of this flow is available <a class="ulink" href="http://shorewall.net/pub/shorewall/misc/netfilterflow.pdf" target="_self">here</a>
    and <a class="ulink" href="http://www.docum.org/docum.org/kptd/" target="_self">this one</a>
    contrasts the Netfilter flow with that of ipchains.</p><p>In the above diagram are boxes similar to this:</p><div><img src="images/Legend.png" /></div><p>The above box gives the name of the built-in chain (<span class="bold"><strong>INPUT</strong></span>) along with the names of the tables
    (<span class="bold"><strong>Mangle</strong></span> and <span class="bold"><strong>Filter</strong></span>) that the chain exists in and in the order
    that the chains are traversed. The above sample indicates that packets go
    first through the <span class="bold"><strong>INPUT</strong></span> chain of the
    <span class="bold"><strong>Mangle</strong></span> table then through the <span class="bold"><strong>INPUT</strong></span> chain of the <span class="bold"><strong>Filter</strong></span> table. When a chain is enclosed in
    parentheses, Shorewall does not use the named chain (<span class="bold"><strong>INPUT</strong></span>) in that table (<span class="bold"><strong>Mangle</strong></span>).</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>Keep in mind that chains in the <span class="bold"><strong>Nat</strong></span> table are <span class="bold"><strong>only
      traversed for new connection requests</strong></span> (including those
      related to existing connections) while the chains in the other tables
      are traversed on every packet.</p></div><p>The above diagram should help you understand the output of
    “<span class="quote">shorewall status</span>”. You may also wish to refer to <a class="ulink" href="PacketHandling.html" target="_self">this article</a> that describes the flow of
    packets through a Shorewall-generated firewall.</p><p>Here are some excerpts from “<span class="quote">shorewall status</span>” on a
    server with one interface (eth0):</p><pre class="programlisting">[root@lists html]# shorewall status
 
Shorewall-1.4.7 Status at lists.shorewall.net - Mon Oct 13 12:51:13 PDT 2003
                                                                                                                                                                                    
Counters reset Sat Oct 11 08:12:57 PDT 2003</pre><p>The first table shown is the <span class="bold"><strong>Filter</strong></span>
    table.</p><pre class="programlisting">Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 679K  182M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 785K   93M accounting  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID</pre><p>The following rule indicates that all traffic destined for the
    firewall that comes into the firewall on eth0 is passed to a chain called
    “<span class="quote">eth0_in</span>”. That chain will be shown further down.</p><pre class="programlisting"> 785K   93M eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
                                                                                                                                                                                    
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 accounting  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
                                                                                                                                                                                    
Chain OUTPUT (policy DROP 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination
 679K  182M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
 922K  618M accounting  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
 922K  618M fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0</pre><p>Here is the eth0_in chain:</p><pre class="programlisting">Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
 785K   93M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 785K   93M net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0</pre><p>The “<span class="quote">dynamic</span>” chain above is where dynamic blacklisting
    is done.</p><p>Next comes the <span class="bold"><strong>Nat</strong></span> table:</p><pre class="programlisting">NAT Table
 
Chain PREROUTING (policy ACCEPT 182K packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination
20005 1314K net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 
Chain POSTROUTING (policy ACCEPT 678K packets, 44M bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain OUTPUT (policy ACCEPT 678K packets, 44M bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
  638 32968 REDIRECT   tcp  --  *      *       0.0.0.0/0           !206.124.146.177    tcp dpt:80 redir ports 3128
</pre><p>And finally, the <span class="bold"><strong>Mangle</strong></span>
    table:</p><pre class="programlisting">Mangle Table
 
Chain PREROUTING (policy ACCEPT 14M packets, 2403M bytes)
 pkts bytes target     prot opt in     out     source               destination
1464K  275M pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 
Chain INPUT (policy ACCEPT 14M packets, 2403M bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain OUTPUT (policy ACCEPT 15M packets, 7188M bytes)
 pkts bytes target     prot opt in     out     source               destination
1601K  800M outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 
Chain POSTROUTING (policy ACCEPT 15M packets, 7188M bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
 315K  311M TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10
  683 59143 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10
 3667 5357K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08
 
Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
 271K   15M TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10
  730 41538 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08
 2065  111K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08</pre></div></div></body></html>
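The listings above are `iptables -L -v -n` output, and reading them by eye gets tedious on a real firewall with dozens of Shorewall chains. The Python script below is an added example, not part of Eastep's article or of Shorewall itself. It parses that listing format into tables, chains and rules and then answers three questions a firewall reviewer asks of such output: which user-defined chains a built-in chain hands packets to (the INPUT to eth0_in hop described above), where the LOG rules sit and what syslog prefix they carry, and which rules have not matched anything since the counters were reset. The sample input is constructed from the excerpts on this page; the `BUILTIN_TARGETS` set, the `Rule` and `Chain` types and all function names are this example's own assumptions.

```python
"""Parse `iptables -L -v -n` style output (what `shorewall status` prints) into
tables, chains and rules. Added example; every name here is this example's own."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input constructed from the excerpts on this page. The filter table
# comes first and unlabelled, exactly as shorewall status prints it.
SAMPLE_STATUS = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 679K  182M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
 785K   93M eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
 785K   93M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 785K   93M net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

NAT Table

Chain PREROUTING (policy ACCEPT 182K packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination
20005 1314K net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
"""

# Targets built into Netfilter (assumed set); anything else in the target
# column is a jump into a user-defined chain such as eth0_in or reject.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "QUEUE",
                   "REDIRECT", "DNAT", "SNAT", "MASQUERADE", "TOS", "MARK"}
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
TABLE_RE = re.compile(r"^(\w+) Table\s*$")

# The nine fixed columns of a rule line, then whatever match text follows them.
Rule = namedtuple("Rule", "pkts bytes target prot opt in_if out_if source destination extra")

@dataclass
class Chain:
    table: str
    name: str
    policy: Optional[str]           # None for user-defined chains, which have none
    rules: List[Rule] = field(default_factory=list)

def parse_status(text: str) -> Dict[Tuple[str, str], Chain]:
    """Map (table, chain name) -> Chain; an 'XXX Table' line switches tables."""
    chains: Dict[Tuple[str, str], Chain] = {}
    table, current = "filter", None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = TABLE_RE.match(line)
        if m:
            table, current = m.group(1).lower(), None
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(table, m.group(1), m.group(2))
            chains[(table, m.group(1))] = current
            continue
        if current is None or line.lstrip().startswith("pkts bytes"):
            continue                 # banner text outside a chain, or the column header
        parts = line.split(None, 9)  # at most 9 splits: nine columns + free match text
        if len(parts) >= 9:
            current.rules.append(Rule(*parts[:9], parts[9] if len(parts) > 9 else ""))
    return chains

def jumps(chains, table: str, chain: str) -> List[str]:
    """User-defined chains that `chain` hands packets to, in rule order."""
    return [r.target for r in chains[(table, chain)].rules if r.target not in BUILTIN_TARGETS]

def log_rules(chains) -> List[Tuple[str, str, str]]:
    """(table, chain, syslog prefix) for every LOG rule in the ruleset."""
    found = []
    for ch in chains.values():
        for r in ch.rules:
            if r.target == "LOG":
                m = re.search(r"prefix `([^']*)'", r.extra)
                found.append((ch.table, ch.name, m.group(1) if m else ""))
    return found

def never_matched(chains) -> List[Tuple[str, str, str]]:
    """Rules whose packet counter is still zero since the counters were reset."""
    return [(ch.table, ch.name, r.target)
            for ch in chains.values() for r in ch.rules if r.pkts == "0"]

if __name__ == "__main__":
    chains = parse_status(SAMPLE_STATUS)
    for (table, name), ch in chains.items():
        print(f"{table}/{name}: policy={ch.policy}, {len(ch.rules)} rules, jumps to {jumps(chains, table, name)}")
    print("LOG rules:", log_rules(chains))
    print("never matched:", never_matched(chains))
```

Run stand-alone, it prints each chain with its policy and the user chains it jumps to, then the LOG rule with its `Shorewall:INPUT:REJECT:` prefix and the four INPUT rules that have not fired. Two things the page's own numbers show once parsed this way: only built-in chains carry a policy (eth0_in and net_dnat have none, so a packet that falls off the end of them returns to the caller), and the Nat PREROUTING policy counter (182K packets) is tiny beside the Mangle PREROUTING counter (14M) on the same host, which is exactly the point of the Important note above: Nat chains see only the first packet of each connection.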