Lets learn "About linux iptables"

-

 



Security is an important part of any system. In Linux systems, the firewall rules are responsible for providing security to the system. To configure the firewall rules in Linux, IPTables utility is used. Linux IPTables is a user-space program that helps to configure kernel rules to filter network packets and defining the NAT rules. In this tutorial, we'll learn in detail about different tables and chains in IPTables.                 

The high-level structure of IPTables

IPTables consist of in-built tables and those in-built tables contain different chains that can be in-built or user-defined and in each chain different rules are defined.
So the structure is IPTables -> In-built Tables -> Chains -> Rules


Now that we've learned about the high-level structure of iptables, let's dive into different in-build tables and its chains.

IPTables in-built tables and their built-in Chains

Basically, IPTables has 4 in-built tables

Filter Table

As the name suggests, Filter table is mainly used for filtering network packets. It is the most widely used IPTables table. In the iptable command, if you do not specify any table by default Filter table gets used. Filter table has the following in-built chains.
  • INPUT Chain: This chain is used for any packet coming to the system. 
  • OUTPUT Chain: This chain is used for any packet going out from the system.
  • FORWARD Chain: This chain is used for any packet routed through the system.

NAT Table

NAT means Network Address Translation. So NAT table is used for network address translation related rules. NAT Table has three in-built chains.
  • PREROUTING Chain: This chain modifies the packet before routing. This chain basically performs DNAT ( Destination NAT which means modifying the destination IP of the packet ). When a packet enters the system just before deciding if routing this required or not, this chain is used.
  • POSTROUTING Chain: This chain modifies the packet post routing. This chain basically performs SNAT ( Source NAT which means modifying the source IP of the packet ). In this case, translation happens just before packet leaves the system.
  • OUTPUT Chain: This chain is used for NAT for locally generated packets.

Mangle Table

Mangle table is used for packet alteration in various ways. This table can make changes to different header fields in the packet. For e.g, if you wanna change MTU, TTL in the packet header. you can use this table. Mangle table has the following in-built chains. 
  • PREROUTING Chain.
  • OUTPUT Chain.
  • FORWARD Chain.
  • INPUT Chain.
  • POSTROUTING Chain.

Raw Table

IPTables are a stateful firewall which means packets are inspected with respect to their state like a packet can be a part of new connection or existing connection. Raw table is used for packet alteration before the kernel starts tracking its state. Raw table has the following in-built chains.
  • PREROUTING Chain.
  • OUTPUT Chain.

Summarizing all tables in one diagram.

HOPE you like this tutorial. Please put down the comment below if you have any doubt. Linux IPTables rule structure is explained here. Stay tuned for more tutorials :)


Comments

Post a Comment

Popular posts from this blog

Lets learn "About kube proxy in iptables mode"

-
Image
In this tutorial, we'll learn about the Kube-proxy in iptables mode. Basically, we'll see how Kube-proxy create iptables that help in load balancing and service discovery. If you are not familiar with Linux IPTables I would recommend to check out my tutorial on IPTables here  first and then come back to read this tutorial. Kube-proxy Kube-proxy when running in iptables mode basically watch kube-apiserver for new endpoints and create corresponding iptables rules and iptables are fully responsible for service discover and proper routing of traffic to corresponding pods. Kube-proxy needs to run on all k8s worker nodes. Below is a small video describing the working of kube-proxy in iptables mode.  src:  https://www.slideshare.net/CJCullen/kubernetes-networking-55835829 Now that we know what Kube-proxy is and how it Kube-proxy works, let deep dive into the types of iptables Kube-proxy adds to the firewall. Kube-proxy added IPTables To learn this let's consider an example. Consid
Read more

Lets learn "System design for paste bin (or any text sharing website)"

-
Image
  In this tutorial, we'll learn about the system design for PasteBin. If you don't know what Pastebin is here goes its definition. Pastebin is a type of online content hosting service where users can store texts to share with others over the internet.  Pastebin system design requirements  Functional Basic - User should be able to paste the text, generate the link and share the link with other users. There should be the max size of the text that our system will support (say 10Mb) Users should be able to provide the custom URL path for the link created. Like if a user wants to create the links  www.pb.com/letlearn, he can give this URL and pastebin should create a link using this URL to share with others. The link or paste expiry feature should be there for each stored text. There can be default expiry time say 1 year but this should be configurable. Personalization means the user should be able to login to track all the pastes created by him and manage them. Non-Functional Durab
Read more

Lets learn "Factory design pattern"

-
 In this tutorial, we'll learn about the factory design pattern as in what it is, in which use cases this is being used and how it works. If you've are not familiar with what are software design patterns and what are its different types check out this tutorial. Introduction A factory design pattern is a creational design pattern that is related to object creation. In this pattern, we'll have a method to create an object without exposing its creation logic to the client. If a class method is creating an object it has to be static.  The idea is to create a static method ( factory method ) which instantiates a class without exposing its logic to the client and the client can use that method every time it needs to create an object of the class. The reason why the factory pattern is useful is that as it does not expose the logic of object creation, so if logic is changed, the client code need not to be changed. Usecases The place where this pattern is mostly used is library cod
Read more