In this lesson, we introduce Linux iptables, the utility command for configuring the Linux kernel firewall implemented within the netfilter project. We show how it provides packet filtering and network address translation capabilities to realize the firewall function, using the processing of packets arriving at the outer firewall as an example. Netfilter is a set of hooks inside the Linux kernel, developed by the netfilter organization, that allow kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack, and when this callback executes, the iptables rules are examined. iptables is a generic table structure for the definition of rulesets. Each rule within a table consists of a number of classifiers, which are matched against packet header information, and one associated action that specifies how to deal with the matching packet; the action is called the iptables target, or jump. The utility command used by system administrators to create these tables has the same name, iptables. When packets are processed by the kernel, the registered callback function is triggered and the rules of the chain are checked in sequence; only for those rules whose classifiers match the packet is the action portion of the rule carried out. Here we show how we use iptables. First, we can build an Internet firewall based on the stateless and stateful packet filtering mechanisms provided. Second, we use SNAT, source network address translation, and masquerading to share Internet access when we do not have enough public IP addresses. Third, we use DNAT, destination network address translation, to map the destination IP address of incoming requests to an internal IP address so that we can route them to the inside servers, typically in the DMZ.
Fourth, we use tc (traffic control) from iproute2, the utility for routing and for controlling TCP and UDP networking traffic. Together, these two systems allow us to build sophisticated quality of service and policy-based routing. We can also do packet manipulation, called mangling, such as altering bits in the IP header to change the priority of the packet. Here we have three different kinds: the Type of Service (TOS) field, which is the second byte in the IP header, used for QoS as defined in RFC 791; the Differentiated Services Code Point (DSCP) [INAUDIBLE]; and bits six and seven of the TOS field, which are defined in RFC 3168. To illustrate the specification of iptables rules and provide a context, we use the DMZ example we discussed earlier. In the last session, we assigned the 192.168.10.0/24 subnet, a private LAN address space, to the DMZ subnet, and we assigned 10.0.0.0/8 to the intranet. We also assigned specific IP addresses to the key Ethernet interfaces of the outer firewall and the inner firewall. For example, eth0 of the outer firewall, the interface facing the Internet, is configured with the four public IP addresses 128.198.60.11 through 128.198.60.14; 128.198.60.11 is used as the main interface IP address and the others are configured as aliases. Typical organizations are only given a limited set of public IP addresses, and these are typically configured on the public-facing network interface of the outer firewall. eth1 of the outer firewall, the inside interface facing the demilitarized zone subnet, is configured with 192.168.10.1, which is the default gateway for the DMZ subnet, since all outbound Internet traffic from within the subnet is routed through this default gateway address, including the Internet traffic relayed by the inner firewall from the intranet. eth0 of the inner firewall is configured with 192.168.10.2.
eth1 of the inner firewall connects to the intranet and is configured with 10.0.0.1, which is the default gateway address for the whole intranet, since all outbound traffic needs to pass through this interface and the inner firewall to reach the outside. First, let us configure the outer firewall and focus on inbound traffic through its eth0. When a packet is transferred from the network interface driver to the Linux kernel, the netfilter hook in the IP module intercepts the packet and triggers execution of the PREROUTING chain in the network address translation table, nat. The nat table has three predefined chains: PREROUTING, OUTPUT and POSTROUTING. A chain is defined to contain a set of iptables rules. Here we assume the iptables rule shown with a light green background at the top was inserted before the packet arrived. The -t nat -A PREROUTING options specify that the rule is to be inserted into the PREROUTING chain of the nat table for execution. The next four options, highlighted in green, are the classifiers of the rule: they match any packet with destination IP address 128.198.60.12, TCP protocol, port 80, which is the HTTP web protocol, coming in from the eth0 interface. The next two options, highlighted in pink, are the action part of the rule. They specify that a packet matching the classifiers will undergo DNAT, destination network address translation. We specify that with the -j DNAT option and an additional parameter, the new destination IP address, which is 192.168.10.3; the incoming destination address is replaced with this one. This destination address modification is specified by the --to-destination option. If the packet does not match this rule, it is handed over to the next rule, and then the next one, in the PREROUTING chain.
This proceeds in a sequential manner until the end of the chain is reached, and then control is handed back to the normal packet processing. The next big step is the routing module, the routing decision, where the packet's destination IP address is matched against the routing table entries and the packet is routed to a specific interface. If the incoming packet had destination IP address 128.198.60.12 and destination port 80, its destination address has already been changed, based on the rule, to 192.168.10.3. The kernel's IP forwarding flag guards whether forwarding is done at all: if it is 0, there is no forwarding; if it is 1, which is the typical setting in our firewall case, forwarding is allowed. Netfilter also inserts a hook in the forwarding code to execute the FORWARD chain in the filter table. Let us assume that the three iptables rules in the light peach background box were inserted into the FORWARD chain before the packet arrived. The packet is checked against each FORWARD chain rule in turn until one of these three rules matches. The first rule specifies that any packet with a source IP address equal to 199.66.1, indicated by the -s option, matches the classifier and will be rejected, which is indicated by the -j option. REJECT means an ICMP error packet is returned to the sender. A packet from a different source address does not match this first rule and is matched against the second one, where, if the classifiers match, the action given by the --log-prefix option is performed: a syslog record is written for the packet, prefixed with the text given by the option and followed by content supplied by the system. The packet is then matched against the third rule; if its classifiers match, the action -j DROP is executed, which drops the packet silently without even replying to the sender. In this case the packet is simply removed from the packet processing queue.
One difference is that DROP will not notify the hacker, whereas REJECT will notify the sender. Note that the PREROUTING chain needs to be executed before the routing decision is made. The FORWARD chain catches all the traffic that is sent across the network interfaces, that is, forwarded from one interface to another.
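The packet path described above, the DNAT rule in nat PREROUTING followed by the routing decision and the three-rule FORWARD chain, modelled as a small simulation. This is an added example, not code from the lecture; the source address 199.66.1.1, the log prefix and the classifiers of the LOG and DROP rules are constructed for illustration, and the FORWARD chain policy is assumed to be ACCEPT.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:                      # the header fields the classifiers look at
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str

def rule(target, match, **extra):
    """One iptables rule: header classifiers plus a single target (action)."""
    return {"target": target, "match": match, **extra}

def walk_chain(chain, pkt, policy, log):
    """Check rules in order: the first matching terminating target decides the
    verdict; LOG records the packet and falls through; no match -> chain policy."""
    for r in chain:
        if not all(getattr(pkt, f) == v for f, v in r["match"].items()):
            continue
        if r["target"] == "DNAT":                    # rewrite the destination
            return "ACCEPT", replace(pkt, dst=r["to"])
        if r["target"] == "LOG":                     # non-terminating target
            log.append(f"{r['prefix']}SRC={pkt.src} DST={pkt.dst} DPT={pkt.dport}")
            continue
        return r["target"], pkt                      # ACCEPT / DROP / REJECT
    return policy, pkt

# iptables -t nat -A PREROUTING -i eth0 -d 128.198.60.12 -p tcp --dport 80 \
#          -j DNAT --to-destination 192.168.10.3
NAT_PREROUTING = [rule("DNAT", {"in_iface": "eth0", "dst": "128.198.60.12",
                                "proto": "tcp", "dport": 80}, to="192.168.10.3")]

# FORWARD rules in the lecture's pattern (REJECT a source, LOG with a prefix, DROP).
# The source address, log prefix and DROP classifier are constructed for this example.
FILTER_FORWARD = [
    rule("REJECT", {"src": "199.66.1.1"}),                              # -s ... -j REJECT
    rule("LOG", {"dst": "192.168.10.3"}, prefix="DMZ-IN: "),            # -j LOG --log-prefix
    rule("DROP", {"dst": "192.168.10.3", "proto": "tcp", "dport": 22}), # -p tcp --dport 22 -j DROP
]

def process_inbound(pkt, ip_forward=1):
    """Outer-firewall path for a packet arriving on eth0: nat PREROUTING, then the
    routing decision gated by ip_forward, then filter FORWARD (policy assumed ACCEPT)."""
    log = []
    _, pkt = walk_chain(NAT_PREROUTING, pkt, "ACCEPT", log)   # runs before routing
    if not ip_forward:                                        # net.ipv4.ip_forward = 0
        return "NOT_FORWARDED", pkt, log
    verdict, pkt = walk_chain(FILTER_FORWARD, pkt, "ACCEPT", log)
    return verdict, pkt, log
```

Running a constructed web request through process_inbound shows the destination rewritten to 192.168.10.3 by PREROUTING before the FORWARD rules see it, and the LOG entry produced without stopping the walk.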