iptables

from Wikipedia, the free encyclopedia
Basic data
Developer: Netfilter project team
Year of publication: 1998
Current version: 1.8.3 (May 27, 2019)
Operating system: Linux
Programming language: C
Category: Firewall
License: GPL (free software)
German-language: no
Website: netfilter.org

iptables is a user-space program for configuring the tables provided by the firewall in the Linux kernel (which consists of a number of Netfilter modules). These tables contain chains and rules. Currently, different programs are used for different protocols: iptables is limited to IPv4; for IPv6 there is ip6tables, for ARP there is arptables, and ebtables is a special component for Ethernet frames.

Since iptables requires extended system privileges, it must be run as root. Most Linux systems install iptables as /usr/sbin/iptables. If the documentation is installed, it can be viewed in the man pages with man iptables.

The term iptables is also often used to describe only the kernel components. x_tables is the name of the kernel module that carries the common code of all four modules ( v4 , v6 , arp and eb ) and provides the API for iptables extensions. As a result, Xtables often refers to the entire firewall infrastructure.

History

Netfilter and iptables were originally developed together, so there was some overlap in earlier development. See the Netfilter article.

Linux version 1.0 and higher includes a packet filter. It originally came from BSD and was extended in Linux version 2.0 under the name ipfwadm. Rusty Russell revised the packet filter again and made it available as ipchains, which was integrated into Linux 2.2. Around 1999 the kernel, and with it ipchains, was completely revised. iptables emerged from ipchains and has been part of the standard kernel since Linux 2.4.

iptables retains the original basic idea of ipfwadm: lists of rules, each of which specifies what is checked in a packet and what should then be done with that packet. ipchains introduced the concept of chains, and iptables expanded this to include tables. One table is responsible for NAT, another for filtering. In addition, the three points at which packets are filtered on their "journey" have been changed so that each packet passes through only one filter point.

This division in turn enabled iptables to use information worked out by the connection tracking subsystem; previously this information was bound to NAT. This means that iptables has more options than ipchains: it can also monitor the state of a connection and redirect, stop or manipulate data packets based on that state, instead of relying only on the source or destination address. A firewall like iptables that meets these requirements is called stateful, whereas ipchains was stateless except in very limited cases.

The current version 1.8.5 was published on June 3, 2020.

The successor to iptables is nftables , which has been available since Linux kernel version 3.13.

Summary of the function

iptables enables the system administrator to load tables that contain chains of rules for handling packets. Each table serves its own purpose. Within a chain, a packet is handled by processing the rules sequentially. A rule can cause a jump or a goto into another chain, and this can be nested several times. (A return resumes processing at the rule following the jump.) Every network packet that arrives at or leaves the computer passes through at least one chain.

[Figure: Packet flow graph. Packets start in a certain box and take a certain path depending on the circumstances (e.g. routing).]

The origin of the packet determines the chain in which processing begins. There are five predefined chains (corresponding to the five Netfilter hooks), although a table does not necessarily have to contain all of them. Predefined chains have a policy, e.g. DROP, which takes effect when a packet has reached the end of the chain without matching any rule. Further user-defined chains can be created, but these have no policy; if a packet reaches the end of such a chain, processing continues in the chain that triggered the jump. Empty chains are allowed.

PREROUTING
Packets enter this chain before a routing decision is made.
INPUT
The packet is delivered locally. (N.B.: this has little to do with processes. Local delivery is determined by the local routing table: ip route show table local)
FORWARD
All packets that have been routed and are not delivered locally pass through this chain.
OUTPUT
Packets generated by the computer itself appear here.
POSTROUTING
The routing decision has been made. Packets pass through here again shortly before they are handed to the hardware.

Each rule in a chain contains specifications (matches) as to which packets it applies to. Rules can also contain a target (for extensions) or a verdict. When a packet runs through a chain, the rules are checked one after the other. If a rule does not apply to the packet, the next rule is tried. If it does apply, the action given by the target or verdict is carried out, which may or may not result in the packet continuing through the chain. Matches make up the largest part of a ruleset because they contain the conditions against which a packet is tested. These tests can be carried out for each layer of the OSI model; the --mac-source and -p tcp --dport parameters are worth mentioning here. There are also protocol-independent options, e.g. -m time.

A packet advances through a chain until a rule applies to it and gives a final verdict (e.g. ACCEPT or DROP), until a rule specifies RETURN as the verdict (which continues processing in the calling chain), or until the end of the chain is reached.
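As an added illustration of the traversal just described (example code, not from the article or the Netfilter project), the following Python model walks a constructed ruleset using the jump (-j), goto (-g), RETURN and policy semantics of iptables. A rule is a (match, target) pair; the chain names, match helpers and packets are assumptions made for the example.

```python
POLICY = {"INPUT": "DROP"}             # only built-in chains carry a policy

def tcp_dport(port):                   # stands in for -p tcp --dport PORT
    return lambda p: p["proto"] == "tcp" and p["dport"] == port
def ctstate(*states):                  # stands in for -m conntrack --ctstate ...
    return lambda p: p["ctstate"] in states

def ruleset(ssh_entry):
    """ssh_entry is "jump" or "goto": how SERVICES hands port-22 traffic to chain SSH."""
    return {
        "INPUT": [
            (ctstate("ESTABLISHED", "RELATED"), "ACCEPT"),
            (lambda p: p["proto"] == "tcp", ("jump", "SERVICES")),
        ],
        "SERVICES": [
            (tcp_dport(22), (ssh_entry, "SSH")),
            (tcp_dport(443), "ACCEPT"),
            (lambda p: True, "RETURN"),
        ],
        "SSH": [
            (lambda p: p["src"].startswith("10."), "ACCEPT"),
            (lambda p: True, "RETURN"),   # with goto this returns to INPUT, not SERVICES
        ],
    }

def traverse(start, packet, chains):
    """Return (verdict, chains visited in order) for a packet entering chain `start`."""
    stack = []                         # return addresses pushed by jump; goto pushes none
    chain, idx, visited = start, 0, [start]
    while True:
        if idx < len(chains[chain]):
            match, target = chains[chain][idx]
            idx += 1
            if not match(packet):
                continue               # no match: try the next rule
            if target in ("ACCEPT", "DROP"):
                return target, visited  # a final verdict ends the traversal
            if target != "RETURN":
                kind, dest = target
                if kind == "jump":
                    stack.append((chain, idx))
                chain, idx = dest, 0
                visited.append(chain)
                continue
        # RETURN or end of chain: resume after the last jump, else the policy applies
        if stack:
            chain, idx = stack.pop()
            visited.append(chain)
            continue
        return POLICY[start], visited
```

Running the same untrusted SSH packet through `ruleset("jump")` and `ruleset("goto")` gives the same DROP verdict but different paths: only the jump variant revisits SERVICES after SSH returns.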

Front ends

Many vendors offer software that makes setting up rules easier. Text-based or graphical front ends allow users to create simple rulesets with a few mouse clicks; scripts are often shell scripts (other languages are also possible) that call iptables or the faster iptables-restore with a series of predefined rules. Templates created from configuration files can also be used. Linux distributions often use templates, but also offer users the option of defining their own rules.

Examples:

Such front ends, generators and scripts are often limited by their templates and design. In addition, the rules they generate are usually not optimized for the firewall's particular use, since automatic optimization in the front end would require considerable development effort. Users who understand iptables well and want an optimized ruleset are therefore advised to construct the rules themselves.
