@marcinantkiewicz
Last active April 12, 2016 03:09
1) DHCP - iptables rules are not required to make DHCP work.
The Linux kernel will not send traffic via an Ethernet interface until it has an IP address assigned. The DHCP client uses raw sockets to
communicate with the DHCP server, which happens before iptables has a chance to process the traffic.
2) iptables rule = classifier (iptable match) + action (iptables target)
Chains in which rules are applied:
- mangle - used to control TOS attributes, MARKs, TTL. Single table.
- filter - policy decisions take place here. Tables: forward (target behind firewall), input (traffic to firewall), output (return, or originating traffic).
- nat - changes to src/dst IPs. Tables:
-- preroute: DNAT, REDIRECT
-- postroute: SNAT, MASQUERADE
-- output: DNAT, REDIRECT
log:
--log-level
--log-prefix (add space after?, 29 char limit)
--log-uid
Note: output traffic will not go through the pre-route chain.
Note: the firewall can filter traffic (implement policy), or deliver it to an app (per policy) which can then forward/proxy traffic, implementing a complementing or contradicting policy.
Modules
conntrack - allowing traffic requires the following states:
- new (SYN)
- established (active connection traffic that matches the state attributes (window/sequence...))
- related (ICMP, also needed when using protocols with separate control and data conns, e.g. FTP)
Note:
cat /proc/net/tcp
sysctls related to iptables
ip route show table local
use policy for default deny
--append adds rule to the end of the chain
--insert adds rule to the head of the chain, or at specified line number
--check will verify that specified rule already exists
invoke: iptables -nvL --line-numbers
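Added example (not part of the original notes): a shell script that combines the conntrack states, the LOG options, the default-deny policy and --check/--append from the notes above into a baseline that can be re-applied without duplicating rules. SSH on tcp/22, the log prefix, the log rate limit, the IPT variable and the file name fw.sh are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumed values: SSH on tcp/22,
# the log prefix, the 5/min log rate, and the IPT override variable.
IPT=${IPT:-iptables}

# Append a rule only when --check reports it missing, so re-running the
# script never stacks duplicate rules.
ensure_rule() {
    chain=$1; shift
    "$IPT" --check "$chain" "$@" 2>/dev/null || "$IPT" --append "$chain" "$@"
}

apply_baseline() {
    # Allow rules go in before the policy flips to DROP, so a remote
    # session is not cut off halfway through.
    ensure_rule INPUT -i lo -j ACCEPT
    # established/related: packets of connections conntrack already tracks.
    ensure_rule INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # new: first packet of a connection, accepted only for the assumed service.
    ensure_rule INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Rate-limited log of whatever falls through to the policy. The prefix
    # ends with a space so it does not run into the rest of the log line.
    ensure_rule INPUT -m limit --limit 5/min -j LOG --log-level 4 --log-prefix "fw-in-drop: "
    # Default deny comes from the policy, not from a trailing DROP rule.
    "$IPT" --policy INPUT DROP
    "$IPT" --policy FORWARD DROP
    "$IPT" --policy OUTPUT ACCEPT
}

# Only touch the live firewall when asked to: sh fw.sh apply (as root).
if [ "${1:-}" = "apply" ]; then
    apply_baseline
fi
```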
ref:
http://www.netfilter.org/