Linux Networks & Filtering
James Daniel
2017-09-21
Overview
● Linux Networking Overview
● Linux Network Administration
● IPTables
Linux Networking Overview
● Kernel handles TCP/IP traffic, with some exceptions (beyond scope of this talk)
● TCP/IP stack is complicated, and absolutely critical to the functioning of OS
○ Stack located within the kernel, NOT USERSPACE
○ Will not cover every detail here -- sorry!
● Some Subroutines and System Calls - EGRESS
○ Layer 5 - write(), sendto(), sendmsg() -- all can send data over network, syscalls
○ Layer 4 - tcp_sendmsg (see tcp.c kernel source code) -- can emit data frames at appropriate time
○ Layer 3
■ ip_queue_xmit() - routing, create IPv4 header
■ nf_hook() - performs network filtering
■ ip_output() - performs post-routing filtering
○ Layer 2 - primarily looking at queueing packets / discipline (qdisc)
Network Fundamentals
Credit: The Linux Foundation
● Some Subroutines and System Calls - INGRESS
○ Layer 2 - netif_receive_skb() --- feeds a packet into the kernel
○ Layer 3
■ ARP - arp_rcv()
■ IP - ip_rcv()
○ Layer 4
■ TCP - tcp_v4_rcv()
○ Layer 5 - read(), recvfrom(), recvmsg() - syscalls, receive data from network
Network Fundamentals
Credit: The Linux Foundation
Network Fundamentals
Credit: University of New Hampshire, Computer Science Department
Network Fundamentals
Credit: Wikipedia
Network Fundamentals
Credit: Pranesh Santikellur
Linux Networking Administration
Network Administration
● Network Information
○ ip route show displays host-based routing tables
○ ip address show displays L3 information
○ ip link show displays L2 information
● Socket Information
○ ss -tanup displays socket information
● Others*
○ route, netstat -rn displays host-based routing tables
○ ifconfig -a displays all available network interfaces
○ netstat -tulpn displays socket information
* some deprecated: they rely on net-tools, which is itself deprecated
● Static Network Configuration (Temporary)
○ ip route add default via <ip_addr> add default route
○ ip address add <ip_addr> dev <dev> add L3 IP address
● Static Network Configuration (Persistent, RHEL-derivatives)
○ /etc/sysconfig/network global NIC configuration
○ /etc/sysconfig/network-scripts/ifcfg-* per-NIC configuration
● Static Network Configuration (Persistent, Debian-derivatives)
○ /etc/network/interfaces global NIC configuration
○ /etc/network/interfaces.d/<nic>.cfg per-NIC configuration
● Others*
○ route add default via <ip_addr>
○ ifconfig <dev> <ip_addr>
Network Administration
Network Administration
● DNS Configuration
○ /etc/resolv.conf resolver configuration, used by getnameinfo()
○ /etc/nsswitch.conf name service switch - defines the service providers per lookup category
○ /etc/hosts service provider - for instance consumed by dnsmasq for A records
IPTables
IPTables Fundamentals
● What is iptables?
○ iptables is a generic table structure for the definition of rulesets.
○ Each rule within an IP table consists of a number of
■ Classifiers (iptables matches)
■ And one connected action (iptables target)
● Kernel module is netfilter
○ Must be loaded into the kernel (2.4.X+)
○ Performs stateless and stateful network filtering
● Consists of three tables
○ Mangle - handle special packets
○ NAT - perform network address translation for network behind the server
○ Filter - perform packet filtering for the server itself
● Each table can have >= 1 chain
● IPTables can forward packets, perform NAT
○ More network route/switch gear becoming Linux/UNIX based (e.g. Arista, Cumulus Networks)
Credit: netfilter project, NTU CSIE
Tangent - OCP Switches
Credit: OCP/Facebook, James R. Hamilton
Cumulus Networks; Facebook 6-Pack (40GE)
IPTables Fundamentals
● Three Tables
○ Mangle - handle special packets
■ INPUT - Ingress network traffic
■ OUTPUT - Egress network traffic
■ FORWARD - Forward to network behind server
○ NAT - perform network address translation for network behind the server
■ PREROUTING - Rules PRIOR to routing decision
■ POSTROUTING - Rules AFTER the routing decision
■ OUTPUT - Rules for transmitted packets
○ Filter - perform packet filtering for the server itself
● Targets, Jumps
○ Handle packet that is a perfect match with match section of the rule
○ Target Examples: ACCEPT, DROP, CLASSIFY (qdisc), CLUSTERIP, DNAT/SNAT, DSCP/ECN
Credit: NTU CSIE
IPTables Fundamentals
● Connection Tracking
○ Not a true state machine, although people refer to it as one anyway
○ Facilitated by conntrack
■ Can be a kernel module
■ Can be built into the kernel
○ Userland States: NEW, ESTABLISHED, RELATED, INVALID, UNTRACKED
● Commands for conntrack
○ If the ip_conntrack kernel module is loaded, the tracking table is visible at
■ /proc/net/ip_conntrack
Credit: University of New Hampshire, Computer Science Department
IPTables Fundamentals
Credit: iptables.info
IPTables Fundamentals
● ip_conntrack example (cat /proc/net/ip_conntrack)
tcp 6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 [ASSURED] use=2
Credit: iptables.info
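An added example (not from the talk) that parses entries in the /proc/net/ip_conntrack layout shown above: it counts entries per protocol and TCP state, and lists the original-direction destination of every [UNREPLIED] entry, which is the quickest way to spot connections that never get answered. The first sample line is the slide's own entry, the rest are constructed; the function names are this example's own, and the awk assumes the older ip_conntrack column layout rather than the newer /proc/net/nf_conntrack one.

```shell
#!/bin/sh
# Added example: parse /proc/net/ip_conntrack lines. The first sample line is
# the slide's entry; the remaining lines are constructed for this example.
SAMPLE_CONNTRACK='tcp 6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 [ASSURED] use=2
tcp 6 431999 ESTABLISHED src=192.168.1.6 dst=192.168.1.9 sport=32776 dport=22 src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32776 [ASSURED] use=1
tcp 6 110 SYN_SENT src=192.168.1.6 dst=192.168.1.20 sport=32777 dport=445 [UNREPLIED] src=192.168.1.20 dst=192.168.1.6 sport=445 dport=32777 use=1
udp 17 29 src=192.168.1.6 dst=192.168.1.1 sport=40000 dport=53 src=192.168.1.1 dst=192.168.1.6 sport=53 dport=40000 use=1'

# Column layout (ip_conntrack, as on the slide):
#   proto protonum timeout [TCPSTATE] <original tuple> [UNREPLIED] <reply tuple> [ASSURED] use=N
# Only TCP carries a state column; the original tuple precedes the reply tuple.

conntrack_state_counts() {
  # Count entries per protocol and TCP state. stdin -> lines of "proto state count".
  awk '{ state = ($1 == "tcp") ? $4 : "-"; n[$1 " " state]++ }
       END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

conntrack_unreplied() {
  # Print "proto dst dport" (original direction) for entries that never saw a
  # reply. A pile of these from one source usually means a service is down, a
  # firewall is dropping the traffic, or the host is probing its neighbours.
  awk '/\[UNREPLIED\]/ {
         dst = ""; dport = ""
         for (i = 1; i <= NF; i++) {
           if (dst == "" && $i ~ /^dst=/)     dst = substr($i, 5)
           if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
         }
         print $1, dst, dport
       }'
}

# Run against the constructed sample; on a live host feed it
# /proc/net/ip_conntrack instead.
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_state_counts
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_unreplied
```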
IPTables Fundamentals
Credit: Advanced Internet Technologies
IPTables Fundamentals
Credit: NTU CSIE
IPTables Commands
● IPTables Basic Args
○ -L lists all chains; -A appends a rule to a chain; -P sets a chain's default policy
● Default Policy
○ iptables -P INPUT DROP
○ iptables -P FORWARD DROP
○ iptables -P OUTPUT DROP
● Ingress Filter by Protocol (Example: ICMP Pings)
○ iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
○ iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
● Egress Filter by Protocol (Example: ICMP Pings)
○ iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
○ iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
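An added example (not from the talk) that turns the commands above into a complete iptables-restore ruleset: the default DROP policies, the ingress and egress ping rules, plus the conntrack states from the Connection Tracking slide so that replies to permitted traffic get through under a default-DROP OUTPUT chain. The function names build_ruleset and rule_count are this example's own.

```shell
#!/bin/sh
# Added example: generate an iptables-restore file for the default-DROP host
# firewall described on the slides. Nothing is applied here; the output is
# meant for "iptables-restore < file" on the target host.

build_ruleset() {
  # $1 "yes" lets this host ping others (egress example on the slide)
  # $2 "yes" lets others ping this host (ingress example on the slide)
  ping_out="${1:-yes}"
  ping_in="${2:-yes}"
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is needed by local services (resolver, local daemons)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets conntrack cannot classify are dropped before any ACCEPT sees them
-A INPUT -m conntrack --ctstate INVALID -j DROP
# replies to connections already permitted, in either direction
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
  if [ "$ping_in" = "yes" ]; then
    # Ingress filter by protocol (slide): answer pings from other hosts.
    # With conntrack the echo-reply rule is redundant (the reply is
    # ESTABLISHED) but is kept to mirror the slide.
    echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    echo '-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT'
  fi
  if [ "$ping_out" = "yes" ]; then
    # Egress filter by protocol (slide): let this host ping other hosts.
    echo '-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT'
    echo '-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT'
  fi
  echo 'COMMIT'
}

rule_count() {
  # Number of -A rules in a ruleset read from stdin; a quick sanity check
  # before loading it.
  grep -c '^-A '
}

# Print the full ruleset (both ping directions enabled).
build_ruleset yes yes
```

Without the two ESTABLISHED,RELATED rules, a DROP policy on OUTPUT would silently break every connection the host initiates, which is the most common mistake when copying the default-policy lines on their own.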
