netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different netfilter modules) and the chains and rules it stores​. Many systems use iptables/netfilter, Linux's native packet filtering/mangling framework since Linux 2.4, be it home routers or sophisticated cloud network stacks. In this session, we will talk about the netfilter framework and its facilities, explain how basic filtering and mangling use-cases are implemented using iptables, and introduce some less common but powerful extensions of iptables. Shmulik Ladkani, Chief Architect at Nsof Networks. Long time network veteran and kernel geek. Shmulik started his career at Jungo (acquired by NDS/Cisco) implementing residential gateway software, focusing on embedded Linux, Linux kernel, networking and hardware/software integration. Some billions of forwarded packets later, Shmulik left his position as Jungo's lead architect and joined Ravello Systems (acquired by Oracle) as tech lead, developing a virtual data center as a cloud-based service, focusing around virtualization systems, network virtualization and SDN.​ Recently he co-founded Nsof Networks, where he's been busy architecting network infrastructure as a cloud-based service, gazing at internet routes in astonishment, and playing the chkuku.

3. ●
●
●
○
○
○
○

4. ●
○
○
○
●
○
○
○

6. …

8. ●
●
○
○

9. ●
●
●
●
●
●
●

10. ip_rcv_finish()
ip_rcv()
ip_local_deliver_finish()
ip_local_deliver()
ip_forward()
ip_forward_finish()
ip_local_out()
dst_output()
ip_output()
ip_finish_output()

11. /*
* Main IP Receive routine.
*/
int ip_rcv(struct sk_buff *skb, struct net_device *dev,
struct packet_type *pt, struct net_device *orig)
{
...
return NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING,
net, NULL, skb, dev, NULL, ip_rcv_finish);
}

12. /* Activate hook; either okfn or kfree_skb called, unless a hook
returns NF_STOLEN (in which case, it's up to the hook to deal with
the consequences).
Returns -ERRNO if packet dropped. Zero means queued, stolen or accepted.
*/
static inline int
NF_HOOK_THRESH(uint8_t pf, unsigned int hook, struct net *net,
struct sock *sk, struct sk_buff *skb,
struct net_device *in, struct net_device *out,
int (*okfn)(struct net *, struct sock *, struct sk_buff *),
int thresh)
{
int ret = nf_hook_thresh(pf, hook, net, sk, skb, in, out, okfn, thresh);
if (ret == 1)
ret = okfn(net, sk, skb);
return ret;
}

13. int nf_register_net_hook(struct net *net,
const struct nf_hook_ops *ops);
int nf_register_net_hooks(struct net *net,
const struct nf_hook_ops *reg,
unsigned int n);
int nf_register_hook(struct nf_hook_ops *reg);
int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n);

14. static struct nf_hook_ops ipv4_synproxy_ops[] = {
{
.hook = ipv4_synproxy_hook,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP_PRI_CONNTRACK_CONFIRM - 1,
.priv = NULL,
},
{
.hook = ipv4_synproxy_hook,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP_PRI_CONNTRACK_CONFIRM - 1,
.priv = NULL,
},
};

15. static unsigned int
ipv4_synproxy_hook(void *priv, struct sk_buff *skb,
const struct nf_hook_state *nhs)
{
if (...)
return NF_ACCEPT;
...
if (...)
return NF_DROP;
return NF_ACCEPT;
}

16. ●
●
●
●
●

17. enum {
NFPROTO_UNSPEC = 0,
NFPROTO_INET = 1,
NFPROTO_IPV4 = 2,
NFPROTO_ARP = 3,
NFPROTO_NETDEV = 5,
NFPROTO_BRIDGE = 7,
NFPROTO_IPV6 = 10,
NFPROTO_DECNET = 12,
NFPROTO_NUMPROTO,
};

19. ●
●
●
●
○
●

21. ●
●

24. # iptables -t filter -P INPUT DROP
# iptables -P OUTPUT ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# iptables -A INPUT -s 40.5.6.7 -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -m mark --mark 0xE -j ACCEPT

25. # iptables -t mangle -A PREROUTING
-p tcp --dport 22 -j MARK --set-mark 2
# iptables -t mangle -A POSTROUTING
-p tcp --tcp-flags SYN,RST SYN -o eth0
-j TCPMSS --set-mss 1420
# iptables -t mangle -A OUTPUT -p TCP --dport 22
-j TOS --set-tos 0x10

26. # iptables -t nat -A POSTROUTING
-o eth0 -s 192.168.1.0/24
-j SNAT --to-source 2.55.4.8-2.55.4.9
192.168.1.10
192.168.1.11
192.168.1.12
192.168.1.13
2.55.4.8
2.55.4.9

27. # iptables -t nat -A POSTROUTING
-o eth0 -s 192.168.1.0/24 -j MASQUERADE
192.168.1.10
192.168.1.11
192.168.1.12
192.168.1.13
2.55.4.9

28. # iptables -t nat -A PREROUTING -d 2.55.4.8 -p tcp --dport 80
-j DNAT --to-destination 192.168.1.10
192.168.1.10
192.168.1.11
192.168.1.12
192.168.1.13
2.55.4.8 :80
2.55.4.9

30. ●
●
○
○
●

31. # iptables -t filter -P INPUT DROP
# iptables -P OUTPUT ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED
-j ACCEPT
# iptables -A INPUT -p tcp --dport 443
-m conntrack --ctstate NEW -j ACCEPT

33. ●
# iptables -A PREROUTING -m addrtype --dst-type MULTICAST -j DROP
# iptables -A PREROUTING -m addrtype ! --dst-type LOCAL
-j MARK --set-mark 2
●
# iptables -A FORWARD -m devgroup --src-group 27 -j ACCEPT
●
# iptables -A FORWARD -m mark --mark 0x3/0x7 -j ACCEPT

34. ●
// match IP packets with total length >= 256
-m u32 --u32 "0 & 0xFFFF = 0x100:0xFFFF"
// TCP payload bytes 8-12 is any of 1, 2, 5 or 8
"6 & 0xFF = 6 && 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8"
●
-m bpf --bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0'

35. ●
●
●
●
● …

36. ●
●
●
●

37. ●
●
●
● …

38. # iptables -t filter -N NO-PRIVATE
# iptables -A NO-PRIVATE -s 10.0.0.0/8 -j DROP
# iptables -A NO-PRIVATE -s 172.16.0.0/12 -j DROP
# iptables -A NO-PRIVATE -s 192.168.0.0/16 -j DROP
# iptables -A INPUT -i eth0 -j NO-PRIVATE
# iptables -A FORWARD -i eth0 -j NO-PRIVATE

39. // Calls the specified chain,
continue processing in current chain if no match
# iptables -A INPUT ... -j MY-CHAIN
// Continue processing in the specified chain.
return will not continue in current chain,
but in the previous calling chain
# iptables -A INPUT ... -g MY-CHAIN
// Stop traversing, resume at the next rule in the previous
calling chain
# iptables -A MY-CHAIN ... -j RETURN

40. ●
●
●

42. ●
●
●
○
●
●
●
○
○

44. ●
●
●
●
●