Thursday, May 3, 2007

IPTables Firewall Map

Filter vs. Nat? (Chicken vs. Egg, movie at 11...)

A few years ago I had to setup a couple relatively complex firewalls (under Linux), and in the process managed to find some documentation on the order in which a packet traverses each table and it's rules.

Sounds pretty basic, however nothing in the documentation or man pages for iptables itself explains how the tables relate to one another; for example, a packet arriving at a machine which is destined for another machine will go through the FORWARD chain of both the filter and nat tables, but which table's FORWARD chain will be examined first? A fairly significant question, since each chain can and likely will have vastly different rules which may affect the packet, and the order these rules are applied in will likely also affect the outcome in most cases...

Perl to the rescue!

And so, I created iptables-map.

Like most of us who have worn a sysadmin hat at one point or another, Perl often ends up as my Swiss Army Knife of choice. Something else may have been faster/simpler/more elegant/whatever, but I suppose at the time I must have been doing a lot of work in Perl and so it was a natural first choice... plus it's always awesome for anything where heavy string manipulation and/or regular expressions are involved, and so when I was starting it I probably would have assumed that there would be more of that kind of thing involved, although it ended up pretty basic...

A Sample of the Sweetness

SENT Packets
mangle::OUTPUT >>> ACCEPT
filter::OUTPUT >>> DROP
-A OUTPUT -o lo >>> ACCEPT
-A OUTPUT -s -d -o eth0 -p tcp -m tcp --dport 22 >>> ACCEPT
-A OUTPUT -s -d -o eth0 -p tcp -m tcp --dport 22 >>> ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 >>> DROP
-A OUTPUT -s -o eth0 >>> ACCEPT

This is a snippet of an imaginary firewall which is restricting outgoing ssh connections. We're looking at the portion of the iptables-map output which is displaying the firewall path for packets originating from the local host ("SENT Packets"). The order in which the tables are listed (along with their default targets) is the order in which a packet will traverse them: OUTPUT chain of the mangle table first, then of the nat table, then of the filter table, then the POSTROUTING chain of the mangle table, and lastly the POSTROUTING chain of the nat table.

Pretty obvious in this output, however not at all obvious nor intuitive when all you have to work with are man pages and packaged iptables documentation.

The rest of the output is clearly showing you the specifics for each rule in each chain, and is naturally listing these rules in the order in which they're traversed/examined.

The Laundry List

In resurrecting this script for SourceForge, I've noticed that there's a new table ('raw') which is now part of a default iptables install, and ip6tables is also ready for prime time. I'll be adding support for both of these in the very near future. As an aside, if you'd like to request a version of this script in a different language, ie: as a bash or awk script or perhaps even C source for a binary, please email me and let me know!