The Linux Security Journey — iptables: Chains

<p>In general, &ldquo;iptables&rdquo; is an administration tool used for IPv4/IPv6 packet filtering and NAT (<a href="https://linux.die.net/man/8/iptables" rel="noopener ugc nofollow" target="_blank">https://linux.die.net/man/8/iptables</a>). To handle network traffic, &ldquo;iptables&rdquo; uses a series of rules that are organized into chains. There are 5 built-in chains: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING. Those chains are based on Netfilter&rsquo;s hook callbacks (<a href="https://medium.com/@boutnaru/the-linux-security-journey-netfilter-90c6cf12ca40" rel="noopener">https://medium.com/@boutnaru/the-linux-security-journey-netfilter-90c6cf12ca40</a>). We can also see that in the source code for both IPv4 (<a href="https://elixir.bootlin.com/linux/v6.5.5/source/net/ipv4/netfilter/ip_tables.c#L124" rel="noopener ugc nofollow" target="_blank">https://elixir.bootlin.com/linux/v6.5.5/source/net/ipv4/netfilter/ip_tables.c#L124</a>) and IPv6 (<a href="https://elixir.bootlin.com/linux/v6.5.5/source/net/ipv6/netfilter/ip6_tables.c#L149" rel="noopener ugc nofollow" target="_blank">https://elixir.bootlin.com/linux/v6.5.5/source/net/ipv6/netfilter/ip6_tables.c#L149</a>).</p>
<p>Moreover, we can create user-defined chains using the command &ldquo;sudo iptables -N CHAIN_NAME&rdquo;. After creating the chain, we can add new rules to it (more on rules in a future writeup) by specifying the chain name with the &ldquo;-A&rdquo; switch in &ldquo;iptables&rdquo; &mdash; as shown in the screenshot below.
To move to another chain we need to use a &ldquo;Jump Target&rdquo;, which causes evaluation to continue on a different chain for additional processing (<a href="https://www.digitalocean.com/community/tutorials/a-deep-dive-into-iptables-and-netfilter-architecture#jumping-to-user-defined-chains" rel="noopener ugc nofollow" target="_blank">https://www.digitalocean.com/community/tutorials/a-deep-dive-into-iptables-and-netfilter-architecture#jumping-to-user-defined-chains</a>). The different targets that are available will be covered in a future writeup.</p> <p><a href="https://medium.com/@boutnaru/the-linux-security-journey-iptables-chains-5b31d1eb6b53"><strong>Learn More</strong></a></p>
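<p>The steps described above (create a chain with &ldquo;-N&rdquo;, append rules with &ldquo;-A&rdquo;, jump to it with &ldquo;-j&rdquo;) as an added example that is not part of the original article. The chain name SSH_FILTER, the subnet 192.0.2.0/24 and the helper function names are constructed for illustration; the script only prints the commands unless APPLY=1 is set.</p>

```shell
#!/bin/sh
# Added example, not from the original article. SSH_FILTER and 192.0.2.0/24
# (a documentation range) are constructed sample values.
CHAIN="${CHAIN:-SSH_FILTER}"
ALLOWED_NET="${ALLOWED_NET:-192.0.2.0/24}"
BUILTINS="PREROUTING INPUT FORWARD OUTPUT POSTROUTING"

# Accept only names iptables will take (under 29 characters, no leading "-")
# that do not shadow a built-in chain. The character set is a conservative choice.
valid_chain_name() {
    [ -n "$1" ] && [ "${#1}" -lt 29 ] || return 1
    case "$1" in -*|*[!A-Za-z0-9_-]*) return 1 ;; esac
    for _b in $BUILTINS; do
        if [ "$1" = "$_b" ]; then return 1; fi
    done
    return 0
}

# Print the commands in the order to apply them: create and fill the chain first,
# add the jump from INPUT last. A packet that reaches the end of a user-defined
# chain returns to the calling chain, so the chain ends with an explicit DROP.
chain_commands() {
    valid_chain_name "$CHAIN" || { echo "invalid chain name: $CHAIN" >&2; return 1; }
    printf '%s\n' \
        "iptables -N $CHAIN" \
        "iptables -A $CHAIN -s $ALLOWED_NET -j ACCEPT" \
        "iptables -A $CHAIN -j DROP" \
        "iptables -A INPUT -p tcp --dport 22 -j $CHAIN"
}

# Dry run by default. APPLY=1 executes the commands and needs root.
apply_chain() {
    _cmds=$(chain_commands) || return 1
    if [ "${APPLY:-0}" != 1 ]; then
        printf '%s\n' "$_cmds" | sed 's/^/[dry-run] /'
        return 0
    fi
    printf '%s\n' "$_cmds" | while IFS= read -r _cmd; do $_cmd || exit 1; done
}

apply_chain
```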
Tags: Linux Security