Ivan Velichko

@iximiuz

6 Tweets 5 reads Oct 17, 2022
iptables - a userspace program for configuring the kernel's IP packet filtering and modification (NAT, mangling) rules.
It's a dated but still widely used tool:
- Linux firewall
- Container egress (SNAT) and port publishing (DNAT)
- Kubernetes service discovery
- Service Mesh transparent injection
- etc.
iptables comes with its own terminology:
- tables
- chains
- rules
- targets
- policies
...that might be challenging to grasp. Here is how I approach it.
1. Come up with a logical model of packet processing inside the Linux kernel and give meaningful names to its stages. Netfilter has five of them: PREROUTING (right after a packet arrives), INPUT (just before delivery to a local process), FORWARD (for packets routed through the host), OUTPUT (just after a local process sends) and POSTROUTING (right before a packet leaves).
2. Understand the possible packet paths through these stages. A routing decision follows PREROUTING and decides whether the packet is delivered locally or forwarded, so a DNAT rule in PREROUTING changes which path the packet takes.
Packet from a local process:
OUTPUT -> POSTROUTING
Packet to a local process:
PREROUTING -> INPUT
Packet forwarded between interfaces:
PREROUTING -> FORWARD -> POSTROUTING
3. Memo - iptables is about tables of chains of rules.
Most common tables, in the order a packet meets them at any given stage:
raw -> mangle -> nat -> filter
Not every table has a chain at every stage (filter, for example, has INPUT, FORWARD and OUTPUT only), and the nat table is consulted for the first packet of a connection only; later packets reuse the mapping via conntrack.
Chains are named after the predefined stages:
PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING. You can also create your own chains and jump to them from the built-in ones.
Rules pair packet match criteria with a target: a terminating action like ACCEPT, DROP or REJECT, a rewriting action like DNAT, SNAT or MASQUERADE, or the name of another chain to jump to (RETURN jumps back).
A built-in chain's policy is the verdict applied when no rule in it matched.
4. Last but not least - precedence always matters!
Writing iptables programs is like programming on jumps.
The packet path is fixed by the kernel, the table precedence is fixed too, and the rule precedence within a chain is defined by your program: rules are evaluated top to bottom, and the first one whose match succeeds and whose target is terminating decides the packet's fate. A DROP placed after a broad ACCEPT never fires.
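To make steps 1-4 concrete, here is a small Python model of the traversal: hooks in path order, tables in precedence order at each hook, rules top to bottom inside a chain, jumps into user-defined chains, and the chain policy as the fallback. It is an added example, not the author's code and not a real iptables implementation (no conntrack, no REJECT, a single simplified routing decision). The host address 10.0.0.1, the container subnet 172.17.0.0/16, the DOCKER-USER chain and every rule are constructed to resemble a Docker-style host.

```python
"""Toy iptables traversal model: added example, not the thread author's code; addresses and rules are made up."""
from dataclasses import dataclass, field
from typing import Callable

# Tables consulted at each hook, in kernel precedence order (the `security` table is omitted).
TABLE_ORDER = {"PREROUTING": ["raw", "mangle", "nat"], "INPUT": ["mangle", "nat", "filter"],
               "FORWARD": ["mangle", "filter"], "OUTPUT": ["raw", "mangle", "nat", "filter"],
               "POSTROUTING": ["mangle", "nat"]}
LOCAL_ADDRS = {"10.0.0.1", "172.17.0.1"}   # assumed: addresses owned by this host

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str    # ACCEPT | DROP | RETURN | DNAT | MASQUERADE | <user-defined chain>
    to: str = ""   # DNAT "ip:port"; MASQUERADE replacement source address
@dataclass
class Chain:
    policy: str = "ACCEPT"   # built-in chains only: verdict when no rule terminates the walk
    rules: list = field(default_factory=list)

def walk_chain(chains, name, pkt):
    """First matching terminating rule wins; None means we fell off the end or hit RETURN."""
    for rule in chains[name].rules:
        if not rule.match(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        if rule.target == "DNAT":            # rewrite the destination, then keep going
            pkt.dst, port = rule.to.split(":")
            pkt.dport = int(port)
            return "ACCEPT"
        if rule.target == "MASQUERADE":      # rewrite the source, then keep going
            pkt.src = rule.to
            return "ACCEPT"
        verdict = walk_chain(chains, rule.target, pkt)   # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return None

def run_hook(tables, hook, pkt):
    for tname in TABLE_ORDER[hook]:   # each table owning a chain at this hook, in precedence order
        if (walk_chain(tables[tname], hook, pkt) or tables[tname][hook].policy) == "DROP":
            return "DROP"
    return "ACCEPT"

def walk_hooks(tables, pkt, hooks):
    path = []   # hooks visited; the walk stops at the first DROP
    for hook in hooks:
        path.append(hook)
        if run_hook(tables, hook, pkt) == "DROP":
            return "DROP", pkt, path
    return "ACCEPT", pkt, path

def receive(tables, pkt):
    """From the wire: PREROUTING, then the routing decision picks INPUT or FORWARD -> POSTROUTING."""
    verdict, pkt, path = walk_hooks(tables, pkt, ["PREROUTING"])
    if verdict == "ACCEPT":   # routing uses the (possibly DNAT-rewritten) destination
        rest = ["INPUT"] if pkt.dst in LOCAL_ADDRS else ["FORWARD", "POSTROUTING"]
        verdict, pkt, more = walk_hooks(tables, pkt, rest)
        path += more
    return verdict, pkt, path

def build_tables():
    # Every table starts with its built-in chains (ACCEPT policy, no rules).
    t = {n: {h: Chain() for h, ts in TABLE_ORDER.items() if n in ts} for n in ("raw", "mangle", "nat", "filter")}
    # Port publishing: host:8080 -> container:80 in nat/PREROUTING, i.e. before the routing decision.
    t["nat"]["PREROUTING"].rules.append(Rule(lambda p: p.proto == "tcp" and p.dport == 8080, "DNAT", "172.17.0.2:80"))
    # Container egress: traffic leaving the bridge subnet gets the host's address in nat/POSTROUTING.
    t["nat"]["POSTROUTING"].rules.append(
        Rule(lambda p: p.src.startswith("172.17.") and not p.dst.startswith("172.17."), "MASQUERADE", "10.0.0.1"))
    # filter/INPUT: DROP policy; the hostile-range DROP is deliberately placed before the SSH ACCEPT.
    t["filter"]["INPUT"] = Chain("DROP", [Rule(lambda p: p.src.startswith("203.0.113."), "DROP"),
                                          Rule(lambda p: p.proto == "tcp" and p.dport == 22, "ACCEPT")])
    # filter/FORWARD: DROP policy; jump into an (empty) user chain first, the way Docker does.
    t["filter"]["DOCKER-USER"] = Chain(rules=[Rule(lambda p: True, "RETURN")])
    t["filter"]["FORWARD"] = Chain("DROP", [Rule(lambda p: True, "DOCKER-USER"),
                                            Rule(lambda p: p.src.startswith("172.17."), "ACCEPT"),
                                            Rule(lambda p: p.dst == "172.17.0.2" and p.dport == 80, "ACCEPT")])
    return t

def demo():
    t, out = build_tables(), {}
    v, p, path = receive(t, Packet("198.51.100.7", "10.0.0.1", 8080))   # published port, from the internet
    out["published"] = (v, p.dst, p.dport, path)   # DNAT precedes routing: forwarded, never reaches INPUT
    out["blocked_ssh"] = receive(t, Packet("203.0.113.9", "10.0.0.1", 22))[0]  # range DROP precedes SSH ACCEPT
    out["allowed_ssh"] = receive(t, Packet("192.0.2.5", "10.0.0.1", 22))[0]    # falls through to the ACCEPT
    out["policy_drop"] = receive(t, Packet("192.0.2.5", "10.0.0.1", 443))[0]   # no match: INPUT policy decides
    v, p, path = receive(t, Packet("172.17.0.2", "93.184.216.34", 443))        # container egress
    out["egress"] = (v, p.src, path)               # ACCEPTed in FORWARD, source rewritten in nat/POSTROUTING
    out["local"] = walk_hooks(t, Packet("10.0.0.1", "192.0.2.5", 443), ["OUTPUT", "POSTROUTING"])[2]
    return out
```

Run `demo()` and compare the `published` and `egress` entries: the same three hooks are visited, but in one case nat/PREROUTING rewrote the destination before routing, and in the other nat/POSTROUTING rewrote the source after filtering. Swap the two filter/INPUT rules and `blocked_ssh` flips to ACCEPT, which is the whole of step 4 in one line.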
Have fun!
An illustrated introduction to Linux iptables, written in simple terms!
iximiuz.com
