A Deep Dive into Iptables and Netfilter Architecture

It’s been a while since I had to dive into the iptables and netfilter. These days I mostly have to do some basic configuration here and there, with occasional adjustments or troubleshooting (less and less so, thanks to Amazon AWS). But if drilled on the details, I quickly lose my confidence. In an effort to refresh my memory, I looked around for a blog post or an article that is short and simple, yet deep enough for me to brush some rust of. I found “A Deep Dive into Iptables and Netfilter Architecture” very helpful.

Turns out, the bit I needed the most was this one:

Chain Traversal Order

Assuming that the server knows how to route a packet and that the firewall rules permit its transmission, the following flows represent the paths that will be traversed in different situations:

* Incoming packets destined for the local systemPREROUTING -> INPUT
* Incoming packets destined to another hostPREROUTING -> FORWARD -> POSTROUTING
* Locally generated packetsOUTPUT -> POSTROUTING

Technical documentation is so much easier these days. I remember the old days of manual pages and HOWTO guides, and I think we’ve made a lot of progress.

Things that shouldn’t be online

Slashdot is running a story about a researcher who scanned all Australian IP addresses and found a whole bunch of things that shouldn’t be online.

As interesting as it is, this comment to the thread offers a lot more:

Pffft Only one country?

At a defcon talk in 2014 (talk [youtube.com] slides [defcon.org]) they scanned the whole IPv4 space live, looking for VNC instances. At least, anything that responded to a SYN packet.
Then they took a couple months to connect to each VNC instance, if no password was required, grab a screen shot.
Leading to a series of talks of things that shouldn’t be on the internet [youtube.com].

I am still watching the video, but even in the first few minutes, you’ll see some crazy stuff. And let me get you started with a quick quiz question: if you had 7 servers, each connected to the Internet via a 1 Gb/s link, how long would it take you to scan the whole of Internet (all IP addresses), assuming 10 ports per IP?

Well, five years it took 12 minutes only, and it was done on stage at the conference! To me, this is somewhat mind-blowing. We keep hearing how huge and enormous the Internet is. So the idea of being able to scan all of it in just a few minutes sounds insane. Today, you’ll probably need even less time, with more better broadband and hardware.

And if you are curious about the tool that the guys used, it was massscan. It’s a lot faster than nmap for this kind of jobs, even though they are somewhat compatible.

The Book of Secret Knowledge

The Book of Secret Knowledge” is a collection of awesome lists, manuals, blogs, hacks, one-liners, cli/web tools and more.  It is intended for everyone and anyone – especially for System and Network Administrators, DevOps, Pentesters or Security Researchers.

While you are at it, also have a look at:

croc – simple and secure cross-platform file transfer


croc is a very simple but super useful utility, which helps with occasional file transfers between two computers. When you need to send a few files to a friend on another computer or in another country – this might just be the easiest way.  No need to setup HTTP or FTP servers, Samba or NFS shares, or register at one of the million web services that provide such functionality.

croc is written in Go and is compiled for a variety of operating systems, include Linux, Windows, and macOS.  It even has a simple GUI for those who wants it.