{"id":35815,"date":"2019-02-23T09:58:53","date_gmt":"2019-02-23T07:58:53","guid":{"rendered":"https:\/\/mamchenkov.net\/wordpress\/?p=35815"},"modified":"2019-02-23T14:51:39","modified_gmt":"2019-02-23T12:51:39","slug":"a-deep-dive-into-iptables-and-netfilter-architecture","status":"publish","type":"post","link":"https:\/\/mamchenkov.net\/wordpress\/2019\/02\/23\/a-deep-dive-into-iptables-and-netfilter-architecture\/","title":{"rendered":"A Deep Dive into Iptables and Netfilter Architecture"},"content":{"rendered":"<!-- google_ad_section_start -->\n\n<p class=\"wp-block-paragraph\">It&#8217;s been a while since I had to dive into iptables and netfilter.  These days I mostly have to do some basic configuration here and there, with occasional adjustments or troubleshooting (less and less so, thanks to Amazon AWS).  But if drilled on the details, I quickly lose my confidence.  In an effort to refresh my memory, I looked around for a blog post or an article that is short and simple, yet deep enough for me to brush some rust off.  
I found &#8220;<a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/a-deep-dive-into-iptables-and-netfilter-architecture\">A Deep Dive into Iptables and Netfilter Architecture<\/a>&#8221; very helpful.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Turns out, the bit I needed the most was this one:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><strong>Chain Traversal Order<\/strong><br><\/p><p>Assuming that the server knows how to route a packet and that the firewall rules permit its transmission, the following flows represent the paths that will be traversed in different situations:<\/p><p>* <strong>Incoming packets destined for the local system<\/strong>:&nbsp;<code>PREROUTING<\/code>&nbsp;-&gt;&nbsp;<code>INPUT<\/code><br>* <strong>Incoming packets destined to another host<\/strong>:&nbsp;<code>PREROUTING<\/code>&nbsp;-&gt;&nbsp;<code>FORWARD<\/code>&nbsp;-&gt;&nbsp;<code>POSTROUTING<\/code><br>* <strong>Locally generated packets<\/strong>:&nbsp;<code>OUTPUT<\/code>&nbsp;-&gt;&nbsp;<code>POSTROUTING<\/code><\/p><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Technical documentation is so much easier these days.  I remember the old days of manual pages and HOWTO guides, and I think we&#8217;ve made a lot of progress.<\/p>\n<!-- google_ad_section_end -->\n","protected":false},"excerpt":{"rendered":"<!-- google_ad_section_start -->\n<p>It&#8217;s been a while since I had to dive into iptables and netfilter. These days I mostly have to do some basic configuration here and there, with occasional adjustments or troubleshooting (less and less so, thanks to Amazon AWS). But if drilled on the details, I quickly lose my confidence. 
In an effort to &hellip; <a href=\"https:\/\/mamchenkov.net\/wordpress\/2019\/02\/23\/a-deep-dive-into-iptables-and-netfilter-architecture\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">A Deep Dive into Iptables and Netfilter Architecture<\/span><\/a><\/p>\n<!-- google_ad_section_end -->\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"A Deep Dive into Iptables and Netfilter Architecture #security #Linux #hosting","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_links_to":"","_links_to_target":""},"categories":[1,6,133,62],"tags":[1960,281,200,2289],"keyring_services":[],"class_list":["post-35815","post","type-post","status-publish","format-standard","hentry","category-general","category-linux","category-sysadmin","category-technology","tag-command-line","tag-networks","tag-security","tag-web-hosting"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":17884,"url":"https:\/\/mamchenkov.net\/wordpress\/2013\/03\/14\/ssh-dynamic-black-list\/","url_meta":{"origin":35815,"position":0},"title":"SSH dynamic black list","author":"Leonid Mamchenkov","date":"March 14, 2013","format":false,"excerpt":"Slashdot runs the post on how bots are now trying higher ports for SSH password guessing. 
\u00a0This is not a problem for those who do key-based authentication, but for those who have to have password authentication enabled, there is plenty of good advice in the comments to the post. \u00a0One\u2026","rel":"","context":"In &quot;All&quot;","block_context":{"text":"All","link":"https:\/\/mamchenkov.net\/wordpress\/category\/general\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":28156,"url":"https:\/\/mamchenkov.net\/wordpress\/2017\/10\/31\/firewalld-configuration-and-usage\/","url_meta":{"origin":35815,"position":1},"title":"Firewalld configuration and usage","author":"Leonid Mamchenkov","date":"October 31, 2017","format":false,"excerpt":"If you are a Linux old-timer, who is used to iptables (or even ipchains, or even ... anyway), you might find \"Firewalld configuration and usage\" guide very handy.\u00a0 It covers firewalld concepts and provides a number of examples for zones, ports, services, interfaces and other bits and pieces that you\u2026","rel":"","context":"In &quot;All&quot;","block_context":{"text":"All","link":"https:\/\/mamchenkov.net\/wordpress\/category\/general\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":27501,"url":"https:\/\/mamchenkov.net\/wordpress\/2017\/04\/09\/network-traffic-control-qos\/","url_meta":{"origin":35815,"position":2},"title":"Network Traffic Control (QOS)","author":"Leonid Mamchenkov","date":"April 9, 2017","format":false,"excerpt":"OpenWrt, which is a Linux distribution for embedded devices, website has a really handy HowTo on Network Traffic Control (QOS). Traffic Control is the umbrella term for packet prioritizing, traffic shaping, bandwidth limiting, AQM (Active Queue Management), QoS (Quality of Service), etc. 
This HowTo will help you understand and set\u2026","rel":"","context":"In &quot;All&quot;","block_context":{"text":"All","link":"https:\/\/mamchenkov.net\/wordpress\/category\/general\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":26308,"url":"https:\/\/mamchenkov.net\/wordpress\/2016\/08\/04\/setting-up-nat-on-amazon-aws\/","url_meta":{"origin":35815,"position":3},"title":"Setting up NAT on Amazon AWS","author":"Leonid Mamchenkov","date":"August 4, 2016","format":false,"excerpt":"When it comes to Amazon AWS, there are a few options for configuring Network Address Translation (NAT). \u00a0Here is a brief overview. NAT Gateway NAT Gateway is a configuration very similar to Internet Gateway. \u00a0My understanding is that the only major difference between the NAT Gateway and the Internet Gateway\u2026","rel":"","context":"In &quot;All&quot;","block_context":{"text":"All","link":"https:\/\/mamchenkov.net\/wordpress\/category\/general\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":46046,"url":"https:\/\/mamchenkov.net\/wordpress\/2020\/01\/30\/dive-docker-image-explorer\/","url_meta":{"origin":35815,"position":4},"title":"dive &#8211; Docker image explorer","author":"Leonid Mamchenkov","date":"January 30, 2020","format":false,"excerpt":"dive is a Docker image explorer. This is a very handy tool when you are trying to figure out how a Docker image was built and what's in it, and you don't have the original Dockerfile. 
It uses the meta information for each layer to show you which command was\u2026","rel":"","context":"In &quot;All&quot;","block_context":{"text":"All","link":"https:\/\/mamchenkov.net\/wordpress\/category\/general\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/mamchenkov.net\/wordpress\/wp-content\/uploads\/2020\/01\/dive.gif?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/mamchenkov.net\/wordpress\/wp-content\/uploads\/2020\/01\/dive.gif?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/mamchenkov.net\/wordpress\/wp-content\/uploads\/2020\/01\/dive.gif?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/mamchenkov.net\/wordpress\/wp-content\/uploads\/2020\/01\/dive.gif?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/mamchenkov.net\/wordpress\/wp-content\/uploads\/2020\/01\/dive.gif?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/mamchenkov.net\/wordpress\/wp-content\/uploads\/2020\/01\/dive.gif?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":8043,"url":"https:\/\/mamchenkov.net\/wordpress\/2004\/10\/12\/dive-into-python\/","url_meta":{"origin":35815,"position":5},"title":"Dive into Python","author":"Leonid Mamchenkov","date":"October 12, 2004","format":false,"excerpt":"Once in a while I need to write a couple of lines in Python. When that happens I hysterically run around the web looking for some quick introduction or tutorial on the language. There are plenty of those, of course. 
But just to have something handy, I'll put a link\u2026","rel":"","context":"In &quot;All&quot;","block_context":{"text":"All","link":"https:\/\/mamchenkov.net\/wordpress\/category\/general\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_sharing_enabled":true,"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/posts\/35815","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/comments?post=35815"}],"version-history":[{"count":0,"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/posts\/35815\/revisions"}],"wp:attachment":[{"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/media?parent=35815"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/categories?post=35815"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/tags?post=35815"},{"taxonomy":"keyring_services","embeddable":true,"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/keyring_services?post=35815"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
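The chain traversal order quoted in the post is easy to read and easy to get wrong in practice: a rule placed in INPUT never sees traffic the box merely forwards, and a FORWARD policy never touches the host's own connections. The model below is an added example, not code from the original post or from the DigitalOcean article. It encodes the three quoted paths and a minimal first-match rule evaluator for the filter table, then runs a few constructed packets through a constructed "SSH-only" ruleset. The class and function names (Packet, Rule, FilterTable, traversal_path, verdict, example_ruleset), the local address set and the sample packets are all assumptions made for illustration; real netfilter also runs the nat, mangle and raw tables and connection tracking on the same hooks, which this model leaves out.

```python
"""Toy model of iptables chain traversal for the filter table.

Added example, not code from the original post or the DigitalOcean article.
It encodes the three quoted paths and a minimal first-match rule evaluator,
so you can see which chain decides a packet's fate and why a rule in the
wrong chain never fires. All names and addresses here are constructed.
Real netfilter also runs nat/mangle/raw and conntrack on these hooks.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed: addresses the model treats as belonging to this host.
LOCAL_ADDRS = frozenset({"10.0.0.1", "192.168.1.1", "127.0.0.1"})

# The filter table hooks only these chains. PREROUTING and POSTROUTING exist
# in the nat/mangle/raw tables, so for filtering they are pass-through steps.
FILTER_CHAINS = ("INPUT", "FORWARD", "OUTPUT")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    locally_generated: bool = False  # True for packets this host creates


@dataclass(frozen=True)
class Rule:
    """One filter rule: every field that is set must match; target is terminal."""
    target: str  # ACCEPT, DROP or REJECT
    proto: Optional[str] = None
    dport: Optional[int] = None
    src: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (
            (self.proto is None or self.proto == p.proto)
            and (self.dport is None or self.dport == p.dport)
            and (self.src is None or self.src == p.src)
        )


@dataclass
class FilterTable:
    policy: Dict[str, str] = field(
        default_factory=lambda: {c: "ACCEPT" for c in FILTER_CHAINS})
    rules: Dict[str, List[Rule]] = field(
        default_factory=lambda: {c: [] for c in FILTER_CHAINS})


def traversal_path(p: Packet, local_addrs=LOCAL_ADDRS) -> List[str]:
    """The three paths from the quoted 'Chain Traversal Order' section."""
    if p.locally_generated:
        return ["OUTPUT", "POSTROUTING"]
    if p.dst in local_addrs:  # the routing decision: is this packet for us?
        return ["PREROUTING", "INPUT"]
    return ["PREROUTING", "FORWARD", "POSTROUTING"]


def verdict(table: FilterTable, p: Packet,
            local_addrs=LOCAL_ADDRS) -> Tuple[str, str]:
    """Walk the packet's path and return (verdict, chain that decided it).

    Inside a chain the first matching rule wins; with no match the chain
    policy applies. Any verdict other than ACCEPT ends traversal.
    """
    decided_by = ""
    for chain in traversal_path(p, local_addrs):
        if chain not in FILTER_CHAINS:
            continue  # no filter-table hook at this point of the path
        decided_by = chain
        decision = table.policy[chain]
        for rule in table.rules[chain]:
            if rule.matches(p):
                decision = rule.target
                break
        if decision != "ACCEPT":
            return decision, chain
    return "ACCEPT", decided_by


def example_ruleset() -> FilterTable:
    """Constructed 'SSH-only' host policy. Equivalent iptables commands:
        iptables -P INPUT DROP
        iptables -P FORWARD DROP
        iptables -P OUTPUT ACCEPT
        iptables -A INPUT -s 127.0.0.1 -j ACCEPT
        iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    """
    t = FilterTable()
    t.policy.update(INPUT="DROP", FORWARD="DROP", OUTPUT="ACCEPT")
    t.rules["INPUT"].append(Rule("ACCEPT", src="127.0.0.1"))
    t.rules["INPUT"].append(Rule("ACCEPT", proto="tcp", dport=22))
    return t


if __name__ == "__main__":
    t = example_ruleset()
    samples = {  # constructed packets; 203.0.113.0/24 is documentation space
        "ssh to this host": Packet("203.0.113.5", "10.0.0.1", "tcp", 22),
        "http to this host": Packet("203.0.113.5", "10.0.0.1", "tcp", 80),
        "ssh routed via host": Packet("192.168.1.50", "203.0.113.5", "tcp", 22),
        "host's own https": Packet("10.0.0.1", "203.0.113.5", "tcp", 443,
                                   locally_generated=True),
    }
    for name, p in samples.items():
        v, chain = verdict(t, p)
        print(f"{name:20} {'->'.join(traversal_path(p)):32} {v} by {chain}")
```

The third sample is the one worth remembering: SSH from the LAN to an outside host is dropped by the FORWARD policy even though INPUT explicitly accepts port 22, because a forwarded packet never enters INPUT. Conversely, the host's own outbound HTTPS is accepted by OUTPUT and is never subject to the FORWARD policy.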