Linux packet filtering tools

Introduction

This article describes the packet filtering tools available on Linux. The environment is explained using CentOS 7 as an example.

ebtables

ebtables is a tool for setting rules for Ethernet frames passing through a Linux bridge. Like iptables, ebtables uses "tables", "chains", and "targets" to express rules.

table    Overview                       Available chains
filter   Ethernet frame filtering       INPUT, OUTPUT, FORWARD
nat      Change MAC address             PREROUTING, OUTPUT, POSTROUTING
broute   Bridge and router functions    BROUTING

-- Add a rule
# ebtables -t broute -A BROUTING -p IPv6 -j ACCEPT

-- Show the chains of the broute table
# ebtables -t broute -L

Bridge table: broute

Bridge chain: BROUTING, entries: 2, policy: ACCEPT
-j BROUTING_direct
-p IPv6 -j ACCEPT 

Bridge chain: BROUTING_direct, entries: 1, policy: ACCEPT
-j RETURN 

-- Show the chains of the broute table, including packet and byte counters (--Lc)
# ebtables -t broute -L --Lc

Bridge table: broute

Bridge chain: BROUTING, entries: 2, policy: ACCEPT
-j BROUTING_direct, pcnt = 0 -- bcnt = 0
-p IPv6 -j ACCEPT , pcnt = 0 -- bcnt = 0

Bridge chain: BROUTING_direct, entries: 1, policy: ACCEPT
-j RETURN , pcnt = 0 -- bcnt = 0

iptables

Linux packet filtering is done by Netfilter in the Linux kernel.

CentOS 7 and later use firewalld, but firewalld itself calls iptables to configure Netfilter. This article describes iptables.

iptables is a tool for setting packet filter rules in the Linux kernel. For IPv6, use ip6tables.

iptables uses "tables", "chains", and "targets" to set rules.

table        Overview               Available chains
filter       Packet filtering       INPUT, OUTPUT, FORWARD
nat          Packet conversion      PREROUTING, OUTPUT, POSTROUTING
mangle (*)   IP header rewriting    PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING

(*) From kernel 2.4.18, the mangle table also supports the three built-in chains INPUT, FORWARD, and POSTROUTING.

firewalld is the default in CentOS 7, so to use iptables as a service you need to install iptables-services. Note that firewalld and the iptables service cannot be enabled at the same time.

-- Install iptables-services
# yum -y install iptables-services

-- Allow access to port 80 from the outside
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

-- Discard access from a specific network
# iptables -A INPUT -s 10.0.0.0/8 -j DROP

-- Allow access to port 22 from a specific IP address
# iptables -A INPUT -s 192.168.0.2 -p tcp --dport 22 -j ACCEPT

-- Masquerade traffic from the internal network going out to the outside
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o enp0s8 -j MASQUERADE

-- Rewrite the destination (DNAT) of access from the outside to a specific internal address
# iptables -t nat -A PREROUTING -d 192.168.0/24 -i enp0s8 -j DNAT --to 192.168.10.2

Rules added with iptables are held only in the kernel and are lost when the OS is restarted. To save the current rules to a file, use the `iptables-save` command; `iptables-restore` reads that file back.

-- Back up iptables rules
# iptables-save > iptables.backup

-- Restore iptables rules
# iptables-restore < iptables.backup

Filtering can be applied automatically at boot by enabling the iptables service, which loads the saved rules, or by running a script that issues the iptables commands when the server starts.
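The rules above are appended one at a time with -A, and iptables evaluates a chain top to bottom, so with that order a host in 10.0.0.0/8 still reaches port 80 (the ACCEPT for port 80 sits before the DROP), and because the INPUT policy is still ACCEPT the "port 22 only from 192.168.0.2" rule does not actually restrict anything. The following script is an added example (not from the article) that writes the same rules as a complete ruleset in iptables-save format, with the DROP placed first and a default-DROP INPUT policy, and loads it atomically with iptables-restore. The addresses and the interface name enp0s8 are the article's; the variable names, the conntrack rules and the file path are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original article: build a ruleset in
# iptables-save format and load it atomically with iptables-restore instead
# of issuing "iptables -A" commands one by one.

ADMIN_IP="192.168.0.2"      # host allowed to reach SSH (article value)
LAN_NET="192.168.0.0/24"    # internal network to masquerade (article value)
WAN_IF="enp0s8"             # external interface (article value)
DNAT_TARGET="192.168.10.2"  # internal host that receives redirected traffic (article value)
BLOCK_NET="10.0.0.0/8"      # network to discard (article value)

# Print the ruleset. Rules are matched top to bottom, so the DROP for
# BLOCK_NET comes before the ACCEPT for port 80, and the INPUT policy is
# DROP so that only the listed traffic gets in.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s $BLOCK_NET -j DROP
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s $ADMIN_IP -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN_NET -o $WAN_IF -j ACCEPT
-A FORWARD -d $DNAT_TARGET -i $WAN_IF -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
-A PREROUTING -i $WAN_IF -d $LAN_NET -j DNAT --to-destination $DNAT_TARGET
COMMIT
EOF
}

# Number of "-A" rules in the generated ruleset (used as a sanity check).
count_rules() {
    gen_ruleset | grep -c '^-A '
}

# Write the ruleset to a file and load it. iptables-restore replaces each
# table in one transaction, so there is no moment where only some of the
# rules are active. "--test" parses the file without committing it, which
# catches typos before the kernel is touched. Only root can load rules;
# otherwise the file is written and nothing else happens.
load_ruleset() {
    file=${1:-/tmp/iptables.rules}   # assumed path for this example
    gen_ruleset > "$file"
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables-restore >/dev/null 2>&1; then
        echo "not root or iptables-restore missing: wrote $file only" >&2
        return 0
    fi
    iptables-restore --test "$file" && iptables-restore "$file"
}

# Usage: sh rules.sh load [file]
case "${1:-}" in
    load) load_ruleset "${2:-/tmp/iptables.rules}" ;;
esac
```

The generated file is in the same format that `iptables-save` produces, so the same file can be fed to the iptables service at boot; keeping the rules in a file under version control and loading it with `iptables-restore` also makes it easy to diff the live rules (`iptables-save`) against what was intended.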

ipset

ipset is a tool for managing IP addresses and networks as a named set, which iptables rules can then match against.

-- Create a set
# ipset create mynetwork hash:net

-- Register a network
# ipset add mynetwork 10.0.0.0/24

-- Check the contents of the set
# ipset list mynetwork

Name: mynetwork
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 440
References: 0
Number of entries: 1
Members:
10.0.0.0/24

-- Reference the set from iptables
# iptables -I INPUT -m set --match-set mynetwork src -j ACCEPT

-- Check iptables
# iptables -t filter -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             match-set mynetwork src

Sets created with ipset are also lost when the OS is restarted. To make them permanent, save them with the following command and have a service restore the file at boot.

-- Save the sets
# ipset save > /etc/ipset.conf

To delete the sets, stop the firewall service first (a set that is still referenced by a rule cannot be destroyed) and then run the following commands.

-- Stop the firewall
# systemctl stop firewalld

-- Destroy all sets
# ipset destroy

-- Check the remaining sets
# ipset list

The saved sets can be restored with the following command.

-- Restore ipset
# ipset restore < /etc/ipset.conf

(*) The file read by `ipset restore` must be one produced by the `ipset save` command.
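Because a set that an iptables rule references cannot be destroyed, the usual way to replace its contents is to fill a temporary set and then `ipset swap` it with the live one, which is atomic and never leaves the rule pointing at an empty set. The script below is an added example (not from the article) that generates an `ipset restore` script doing exactly that from a list of networks, validating each entry first so that a malformed line cannot end up in the restore file. The set name mynetwork is the article's; the temporary set name, the helper names and the sample network list are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original article: rebuild the "mynetwork"
# set from a list of networks without destroying the set that iptables
# references. The new contents go into a temporary set that is swapped in.

SET_NAME="mynetwork"          # set name from the article
TMP_SET="${SET_NAME}_new"     # assumed name for the temporary set

# Accept only well-formed IPv4 networks: a.b.c.d or a.b.c.d/n with every
# octet <= 255 and n <= 32. Returns 0 when valid, 1 otherwise.
valid_net() {
    case $1 in
        */*) addr=${1%/*}; plen=${1#*/} ;;
        *)   addr=$1;      plen=32 ;;
    esac
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    echo "$plen" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$plen" -le 32 ] || return 1
    # check each octet in a subshell so the IFS change does not leak
    ( IFS=.; for octet in $addr; do [ "$octet" -le 255 ] || exit 1; done ) || return 1
    return 0
}

# Read networks from stdin (one per line, blank lines and "#" comments are
# skipped) and print an "ipset restore" script. Invalid entries are reported
# on stderr and left out. The final swap/destroy pair replaces the live set's
# contents in one step.
gen_restore() {
    printf 'create %s hash:net\n' "$SET_NAME"
    printf 'create %s hash:net\n' "$TMP_SET"
    printf 'flush %s\n' "$TMP_SET"
    while IFS= read -r net; do
        case $net in ''|'#'*) continue ;; esac
        if valid_net "$net"; then
            printf 'add %s %s\n' "$TMP_SET" "$net"
        else
            echo "skipping invalid entry: $net" >&2
        fi
    done
    printf 'swap %s %s\n' "$TMP_SET" "$SET_NAME"
    printf 'destroy %s\n' "$TMP_SET"
}

# Constructed sample input for this example (deliberately includes two bad
# entries to show the validation).
sample_list() {
    cat <<'EOF'
# constructed sample: networks to allow
10.0.0.0/24
192.168.1.0/24
300.1.1.1/24
not-a-network
172.16.0.5
EOF
}

# Apply a list file to the kernel. "-exist" makes the create lines idempotent
# when the sets already exist. Requires root and the ipset binary.
apply_list() {
    if [ "$(id -u)" -ne 0 ] || ! command -v ipset >/dev/null 2>&1; then
        echo "not root or ipset missing: printing the restore script instead" >&2
        gen_restore < "$1"
        return 0
    fi
    gen_restore < "$1" | ipset restore -exist
}
```

Usage: `sh update-set.sh` after saving the sample list to a file and calling `apply_list networks.txt`; the article's `ipset save > /etc/ipset.conf` then captures the swapped-in contents for the next boot.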

nft

nftables is the packet filtering framework that replaces iptables; it was added in kernel 3.13 and is configured with the nft command. On CentOS it can be installed with the following command.

-- Install nftables
# yum install -y nftables

Its performance is better than that of iptables. Unlike iptables, it has no tables or chains by default, so you need to create them yourself.

When using nft, configure it in the following order.

  1. Create a table
  2. Create a chain
  3. Create a rule

-- Create a table
# nft add table ip mynetwork

-- Create a chain
# nft add chain ip mynetwork localchain { type filter hook input priority 0 \; }

-- Create a rule
# nft add rule ip mynetwork localchain tcp dport 22 accept

-- Check the rules
# nft list ruleset

table ip TESTTABLE {
	chain testchain {
		type filter hook input priority 0; policy accept;
		tcp dport ssh accept
	}
}
table ip mynetwork {
	chain localchain {
		type filter hook input priority 0; policy accept;
		tcp dport ssh accept
	}
}
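The chain created above has policy accept, so the single `tcp dport 22 accept` rule changes nothing until the policy is drop. The script below is an added example (not from the article) that writes a complete nftables ruleset in nft file syntax: an input chain with policy drop, the article's port 80 and port 22 rules and its 10.0.0.0/8 block, the admin host kept in an nft set, and `flush ruleset` at the top so that `nft -f` replaces the old rules atomically. The table, chain and set names and the file path are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original article: a complete nftables
# ruleset with a default-drop input chain, generated as a file that can be
# checked with "nft -c -f" and loaded with "nft -f".

# Print the ruleset. "flush ruleset" makes the load atomic: everything in
# the file is applied in one transaction, replacing whatever was there.
gen_nft_ruleset() {
    cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    # hosts allowed to reach ssh (192.168.0.2 is the article's admin host)
    set admin_hosts {
        type ipv4_addr
        elements = { 192.168.0.2 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip saddr 10.0.0.0/8 drop
        tcp dport 80 ct state new accept
        ip saddr @admin_hosts tcp dport 22 ct state new accept
        # log (rate limited) what the drop policy is about to discard
        limit rate 5/minute log prefix "nft input drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
    }
}
EOF
}

# Number of chains whose default policy is drop (sanity check).
count_drop_chains() {
    gen_nft_ruleset | grep -c 'policy drop;'
}

# Write the ruleset to a file and, as root with nft installed, validate it
# with "nft -c -f" (parse and check without loading). Loading is left to the
# operator: "nft -f FILE" once the check passes.
check_nft_ruleset() {
    file=${1:-/tmp/nftables.conf}   # assumed path for this example
    gen_nft_ruleset > "$file"
    if [ "$(id -u)" -ne 0 ] || ! command -v nft >/dev/null 2>&1; then
        echo "not root or nft missing: wrote $file only" >&2
        return 0
    fi
    nft -c -f "$file"
}

# Usage: sh nft-rules.sh check [file]
case "${1:-}" in
    check) check_nft_ruleset "${2:-/tmp/nftables.conf}" ;;
esac
```

Adding a second admin host is then a matter of `nft add element inet filter admin_hosts { ADDRESS }` rather than editing rules, and `nft list ruleset` shows the counters and the set contents together.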

Conclusion

Now that the cloud is pervasive there are fewer occasions to use Linux packet filtering directly, but it remains essential knowledge for system administrators.
