LinuxQuestions.org > Linux - Security > PREROUTING and POSTROUTING (https://www.linuxquestions.org/questions/linux-security-4/prerouting-and-postrouting-887333/)

theuser 06-20-2011 10:04 AM

PREROUTING and POSTROUTING
 
Hello people.

I'm learning about IPTables, but I don't fully understand the chains of the NAT table (PREROUTING, POSTROUTING and OUTPUT).
I'm especially in doubt about PREROUTING and POSTROUTING.

As far as I know:
- DNAT can be made with PREROUTING
- SNAT can be made with POSTROUTING

NAT makes DNAT to change the target of a packet, and makes SNAT to change the source of a packet, so I conclude:
- PREROUTING is for incoming traffic
- POSTROUTING is for outgoing traffic

Is it correct? The previous conclusions seem logical in normal conditions, but they also seem limiting.

I'm thinking of a silly example to make DNAT for an employee; when he tries to connect to an adult website, he is redirected to Google.

On the other hand, the command "iptables" says the -o parameter (out interface) can't be used with PREROUTING and the parameter -i (in interface) can't be used with POSTROUTING; this affirms the previous conclusions.

I hope you can help me.

Kind regards and thanks in advance.

win32sux 06-20-2011 02:52 PM

One will see packets before a routing decision is made, and the other after.

Maybe checking out Chapter 6 of Oskar Andreasson's tutorial will help clarify things for you.

theuser 06-20-2011 04:10 PM

Thanks for your reply win32sux.

So I think I got it:
- PREROUTING is for incoming traffic
- POSTROUTING / OUTPUT are for outgoing traffic

But I didn't understand the difference between POSTROUTING and OUTPUT.

Kind regards.

win32sux 06-20-2011 05:32 PM

Quote:

Originally Posted by theuser (Post 4391080)
But I didn't understand the difference between POSTROUTING and OUTPUT.

Look at the drawing in the page I linked.

Notice how all the OUTPUT chains (regardless of table) handle packets from local processes.

theuser 06-20-2011 06:24 PM

Yes, I noticed that.

PREROUTING - DNAT for incoming traffic
OUTPUT - DNAT for outgoing traffic
POSTROUTING - SNAT for outgoing traffic

Is this correct?

Kind regards.

win32sux 06-20-2011 06:45 PM

I think your summary would need to be more specific. For example "outgoing traffic" could refer to both locally and externally generated traffic, and it's important to differentiate. OUTPUT only handles the locally-generated type (before a routing decision). The iptables manual actually includes a good summary near the top:
Quote:

filter:
This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

nat:
This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).

mangle:
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).

raw:
This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets generated by local processes)

theuser 06-20-2011 07:10 PM

Yes, you are right.

PREROUTING - DNAT for incoming packets
OUTPUT - DNAT for outgoing local packets
POSTROUTING - SNAT for outgoing local/forwarded packets

What do you think?

win32sux 06-20-2011 11:00 PM

Sounds good to me. So, getting back to your adult website redirection to Google scenario: How are you planning to do it? Honestly, I'd recommend using Squid for this rather than iptables. Or wait, were you just using it like an example?

BTW, this might be getting moved to Networking for more adequate exposure.
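The summary agreed on above, written out as an iptables-restore ruleset for a small gateway: one DNAT in PREROUTING, the matching DNAT in OUTPUT so the gateway's own processes get the same treatment, and an SNAT in POSTROUTING. This is an added example, not code from the thread; the interface names, addresses and ports are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: eth0 faces the WAN
# (public 203.0.113.10), eth1 faces the LAN 192.168.1.0/24, and an internal
# web server sits at 192.168.1.20. Override any of these via the environment.
WAN_IF=${WAN_IF:-eth0}
WAN_ADDR=${WAN_ADDR:-203.0.113.10}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WEB_SRV=${WEB_SRV:-192.168.1.20}

# Print the nat table in iptables-restore format; nothing is applied here.
nat_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# PREROUTING sees packets as they arrive, before the routing decision, so a
# DNAT here changes where the route lookup sends them. -i is allowed, -o is
# not: no output interface has been chosen yet.
-A PREROUTING -i $WAN_IF -p tcp -d $WAN_ADDR --dport 80 -j DNAT --to-destination $WEB_SRV:80
# OUTPUT sees only packets generated by this host's own processes. Without
# this rule a local client connecting to $WAN_ADDR:80 would bypass the
# PREROUTING DNAT above, because its packets never traverse PREROUTING.
-A OUTPUT -p tcp -d $WAN_ADDR --dport 80 -j DNAT --to-destination $WEB_SRV:80
# POSTROUTING sees every packet about to leave, forwarded or local, after
# routing, so -o is allowed and -i is not. SNAT hides the LAN behind the
# public address.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_ADDR
COMMIT
EOF
}

# Number of rules the ruleset places in the given chain (self-check helper).
rules_in_chain() {
    nat_ruleset | grep -c "^-A $1 "
}

# Load the ruleset. Without --noflush, iptables-restore replaces only the
# tables named in its input, so the filter and mangle tables are untouched.
apply_nat_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_nat_ruleset: run as root" >&2; return 1; }
    nat_ruleset | iptables-restore
}

# Usage: ./nat-example.sh        (print the ruleset)
#        ./nat-example.sh apply  (load it, then verify with: iptables -t nat -S)
case "${1:-show}" in
    apply) apply_nat_ruleset ;;
    *)     nat_ruleset ;;
esac
```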

theuser 06-20-2011 11:48 PM

Great, so I will keep that summary on my mind.

Regarding my scenario, it was just an example, I do not need to implement it in real life, but now I'm curious why you recommend Squid rather than iptables.

I created the post here because I saw the word "firewall" in the description, but move it to "networking", no problem about that :).

Kind regards and thanks for the help.

win32sux 06-21-2011 01:17 AM

Quote:

Originally Posted by theuser (Post 4391329)
Regarding my scenario, it was just an example, I do not need to implement it on real life, but now I'm curious why you recommend squid rather than iptables.

Well, I just see it as the right tool for the job. I mean, HTTP is an application layer protocol, so it makes sense to use Squid instead of iptables (which is meant for dealing with network and transport layer stuff) IMHO. Using Squid also eliminates the need for you to keep track of the adult website's IPs. I know there's other advantages too, but they don't come to mind right now as I'm completely exhausted. Actually, one does come to mind: Things like per-user restrictions aren't feasible with iptables on a dedicated gateway, yet they're a snap with Squid by means of ACLs.

Quote:

I created the post here because I saw the word "firewall" in the description, but move it to "networking", no problem about that :).
Yeah it fits here too, no worries. Typically, though, it's going to be the context of the question/discussion that will determine whether it gets moved or not. I guess if we look at it from the point of view that you wanted to do things like keep employees away from dangerous websites, then yeah, it would probably be best to leave it here. Besides, the whole "don't fix it if it ain't broken" thing and all that. Still, let me know if you wish for it to be moved and I'll gladly take care of it for you.

Quote:

Kind regards and thanks for the help.
You're very welcome.

And BTW (in case nobody has said it yet): Welcome to LQ!!! :)

theuser 06-21-2011 11:23 AM

Thanks! ;)

theuser 06-26-2011 02:11 PM

Guys, I have a straightforward question:

1. What is the difference between netfilter and iptables?

Regards.

win32sux 06-26-2011 02:53 PM

Quote:

Originally Posted by theuser (Post 4396287)
Guys, I have a straightforward question:

1. What is the difference between netfilter and iptables?

Regards.

Netfilter is the code in the Linux kernel which allows it to provide packet-filtering functionality. iptables is the userspace tool we use to configure said functionality. The website's front page itself has a better description:
Quote:

netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.
Quote:

iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).

theuser 06-27-2011 08:07 AM

So is it ok if I define netfilter as the Linux kernel module which provides packet filtering functionality and iptables as the tool which makes use of that module?

win32sux 06-27-2011 02:03 PM

Quote:

Originally Posted by theuser (Post 4396829)
So is it ok if I define netfilter as the Linux kernel module which provides packet filtering functionality

I'm not an expert, but that definition seems like it might be technically incorrect. Like, if you do an lsmod, you won't see any module named netfilter. What you'll see are Netfilter-related modules for connection tracking, NAT, etc. (in other words, part of the framework described). Netfilter itself is, according to their web page, "a set of hooks inside the Linux kernel".
