Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm learning about IPTables, but I don't fully understand the chains of the NAT table (PREROUTING, POSTROUTING and OUTPUT).
I'm especially unsure about PREROUTING and POSTROUTING.
As far as I know:
- DNAT can be made with PREROUTING
- SNAT can be made with POSTROUTING
NAT makes DNAT to change the target of a packet, and makes SNAT to change the source of a packet, so I conclude:
- PREROUTING is for incoming traffic
- POSTROUTING is for outgoing traffic
Is it correct? The previous conclusions seem to be logical in normal conditions, but they also seem to be limiting.
I'm thinking of a silly example to make DNAT for an employee; when he tries to connect to an adult website, he is redirected to Google.
On the other hand, the command "iptables" says the -o parameter (out interface) can't be used with PREROUTING and the parameter -i (in interface) can't be used with POSTROUTING; this confirms the previous conclusions.
I hope you can help me.
Kind regards and thanks in advance.
I think your summary would need to be more specific. For example "outgoing traffic" could refer to both locally and externally generated traffic, and it's important to differentiate. OUTPUT only handles the locally-generated type (before a routing decision). The iptables manual actually includes a good summary near the top:
Quote:
filter:
This is the default table (if no -t option is passed). It
contains the built-in chains INPUT (for packets destined to
local sockets), FORWARD (for packets being routed through
the box), and OUTPUT (for locally-generated packets).
nat:
This table is consulted when a packet that creates a new
connection is encountered. It consists of three built-ins:
PREROUTING (for altering packets as soon as they come in),
OUTPUT (for altering locally-generated packets before routing),
and POSTROUTING (for altering packets as they are about to go out).
mangle:
This table is used for specialized packet alteration. Until
kernel 2.4.17 it had two built-in chains: PREROUTING (for
altering incoming packets before routing) and OUTPUT (for
altering locally-generated packets before routing). Since
kernel 2.4.18, three other built-in chains are also supported:
INPUT (for packets coming into the box itself),
FORWARD (for altering packets being routed through the box),
and POSTROUTING (for altering packets as they are about to
go out).
raw:
This table is used mainly for configuring exemptions from
connection tracking in combination with the NOTRACK target.
It registers at the netfilter hooks with higher priority and
is thus called before ip_conntrack, or any other IP tables.
It provides the following built-in chains: PREROUTING (for
packets arriving via any network interface) OUTPUT (for
packets generated by local processes)
Sounds good to me. So, getting back to your adult website redirection to Google scenario: How are you planning to do it? Honestly, I'd recommend using Squid for this rather than iptables. Or wait, were you just using it like an example?
BTW, this might be getting moved to Networking for more adequate exposure.
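As an added example (not code from the thread), here is a small POSIX shell script that builds the three nat-table rules in the roles the reply above describes, and refuses the chain/interface pairings the OP noticed iptables rejects. Interface names and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Builds nat-table rules for a small
# gateway and enforces the constraint the OP noticed: PREROUTING may match
# -i but not -o, POSTROUTING -o but not -i (OUTPUT, being for locally
# generated packets, has no -i either). All names/addresses are placeholders.

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
WAN_IP="${WAN_IP:-203.0.113.5}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"

# nat_rule CHAIN MATCHES...: print the iptables command for one nat-table rule.
# Returns 1 (printing nothing) for a chain/interface pairing iptables rejects.
nat_rule() {
    chain=$1; shift
    case "$chain" in
        PREROUTING)  bad=-o ;;
        POSTROUTING) bad=-i ;;
        OUTPUT)      bad=-i ;;
        *) echo "nat_rule: $chain is not a nat chain" >&2; return 1 ;;
    esac
    case " $* " in
        *" $bad "*) echo "nat_rule: $chain cannot match $bad" >&2; return 1 ;;
    esac
    echo "iptables -t nat -A $chain $*"
}

# build_gateway_nat: one rule per chain, each in the role discussed above.
build_gateway_nat() {
    # PREROUTING: DNAT, seen by packets arriving on the WAN side before the
    # routing decision, so a port forward to an inside host belongs here.
    nat_rule PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80" || return 1
    # POSTROUTING: SNAT, seen after routing when the outgoing interface is
    # known, so masquerading LAN clients behind the WAN address belongs here.
    nat_rule POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE || return 1
    # OUTPUT: packets the gateway generates itself never pass PREROUTING, so
    # a connection from the gateway to its own public address is DNATed here.
    nat_rule OUTPUT -d "$WAN_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80" || return 1
}

# DRY_RUN=1 prints the commands; pipe that output into sh as root to apply.
if [ "${DRY_RUN:-0}" = 1 ]; then
    build_gateway_nat
fi
```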
Regarding my scenario, it was just an example, I do not need to implement it in real life, but now I'm curious why you recommend Squid rather than iptables.
I created the post here because I saw the word "firewall" in the description, but move it to "networking", no problem about that.
Quote:
Regarding my scenario, it was just an example, I do not need to implement it in real life, but now I'm curious why you recommend Squid rather than iptables.
Well, I just see it as the right tool for the job. I mean, HTTP is an application layer protocol, so it makes sense to use Squid instead of iptables (which is meant for dealing with network and transport layer stuff) IMHO. Using Squid also eliminates the need for you to keep track of the adult website's IPs. I know there's other advantages too, but they don't come to mind right now as I'm completely exhausted. Actually, one does come to mind: Things like per-user restrictions aren't feasible with iptables on a dedicated gateway, yet they're a snap with Squid by means of ACLs.
Quote:
I created the post here because I saw the word "firewall" in the description, but move it to "networking", no problem about that.
Yeah it fits here too, no worries. Typically, though, it's going to be the context of the question/discussion that will determine whether it gets moved or not. I guess if we look at it from the point of view that you wanted to do things like keep employees away from dangerous websites, then yeah, it would probably be best to leave it here. Besides, the whole "don't fix it if it ain't broken" thing and all that. Still, let me know if you wish for it to be moved and I'll gladly take care of it for you.
Quote:
Kind regards and thanks for the help.
You're very welcome.
And BTW (in case nobody has said it yet): Welcome to LQ!!!
1. What is the difference between netfilter and iptables?
Regards.
Netfilter is the code in the Linux kernel which allows it to provide packet-filtering functionality. iptables is the userspace tool we use to configure said functionality. The website's front page itself has a better description:
Quote:
netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.
Quote:
iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).
So is it ok if I define netfilter as the Linux kernel module which provides packet filtering functionality and iptables as the tool which makes use of that module?
Quote:
So is it ok if I define netfilter as the Linux kernel module which provides packet filtering functionality
I'm not an expert, but that definition seems like it might be technically incorrect. Like, if you do an lsmod, you won't see any module named netfilter. What you'll see are Netfilter-related modules for connection tracking, NAT, etc. (in other words, part of the framework described). Netfilter itself is, according to their web page, "a set of hooks inside the Linux kernel".