* mangle tables.
@ 2002-09-10  6:49 Anders Fugmann
  2002-09-10  9:38 ` Antony Stone
  0 siblings, 1 reply; 9+ messages in thread
From: Anders Fugmann @ 2002-09-10  6:49 UTC (permalink / raw)
  To: netfilter

Hi all

I'm looking at the new mangle tables as of 2.4.18, and fail to
understand exactly how packets traverse these chains.

The manpage says:
      Since kernel 2.4.18, three other built-in chains are  also
      supported  :  INPUT  (for  packets  coming  into the box itself),
      FORWARD (for altering packets being routed through the box), and
      POSTROUTING (for altering packets as they are about to go out).

Am I correct in the following:
Packets going through the firewall (forwarded):
PREROUTING,....,FORWARD,....,POSTROUTING.

Packets originating from the firewall itself:
	OUTPUT,...,POSTROUTING.

Packets destined for the firewall itself:
	PREROUTING,...,INPUT.

Next, if the above is correct, when do packets hit the chains,
e.g. what chains are traversed between PREROUTING and FORWARD and
POSTROUTING, in the forwarding example?

Thanks in advance
Anders Fugmann

-- 
Author of FIAIF
FIAIF Is An Intelligent/Iptables Firewall
http://fiaif.fugmann.dhs.org




* Re: mangle tables.
  2002-09-10  6:49 mangle tables Anders Fugmann
@ 2002-09-10  9:38 ` Antony Stone
  2002-09-10 10:05   ` Anders Fugmann
  0 siblings, 1 reply; 9+ messages in thread
From: Antony Stone @ 2002-09-10  9:38 UTC (permalink / raw)
  To: netfilter

On Tuesday 10 September 2002 7:49 am, Anders Fugmann wrote:

> Hi all
>
> I'm looking at the new mangle tables as of 2.4.18, and fail to
> understand exactly how packets traverse these chains.
>
> The manpage says:
>       Since kernel 2.4.18, three other built-in chains are  also
>       supported  :  INPUT  (for  packets  coming  into the box itself),
>       FORWARD (for altering packets being routed through the box), and
>       POSTROUTING (for altering packets as they are about to go out).
>
> Am I correct in the following:
> Packets going through the firewall (forwarded):
> PREROUTING,....,FORWARD,....,POSTROUTING.
>
> Packets originating from the firewall itself:
> 	OUTPUT,...,POSTROUTING.
>
> Packets destined for the firewall itself:
> 	PREROUTING,...,INPUT.

Yes, you are correct in all of those.

> Next, if the above is correct, when do packets hit the chains,
> e.g. what chains are traversed between PREROUTING and FORWARD and
> POSTROUTING, in the forwarding example?

I don't know the answer to this for the latest version of netfilter, however 
it is very easy to find out for yourself, for the specific version you are 
running (which is usually the important thing).

Simply set up a series of LOGging rules in the different chains & tables, 
send some packets through the system, and the log file will tell you what 
order the packets went through the different parts of netfilter.

Try this:

for chain in INPUT OUTPUT FORWARD PREROUTING POSTROUTING
do
  for table in filter mangle nat
  do
    iptables -I $chain -t $table -j LOG --log-prefix="$chain $table "
  done
done

Ignore the few errors you get from invalid combinations of chains & tables.

You might want to add a --log-level option as well depending on your setup.

Hope this helps,

Antony.

-- 

Most people are aware that the Universe is big.

 - Paul Davies, Professor of Theoretical Physics



* Re: mangle tables.
  2002-09-10  9:38 ` Antony Stone
@ 2002-09-10 10:05   ` Anders Fugmann
  2002-09-10 10:12     ` Antony Stone
  2002-09-10 10:41     ` Stewart Thompson
  0 siblings, 2 replies; 9+ messages in thread
From: Anders Fugmann @ 2002-09-10 10:05 UTC (permalink / raw)
  To: Antony Stone; +Cc: netfilter

Hi Antony

Many thanks for your reply.
I see that I understand most of it.

Antony Stone wrote:
> On Tuesday 10 September 2002 7:49 am, Anders Fugmann wrote:
> 
>>Next, if the above is correct, when do packets hit the chains,
>>e.g. what chains are traversed between PREROUTING and FORWARD and
>>POSTROUTING, in the forwarding example?
> 
> 
> I don't know the answer to this for the latest version of netfilter, however 
> it is very easy to find out for yourself, for the specific version you are 
> running (which is usually the important thing).
Is this true - can someone please confirm this. It seems strange that 
only the order of chain traversal is specified within a table, but not 
across tables (If I understand you correctly, Antony).
This means, for example, that the mark cannot be used to mark packets
for later processing. (Mark in mangle and match in filter.)

> 
> Simply set up a series of LOGging rules in the different chains & tables, 
> send some packets through the system, and the log file will tell you what 
> order the packets went through the different parts of netfilter.
> 
> Try this:
> 
> for chain in INPUT OUTPUT FORWARD PREROUTING POSTROUTING
> do
>   for table in filter mangle nat
>   do
>     iptables -I $chain -t $table -j LOG --log-prefix="$chain $table "
>   done
> done
Yes, but I was hoping to avoid it :-)

-- 
Neo: 'Can you fly that thing?'
Trinity: 'Not yet'.
$ apt-get install pilot-prg-v212helicopter.




* Re: mangle tables.
  2002-09-10 10:05   ` Anders Fugmann
@ 2002-09-10 10:12     ` Antony Stone
  2002-09-10 10:41     ` Stewart Thompson
  1 sibling, 0 replies; 9+ messages in thread
From: Antony Stone @ 2002-09-10 10:12 UTC (permalink / raw)
  To: netfilter

On Tuesday 10 September 2002 11:05 am, Anders Fugmann wrote:

> Antony Stone wrote:
> > On Tuesday 10 September 2002 7:49 am, Anders Fugmann wrote:
> >>Next, if the above is correct, when do packets hit the chains,
> >>e.g. what chains are traversed between PREROUTING and FORWARD and
> >>POSTROUTING, in the forwarding example?
> >
> > I don't know the answer to this for the latest version of netfilter,
> > however it is very easy to find out for yourself, for the specific
> > version you are running (which is usually the important thing).
>
> Is this true - can someone please confirm this. It seems strange that
> only the order of chain traversal is specified within a table, but not
> across tables (If I understand you correctly, Antony).
> This means, for example, that the mark cannot be used to mark packets
> for later processing. (Mark in mangle and match in filter.)

No, that's not what I meant, and you can indeed use MARK in the way you 
suggest.

The order of traversing both tables and chains is completely defined in 
netfilter, and unless you seriously start fiddling around with the source 
code you cannot change it.

However, I suggested that you should check the order for your particular 
version of netfilter for two reasons:

1. More recent versions have added more hooks (specifically to the mangle 
table, which is now available in all five chains; previously it was only 
available in PRE- and POSTROUTING), so you will find out all the chain / 
table combinations you have.

2. I believe about six months ago there was a rearrangement between nat and 
mangle (?) so that they got processed in the opposite order.   Again, you 
would want to know for your own version, not for some older or newer version 
which you aren't running...

> > Simply set up a series of LOGging rules in the different chains & tables,
> > send some packets through the system, and the log file will tell you what
> > order the packets went through the different parts of netfilter.
> >
> > Try this:
> >
> > for chain in INPUT OUTPUT FORWARD PREROUTING POSTROUTING
> > do
> >   for table in filter mangle nat
> >   do
> >     iptables -I $chain -t $table -j LOG --log-prefix="$chain $table "
> >   done
> > done
>
> Yes, but I was hoping to avoid it :-)

Why ?

Antony.

-- 

It is also possible that putting the birds in a laboratory setting
inadvertently renders them relatively incompetent.

 - Daniel C Dennett



* RE: mangle tables.
  2002-09-10 10:05   ` Anders Fugmann
  2002-09-10 10:12     ` Antony Stone
@ 2002-09-10 10:41     ` Stewart Thompson
  2002-09-10 11:09       ` Antony Stone
  2002-09-10 13:04       ` Anders Fugmann
  1 sibling, 2 replies; 9+ messages in thread
From: Stewart Thompson @ 2002-09-10 10:41 UTC (permalink / raw)
  To: Anders Fugmann, Antony Stone; +Cc: netfilter

Hi:

Have a look at the traversal diagram in Section 3 of Oskar Andreasson's
tutorial. It explains it quite well. All incoming packets pass through the
PREROUTING chain, which consists of the nat and mangle tables. Then it will
either pass through the FORWARD or INPUT chain depending on the rules it
encounters.

If a packet is destined for the firewall machine, it will pass through the
INPUT chain. The INPUT chain has a filter table. If it is destined for the
FORWARD chain, it will also go through the POSTROUTING chain. The FORWARD
chain has a filter table.

All outgoing packets go through the POSTROUTING chain, which also consists
of a nat table. They will either come from the FORWARD chain or the OUTPUT
chain. The OUTPUT chain has a filter table. Whether we are talking about an
input or output depends on the individual packet. For example, a packet
coming in from the Internet on eth0 bound for an internal machine connected
to eth1 would pass through the PREROUTING chain, then the FORWARD chain,
then through the post routing table for eth1. The return path would be
automatic, if you have your nat rules set up properly. Automagically, as
they say on the list. However, I believe it would still have to satisfy the
required rules. Have a look at Oskar's description; I am sure it is clearer
than mine, since he has pictures as well.
Hope that helps.

Stu..........






* Re: mangle tables.
  2002-09-10 10:41     ` Stewart Thompson
@ 2002-09-10 11:09       ` Antony Stone
  2002-09-10 13:04       ` Anders Fugmann
  1 sibling, 0 replies; 9+ messages in thread
From: Antony Stone @ 2002-09-10 11:09 UTC (permalink / raw)
  To: netfilter

On Tuesday 10 September 2002 11:41 am, Stewart Thompson wrote:

> HI:
>
> 	Have a look at the traversal diagram in Section 3 of
> Oskar Andreasson's Tutorial. It explains it quite well.

Yes, indeed it does.   However, it might not be quite correct for the version 
of netfilter you are running - there have been a couple of subtle changes 
between recent versions of netfilter.

Therefore I agree and thoroughly recommend Oskar's tutorial for getting an 
understanding of how netfilter works in principle, however if the question of 
what order the chains & tables are traversed is really important to you for 
some reason, I still recommend testing it on your own machine so that you 
know exactly what your system does.

Antony.

-- 

Normal people think "if it ain't broke, don't fix it".
Engineers think "if it ain't broke, it doesn't have enough features yet".



* Re: mangle tables.
  2002-09-10 10:41     ` Stewart Thompson
  2002-09-10 11:09       ` Antony Stone
@ 2002-09-10 13:04       ` Anders Fugmann
  2002-09-10 20:18         ` Stewart Thompson
  1 sibling, 1 reply; 9+ messages in thread
From: Anders Fugmann @ 2002-09-10 13:04 UTC (permalink / raw)
  To: stewart.thompson; +Cc: Antony Stone, netfilter

Thanks.

This makes a lot of sense.
To sum up, tables are traversed in the following manner:

             [Packet enters the machine]
                          |
                    mangle-prerouting
                    /              \
   <To the machine itself>  <To be forwarded> [Locally gen. packet]
                   |                |                 |
             mangle-input     mangle-forward    mangle-output
                   |                |                 |
             filter-input     filter-forward    filter-output
                   |                \                 /
       [next level of the OSI]       mangle-postrouting
                                            |
                                 [packet leaves the machine]

Legend:
[]: Event.
<>: Case (if).
| : Connector.

(mangle tables intentionally left out)
So there is no doubt that mangle-forward is traversed _before_ 
filter-forward.

Thanks again for clarifying.

Regards
Anders Fugmann




* RE: mangle tables.
  2002-09-10 13:04       ` Anders Fugmann
@ 2002-09-10 20:18         ` Stewart Thompson
  2002-09-10 22:18           ` Anders Fugmann
  0 siblings, 1 reply; 9+ messages in thread
From: Stewart Thompson @ 2002-09-10 20:18 UTC (permalink / raw)
  To: Anders Fugmann; +Cc: Antony Stone, netfilter

Hi Anders:

	Not a bad diagram for ASCII. :) I am going to have to
save that one. Antony's advice is always sound. There may be
some differences in the latest releases, but I think it will be more
to do with the tables available, and what you can do with them.
I think the traversal order would be the same. I believe there have
been new tables added that aren't in say the 1.24 version I am
running. (Jump in if you have any different info Antony)
	As Antony suggested, a bunch of Logging Rules in all the
Tables and checking the /var/log/messages (on Redhat anyway)
would show the order it went through the tables. Alternately, you
could look at the source code, or talk to someone who is familiar
with it. Which isn't me, and maybe not Antony. Most of us don't
need to get down to that level.  As a general rule I have done fine
using RPM installs. It sounds like you are going to be digging
into things a lot more. Good luck and let us know how you make
out.

Regards,

Stu......







* Re: mangle tables.
  2002-09-10 20:18         ` Stewart Thompson
@ 2002-09-10 22:18           ` Anders Fugmann
  0 siblings, 0 replies; 9+ messages in thread
From: Anders Fugmann @ 2002-09-10 22:18 UTC (permalink / raw)
  To: stewart.thompson; +Cc: Antony Stone, netfilter

Stewart Thompson wrote:
> would show the order it went through the tables. Alternately, you
> could look at the source code, or talk to someone who is familiar
Ok. I finally took a look at the code. (Quite easy to read actually)

There are 5 builtin chains:
prerouting, input, forward, output and postrouting.
and four tables: conn_track, mangle, nat and filter.

These are traversed in the following order:
(read left to right)
prerouting:  conntrack, mangle, nat
input:       mangle, filter, nat, conntrack
forward:     mangle, filter
output:      conntrack, mangle, nat, filter
postrouting: mangle, nat, conntrack

Of course, forwarded packets traverse: prerouting, forward, postrouting.
Locally generated packets traverse: output, postrouting.
Packets for the machine itself: prerouting, input.

If you want to double-check, then look at lines:
041-060: netfilter_ipv4.h
223-233: ip_conntrack_standalone.c
205-217: ip_nat_standalone.c
170-181: iptable_mangle.c
117-122: iptable_filter.c

All taken from kernel 2.4.19

The sequence is defined through constants, and I do not think that these
have changed since 2.4.18. I have not looked at other versions.


Regards
Anders Fugmann
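As an added example (not code from the thread or from netfilter itself), the following Python ties Antony's LOG-rule method to the per-hook table order Anders read out of 2.4.19: it derives the (chain, table) sequence a fully instrumented box should log for each of the three paths, and groups constructed sample log lines by IP ID so the observed order can be checked against that model. The host name, addresses and log lines are made up, and the set of chains each table exposes is assumed to be that of 2.4-era iptables.

```python
import re
# Table order inside each hook, as reported in the thread for kernel 2.4.19; conntrack
# is a hook without a user-visible table, so a LOG rule can never observe it.
HOOK_ORDER = {
    "PREROUTING": ["conntrack", "mangle", "nat"],
    "INPUT": ["mangle", "filter", "nat", "conntrack"],
    "FORWARD": ["mangle", "filter"],
    "OUTPUT": ["conntrack", "mangle", "nat", "filter"],
    "POSTROUTING": ["mangle", "nat", "conntrack"],
}
# Chains iptables exposes per table in 2.4 (assumed; the missing pairs are the "invalid
# combinations" Antony's loop errors on). nat chains see only a connection's first packet.
USER_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "nat": {"PREROUTING", "OUTPUT", "POSTROUTING"},
}
PATHS = {  # hooks on each of the three paths Anders listed
    "forward": ["PREROUTING", "FORWARD", "POSTROUTING"],
    "local-in": ["PREROUTING", "INPUT"],
    "local-out": ["OUTPUT", "POSTROUTING"],
}

def expected_order(path):
    """(chain, table) pairs a LOG rule in every valid chain/table would hit, in order."""
    return [(chain, table) for chain in PATHS[path] for table in HOOK_ORDER[chain]
            if chain in USER_CHAINS.get(table, ())]

# "kernel: <chain> <table> ..." is what --log-prefix="$chain $table " produces.
LOG_RE = re.compile(r"kernel: (?P<chain>[A-Z]+) (?P<table>[a-z]+) IN=.*?\bID=(?P<id>\d+)")

def observed_orders(lines):
    """Group LOG lines by IP ID (not by address, since NAT may rewrite SRC/DST between hooks)."""
    seen = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            seen.setdefault(m["id"], []).append((m["chain"], m["table"]))
    return seen

def classify(sequence):
    """Name the path whose expected order equals an observed sequence, else None."""
    return next((p for p in PATHS if expected_order(p) == sequence), None)

def _line(chain, table, ident):
    # Constructed sample shaped like a kernel LOG line (IN=/OUT= vary per hook in real logs).
    return (f"Sep 10 09:40:01 fw kernel: {chain} {table} IN=eth0 OUT= SRC=192.0.2.10 "
            f"DST=198.51.100.5 LEN=60 TTL=63 ID={ident} DF PROTO=TCP SPT=40001 DPT=22")
# Constructed log: a forwarded packet (ID 4711) interleaved with one for the box itself (4712).
SAMPLE_LOG = [_line(c, t, i) for c, t, i in [
    ("PREROUTING", "mangle", 4711), ("PREROUTING", "nat", 4711), ("PREROUTING", "mangle", 4712),
    ("PREROUTING", "nat", 4712), ("FORWARD", "mangle", 4711), ("INPUT", "mangle", 4712),
    ("FORWARD", "filter", 4711), ("INPUT", "filter", 4712), ("POSTROUTING", "mangle", 4711),
    ("POSTROUTING", "nat", 4711)]]
```

After running Antony's loop, grep the kernel log for the prefixes and feed those lines to observed_orders(); a sequence for which classify() returns None is one this model does not predict and is worth a closer look on that particular kernel.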


