334.3 Packet Filtering
Key Knowledge Areas:
- Understand common firewall architectures, including DMZ
- Understand and use iptables and ip6tables, including standard modules, tests and targets
- Implement packet filtering for IPv4 and IPv6
- Implement connection tracking and network address translation
- Manage IP sets and use them in netfilter rules
- Awareness of nftables and nft
- Awareness of ebtables
- Awareness of conntrackd
Partial list of the used files, terms and utilities:
- iptables
- ip6tables
- iptables-save
- iptables-restore
- ip6tables-save
- ip6tables-restore
- ipset
Utilities
iptables / ip6tables
Manage netfilter rules
iptables-save / ip6tables-save
Dump active netfilter rules
iptables-restore / ip6tables-restore
Install netfilter rules
ipset
IP Set manages IP sets in the Linux kernel (IPv4 and IPv6) for use in netfilter rules
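The format that iptables-save dumps and iptables-restore installs is the practical way to keep a whole ruleset in one reviewable file. The script below is an added example, not part of the LPI objective text or of any project's code: it generates a stateful IPv4 ruleset with NAT and a matching IPv6 ruleset for a firewall with a DMZ leg, and lints the generated files offline so mistakes are caught before the ruleset reaches the kernel. The interface names (eth0 WAN, eth1 LAN, eth2 DMZ), the DMZ web host addresses and the DMZ_IN chain name are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the LPI objective text: generate iptables-restore
# and ip6tables-restore rulesets for a three-legged firewall (WAN, LAN, DMZ)
# and lint them offline. Interface names and addresses are assumptions.

# gen_ipv4_ruleset WAN_IF LAN_IF DMZ_IF DMZ_WEB_ADDR
# Stateful filter plus NAT: the only NEW flow accepted from the WAN is TCP/80
# to the published DMZ web host; replies are admitted by conntrack state.
gen_ipv4_ruleset() {
  wan=$1 lan=$2 dmz=$3 web=$4
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DMZ_IN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Management (SSH) only from the LAN side
-A INPUT -i $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $lan -o $dmz -j ACCEPT
# WAN to DMZ goes through a dedicated chain; the DMZ never initiates to the LAN
-A FORWARD -i $wan -o $dmz -j DMZ_IN
-A DMZ_IN -d $web -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A DMZ_IN -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination $web
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# gen_ipv6_ruleset WAN_IF LAN_IF DMZ_IF DMZ_WEB_ADDR6
# No NAT on IPv6: the web host is reached at its global address, so the
# published service is a single FORWARD rule. ICMPv6 must pass or IPv6 breaks.
gen_ipv6_ruleset() {
  wan=$1 lan=$2 dmz=$3 web6=$4
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Neighbour discovery and path MTU discovery ride on ICMPv6
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $lan -o $dmz -j ACCEPT
-A FORWARD -i $wan -o $dmz -d $web6 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# validate_ruleset: read a *-restore file on stdin and report structural errors
# (unterminated table, append to or jump into an undeclared chain) without root.
validate_ruleset() {
  awk '
    BEGIN { split("ACCEPT DROP REJECT RETURN LOG DNAT SNAT MASQUERADE REDIRECT", b, " ")
            for (k in b) builtin[b[k]] = 1 }
    /^#/ || /^$/ { next }
    /^\*/ { table = substr($0, 2); open = 1; next }
    /^:/  { chains[table ":" substr($1, 2)] = 1; next }
    /^-A / {
      if (!((table ":" $2) in chains)) { print "line " NR ": chain " $2 " not declared in *" table; bad = 1 }
      tgt = ""
      for (i = 3; i <= NF; i++) if ($i == "-j") tgt = $(i + 1)
      if (tgt != "" && !(tgt in builtin) && !((table ":" tgt) in chains)) {
        print "line " NR ": jump to undeclared chain " tgt; bad = 1
      }
      next
    }
    /^COMMIT$/ { if (!open) { print "line " NR ": COMMIT outside a table"; bad = 1 }
                 open = 0; next }
    { print "line " NR ": unrecognised line: " $0; bad = 1 }
    END { if (open) { print "missing COMMIT for *" table; bad = 1 }
          exit bad + 0 }
  '
}

# Stand-alone use: lint both rulesets; redirect the generator output to a file
# and load it with iptables-restore / ip6tables-restore as root.
gen_ipv4_ruleset eth0 eth1 eth2 10.0.2.10 | validate_ruleset && echo "IPv4 ruleset lints clean"
gen_ipv6_ruleset eth0 eth1 eth2 2001:db8:2::10 | validate_ruleset && echo "IPv6 ruleset lints clean"
```

The linter only catches structural mistakes; the real dry run is `iptables-restore --test < file`, which needs the same privileges as a load. Keeping INPUT and FORWARD at policy DROP and routing WAN-to-DMZ traffic through its own chain means a host in the DMZ that is compromised cannot open new connections towards the LAN, which is the whole point of the DMZ architecture the objective asks for.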
Tips and Examples
- use IP sets in netfilter’s raw table to drop traffic to/from banned networks / IP addresses (the raw table is traversed before connection tracking, so the dropped packets never cost a conntrack entry)
- swap IP sets to apply changes without touching netfilter rules:
    # Create the new set and add the entries to it
    ipset -N new-set ....
    ipset -A new-set ....
    ...
    # Swap the old and new sets
    ipset -W old-set new-set
    # Get rid of the old entries, which now live under the name new-set
    ipset -X new-set
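A scripted version of the two tips above, as an added example that is not part of the objective text or of the ipset project: it turns a plain text list of networks into an ipset restore batch that stages the entries in a second set and swaps it into place, and it emits the raw-table rules that reference the live set. The set name banned, the -new suffix for the staging set and the sample list are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the objective text: build an `ipset restore` batch
# that implements the swap pattern and the raw-table rules that consult the
# set. Set names and the sample list are constructed for the demonstration.

LIVE_SET=${LIVE_SET:-banned}

# gen_ipset_batch LIVE_SET < list : one IPv4 address or CIDR per line,
# '#' comments and blank lines ignored; malformed entries are reported on
# stderr and skipped so one bad line does not abort the whole reload.
gen_ipset_batch() {
  live=$1 staging="${1}-new"
  awk -v live="$live" -v stage="$staging" '
    function valid_v4(s,   p, n, i) {
      if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) return 0
      n = split(s, p, "[./]")
      for (i = 1; i <= 4; i++) if (p[i] > 255) return 0
      return n == 4 || p[5] <= 32
    }
    BEGIN {
      # both sets must exist before a swap; run restore with -exist so the
      # create lines are harmless when the sets are already there
      print "create " live " hash:net family inet"
      print "create " stage " hash:net family inet"
      print "flush " stage
    }
    { sub(/#.*$/, ""); gsub(/[ \t]/, ""); if ($0 == "") next }
    valid_v4($0) { print "add " stage " " $0; n++; next }
    { print "skipping malformed entry on line " NR ": " $0 > "/dev/stderr" }
    END {
      # atomic switch: rules keep matching the live set name throughout
      print "swap " stage " " live
      print "destroy " stage
      print n + 0 " entries staged" > "/dev/stderr"
    }
  '
}

# gen_raw_rules LIVE_SET : iptables-restore fragment that drops traffic to and
# from the set in the raw table, i.e. before conntrack sees the packet.
gen_raw_rules() {
  cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m set --match-set $1 src -j DROP
-A PREROUTING -m set --match-set $1 dst -j DROP
-A OUTPUT -m set --match-set $1 dst -j DROP
COMMIT
EOF
}

# Constructed sample list (documentation prefixes, not real threat data);
# two entries are deliberately malformed to show they get skipped.
SAMPLE_LIST='# banned networks
203.0.113.0/24
198.51.100.7
256.1.1.1   # invalid octet, skipped
10.0.0.0/33
192.0.2.0/24  # trailing comment is fine
'

# Stand-alone use: print the batch and the rules that reference the set.
printf '%s' "$SAMPLE_LIST" | gen_ipset_batch "$LIVE_SET"
gen_raw_rules "$LIVE_SET"
```

Load the batch with `ipset restore -exist < batch` (as root) each time the list changes; the raw-table rules are loaded once and never need to change, because they refer to the set by name and the swap replaces its contents in one step.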
Notes
nftables, nft
nftables replaces {ip,ip6,arp,eb}tables with a new in-kernel packet classification framework built on a network-specific virtual machine, and introduces a single new command, nft, for managing it
ebtables
ebtables is the legacy command for managing bridge tables; it is superseded by nftables
conntrackd
conntrackd is the netfilter connection tracking userspace daemon