
A Deep Dive Into Iptables And Netfilter Architecture


Firewalls are an important tool that can be configured to protect your servers and infrastructure. In the Linux ecosystem, iptables is a widely used firewall tool that interfaces with the kernel's netfilter packet filtering framework. For users and administrators who do not understand the architecture of these systems, creating reliable firewall policies can be daunting, not only because of the challenging syntax, but also because of the number of interrelated parts present in the framework.

In this guide, we will dive into the iptables architecture with the aim of making it more comprehensible for users who need to build their own firewall policies. We will discuss how iptables interacts with netfilter and how the different components fit together to provide a comprehensive filtering and mangling system.

What Are IPTables and Netfilter?

The basic firewall software most commonly used in Linux is called iptables. The iptables firewall works by interacting with the packet filtering hooks in the Linux kernel's networking stack. These kernel hooks are known as the netfilter framework.

Every packet that enters the networking system (incoming or outgoing) will trigger these hooks as it progresses through the stack, allowing programs that register with these hooks to interact with the traffic at key points. The kernel modules associated with iptables register at these hooks in order to ensure that the traffic conforms to the conditions laid out by the firewall rules.

Netfilter Hooks

There are five netfilter hooks that programs can register with. As packets progress through the stack, they will trigger the kernel modules that have registered with these hooks. The hooks that a packet will trigger depend on whether the packet is incoming or outgoing, the packet's destination, and whether the packet was dropped or rejected at a previous point.

The following hooks represent different well-defined points in the networking stack:

  • NF_IP_PRE_ROUTING: This hook will be triggered by any incoming traffic very soon after entering the network stack. This hook is processed before any routing decisions have been made regarding where to send the packet.
  • NF_IP_LOCAL_IN: This hook is triggered after an incoming packet has been routed if the packet is destined for the local system.
  • NF_IP_FORWARD: This hook is triggered after an incoming packet has been routed if the packet is to be forwarded to another host.
  • NF_IP_LOCAL_OUT: This hook is triggered by any locally created outgoing traffic as soon as it hits the network stack.
  • NF_IP_POST_ROUTING: This hook is triggered by any outgoing or forwarded traffic after routing has taken place and just before being put out on the wire.

Kernel modules that wish to register at these hooks must provide a priority number to help determine the order in which they will be called when the hook is triggered. This provides the means for multiple modules (or multiple instances of the same module) to be connected to each of the hooks with deterministic ordering. Each module will be called in turn and will return a decision to the netfilter framework after processing that indicates what should be done with the packet.

IPTables Tables and Chains

The iptables firewall uses tables to organize its rules. These tables classify rules according to the type of decisions they are used to make. For example, if a rule deals with network address translation, it will be put into the nat table. If the rule is used to decide whether to allow the packet to continue to its destination, it would probably be added to the filter table.

Within each iptables table, rules are further organized within separate "chains". While tables are defined by the general aim of the rules they hold, the built-in chains represent the netfilter hooks which trigger them. Chains basically determine when rules will be evaluated.

As you can see, the names of the built-in chains mirror the names of the netfilter hooks they are associated with:

  • PREROUTING: Triggered by the NF_IP_PRE_ROUTING hook.
  • INPUT: Triggered by the NF_IP_LOCAL_IN hook.
  • FORWARD: Triggered by the NF_IP_FORWARD hook.
  • OUTPUT: Triggered by the NF_IP_LOCAL_OUT hook.
  • POSTROUTING: Triggered by the NF_IP_POST_ROUTING hook.

Chains allow the administrator to control where in a packet's delivery path a rule will be evaluated. Since each table has multiple chains, a table's influence can be exerted at multiple points in processing. Because certain types of decisions only make sense at certain points in the network stack, not every table will have a chain registered with each kernel hook.

There are only five netfilter kernel hooks, so chains from multiple tables are registered at each of the hooks. For example, three tables have PREROUTING chains. When these chains register at the associated NF_IP_PRE_ROUTING hook, they specify a priority that dictates the order in which each table's PREROUTING chain is called. Each of the rules inside the highest priority PREROUTING chain is evaluated sequentially before moving on to the next PREROUTING chain. We will take a look at the specific order of each chain in a moment.

Which Tables are Available?

Let's step back for a moment and take a look at the different tables that iptables provides. These represent distinct sets of rules, organized by area of concern, for evaluating packets.

The Filter Table

The filter table is one of the most widely used tables in iptables. The filter table is used to make decisions about whether to let a packet continue to its intended destination or to deny its request. In firewall parlance, this is known as "filtering" packets. This table provides the bulk of the functionality that people think of when discussing firewalls.

The NAT Table

The nat table is used to implement network address translation rules. As packets enter the network stack, rules in this table will determine whether and how to modify the packet's source or destination addresses in order to influence the way that the packet and any response traffic are routed. This is often used to route packets to networks when direct access is not possible.

The Mangle Table

The mangle table is used to alter the IP headers of the packet in various ways. For example, you can adjust the TTL (Time to Live) value of a packet, either lengthening or shortening the number of valid network hops the packet can sustain. Other IP headers can be altered in similar ways.

This table can also place an internal kernel "mark" on the packet for further processing in other tables and by other networking tools. This mark does not touch the actual packet, but adds the mark to the kernel's representation of the packet.

The Raw Table

The iptables firewall is stateful, meaning that packets are evaluated in regards to their relation to previous packets. The connection tracking features built on top of the netfilter framework allow iptables to view packets as part of an ongoing connection or session instead of as a stream of discrete, unrelated packets. The connection tracking logic is usually applied very soon after the packet hits the network interface.

The raw table has a very narrowly defined function. Its only purpose is to provide a mechanism for marking packets in order to opt out of connection tracking.

The Security Table

The security table is used to set internal SELinux security context marks on packets, which will affect how SELinux or other systems that can interpret SELinux security contexts handle the packets. These marks can be applied on a per-packet or per-connection basis.

Which Chains are Implemented in Each Table?

We have talked about tables and chains separately. Let's go over which chains are available in each table. Implied in this discussion is a further discussion about the evaluation order of chains registered to the same hook. If three tables have PREROUTING chains, in which order are they evaluated?

The following table indicates the chains that are available within each iptables table when read from left to right. For example, we can tell that the raw table has both PREROUTING and OUTPUT chains. When read from top to bottom, it also displays the order in which each chain is called when the associated netfilter hook is triggered.

A few things should be noted. In the representation below, the nat table has been split between DNAT operations (those that alter the destination address of a packet) and SNAT operations (those that alter the source address) in order to display their ordering more clearly. We have also included rows that represent points where routing decisions are made and where connection tracking is enabled in order to give a more holistic view of the processes taking place:

  Tables (down) / Chains (across)   PREROUTING   INPUT   FORWARD   OUTPUT   POSTROUTING
  (routing decision)                                                 x
  raw                                   x                            x
  (connection tracking enabled)         x                            x
  mangle                                x          x        x        x          x
  nat (DNAT)                            x                            x
  (routing decision)                    x                            x
  filter                                           x        x        x
  security                                         x        x        x
  nat (SNAT)                                       x                            x

As a packet triggers a netfilter hook, the associated chains will be processed as they are listed in the table above from top to bottom. The hooks (columns) that a packet will trigger depend on whether it is an incoming or outgoing packet, the routing decisions that are made, and whether the packet passes filtering criteria.

Certain events will cause a table's chain to be skipped during processing. For example, only the first packet in a connection will be evaluated against the NAT rules. Any nat decisions made for the first packet will be applied to all subsequent packets in the connection without additional evaluation. Responses to NAT'ed connections will automatically have the reverse NAT rules applied to route correctly.

Chain Traversal Order

Assuming that the server knows how to route a packet and that the firewall rules permit its transmission, the following flows represent the paths that will be traversed in different situations:

  • Incoming packets destined for the local system: PREROUTING -> INPUT
  • Incoming packets destined for another host: PREROUTING -> FORWARD -> POSTROUTING
  • Locally generated packets: OUTPUT -> POSTROUTING

If we combine the above information with the ordering laid out in the previous table, we can see that an incoming packet destined for the local system will first be evaluated against the PREROUTING chains of the raw, mangle, and nat tables. It will then traverse the INPUT chains of the mangle, filter, security, and nat tables before finally being delivered to the local socket.

IPTables Rules

Rules are placed within a specific chain of a specific table. As each chain is called, the packet in question will be checked against each rule within the chain in order. Each rule has a matching component and an action component.

Matching

The matching portion of a rule specifies the criteria that a packet must meet in order for the associated action (or "target") to be executed.

The matching system is very flexible and can be extended significantly with iptables extensions available on the system. Rules can be constructed to match by protocol type, destination or source address, destination or source port, destination or source network, input or output interface, headers, or connection state, among other criteria. These can be combined to create fairly complex rule sets to distinguish between different types of traffic.

Targets

A target is the action that is triggered when a packet meets the matching criteria of a rule. Targets are generally divided into two categories:

  • Terminating targets: Terminating targets perform an action which terminates evaluation within the chain and returns control to the netfilter hook. Depending on the return value provided, the hook might drop the packet or allow the packet to continue to the next stage of processing.
  • Non-terminating targets: Non-terminating targets perform an action and continue evaluation within the chain. Although each chain must eventually pass back a final terminating decision, any number of non-terminating targets can be executed beforehand.

The availability of each target within rules depends on context. For example, the table and chain type might dictate the targets available. The extensions activated in the rule and the matching clauses can also affect the availability of targets.

Jumping to User-Defined Chains

We should mention a special class of non-terminating target: the jump target. Jump targets are actions that result in evaluation moving to a different chain for additional processing. We have talked quite a bit about the built-in chains, which are intimately tied to the netfilter hooks that call them. However, iptables also allows administrators to create their own chains for organizational purposes.

Rules can be placed in user-defined chains in the same way that they can be placed into built-in chains. The difference is that user-defined chains can only be reached by "jumping" to them from a rule (they are not registered with a netfilter hook themselves).

User-defined chains act as simple extensions of the chain which called them. For example, in a user-defined chain, evaluation will pass back to the calling chain if the end of the rule list is reached or if a RETURN target is activated by a matching rule. Evaluation can also jump to additional user-defined chains.

This construct allows for greater organization and provides the framework necessary for more robust branching.

IPTables and Connection Tracking

We introduced the connection tracking system implemented on top of the netfilter framework when we discussed the raw table and connection state matching criteria. Connection tracking allows iptables to make decisions about packets viewed in the context of an ongoing connection. The connection tracking system provides iptables with the functionality it needs to perform "stateful" operations.

Connection tracking is applied very soon after packets enter the networking stack. The raw table chains and some basic sanity checks are the only logic that is performed on packets prior to associating the packets with a connection.

The system checks each packet against a set of existing connections. It will update the state of the connection in its store if needed and will add new connections to the system when necessary. Packets that have been marked with the NOTRACK target in one of the raw chains will bypass the connection tracking routines.

Available States

Connections tracked by the connection tracking system will be in one of the following states:

  • NEW: When a packet arrives that is not associated with an existing connection, but is not invalid as a first packet, a new connection will be added to the system with this label. This happens for both connection-aware protocols like TCP and for connectionless protocols like UDP.
  • ESTABLISHED: A connection is changed from NEW to ESTABLISHED when it receives a valid response in the opposite direction. For TCP connections, this means a SYN/ACK, and for UDP and ICMP traffic, this means a response where the source and destination of the original packet are swapped.
  • RELATED: Packets that are not part of an existing connection, but are associated with a connection already in the system are labeled RELATED. This could mean a helper connection, as is the case with FTP data transmission connections, or it could be ICMP responses to connection attempts by other protocols.
  • INVALID: Packets can be marked INVALID if they are not associated with an existing connection and are not appropriate for opening a new connection, if they cannot be identified, or if they are not routable, among other reasons.
  • UNTRACKED: Packets can be marked as UNTRACKED if they have been targeted in a raw table chain to bypass tracking.
  • SNAT: A virtual state set when the source address has been altered by NAT operations. This is used by the connection tracking system so that it knows to change the source address back in reply packets.
  • DNAT: A virtual state set when the destination address has been altered by NAT operations. This is used by the connection tracking system so that it knows to change the destination address back when routing reply packets.

The states tracked in the connection tracking system allow administrators to craft rules that target specific points in a connection's lifetime. This provides the functionality needed for more fine-grained and secure rules.
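To tie the tables, chain order, targets, user-defined chains and connection states together, here is an added example (not from the original article) of a ruleset in iptables-restore format for a hypothetical host that serves web traffic and forwards port 8080 to an internal machine. Interface names (eth0, eth1) and addresses (10.0.0.5, 192.0.2.0/24) are constructed placeholders; the function only prints the ruleset, so it can be inspected before loading.

```shell
# Emits an iptables-restore ruleset. Tables appear in the order a PREROUTING
# packet meets them (raw, mangle, nat); filter/security only see INPUT,
# FORWARD and OUTPUT. Lines starting with '#' are ignored by iptables-restore.
write_ruleset() {
  cat <<'EOF'
# raw: runs before connection tracking; NOTRACK opts these packets out of
# conntrack, so they later match the UNTRACKED state instead of NEW.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp --dport 123 -j NOTRACK
COMMIT
# mangle: header edits and kernel marks; MARK is a non-terminating target.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 8080 -j MARK --set-mark 0x1
COMMIT
# nat: only the first packet of a connection is evaluated here. DNAT sits in
# PREROUTING (before routing), MASQUERADE (SNAT) in POSTROUTING (after it).
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.5:80
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# filter: default-deny policies; conntrack states carry the stateful logic.
# WEB is a user-defined chain entered with -j, left via RETURN or a verdict.
# LOG is non-terminating: unmatched packets are logged, then hit the policy.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:WEB - [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j WEB
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 10.0.0.5 -p tcp --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
-A WEB -s 192.0.2.0/24 -j RETURN
-A WEB -j ACCEPT
COMMIT
EOF
}
```

A packet from 192.0.2.0/24 to port 80 returns from WEB to INPUT, is logged, and then falls to the DROP policy; `write_ruleset | sudo iptables-restore --test` parses the ruleset without committing it.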


The netfilter packet filtering framework and the iptables firewall are the basis for most firewall solutions on Linux servers. The netfilter kernel hooks are close enough to the networking stack to provide powerful control over packets as they are processed by the system. The iptables firewall leverages these capabilities to provide a flexible, extensible method of communicating policy requirements to the kernel. By learning about how these pieces fit together, you can better utilize them to control and secure your server environments.

If you would like to know more about how to choose effective iptables policies, check out this guide.

These guides can help you get started implementing your iptables firewall rules:

Reference: digitalocean