An introduction to iptables

Iptables is a firewall built into Linux that allows a system administrator to define tables containing chains of rules that determine how network packets should be treated. Packets are processed by sequentially traversing rules in chains within the following tables:

  • Raw: This is a default table that filters packets before any other table. It is mainly used for rules related to connection tracking.
  • Filter: This is a default table for filtering packets.
  • NAT: This is a default table used for network address translation.
  • Mangle: This is a default table used for specialized packet alteration and is not used by the Security Group API.

A rule in a chain can cause a jump to another chain, which, in turn, can jump to another chain, and so on. This behavior can be repeated to whatever level of nesting is desired. If the traffic does not match the rules of a subchain, the system recalls the point at which the jump occurred and returns to that point for further processing. When iptables is enabled, every network packet arriving at or leaving an interface traverses at least one chain.

There are five default chains, and the origin of the packet determines which chain will be initially traversed. The five default chains include the following:

  • PREROUTING: Packets will enter this chain before a routing decision is made. The PREROUTING chain is used by the raw, mangle, and NAT tables.
  • INPUT: This is used when a packet is going to be locally delivered to the host machine. The INPUT chain is used by the mangle and filter tables.
  • FORWARD: All packets that have been routed and were not for local delivery will traverse this chain. The FORWARD chain is used by the mangle and filter tables.
  • OUTPUT: Packets sent from the host machine itself will traverse this chain. The OUTPUT chain is used by the raw, mangle, NAT, and filter tables.
  • POSTROUTING: Packets will enter this chain when a routing decision has been made. The POSTROUTING chain is used by the mangle and NAT tables.

Each rule in a chain contains criteria that packets can be matched against. The rule may also contain a target, such as another chain, or a verdict, such as DROP or ACCEPT. As a packet traverses a chain, each rule is examined. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target or verdict.

Possible verdicts include the following:

  • ACCEPT: The packet is accepted and sent to the application for processing
  • DROP: The packet is dropped silently
  • REJECT: The packet is dropped and an error message is sent to the sender
  • LOG: The packet details are logged
  • DNAT: This rewrites the destination IP of the packet
  • SNAT: This rewrites the source IP of the packet
  • RETURN: Processing returns to the calling chain

The ACCEPT, DROP, and REJECT verdicts are often used by the filter table. Common rule criteria include the following:

  • -p <protocol>: Matches protocols such as TCP, UDP, ICMP, and more
  • -s <ip_addr>: Matches source IP address
  • -d <ip_addr>: Matches destination IP address
  • --sport: Matches source port
  • --dport: Matches destination port
  • -i <interface>: Matches the interface on which the packet arrived
  • -o <interface>: Matches the interface from which the packet exits
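To make the traversal semantics described above concrete (first match wins, a jump enters a user-defined chain, RETURN or the end of a user chain resumes the calling chain at the next rule, LOG does not terminate processing, and a packet reaching the end of a built-in chain receives that chain's policy), here is an added Python model of a filter-table INPUT chain. It is illustrative code written for this page, not iptables itself and not Neutron's code; the chain name sg-web, the addresses, and the exact-address matching (no CIDR) are constructed assumptions, and each rule carries the equivalent iptables command as a comment.

```python
"""Toy model of iptables filter-table chain traversal (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BUILTIN_CHAINS = {"INPUT", "FORWARD", "OUTPUT"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    proto: str                      # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    in_iface: Optional[str] = None


@dataclass
class Rule:
    target: str                     # verdict, LOG, RETURN, or a user chain to jump to
    proto: Optional[str] = None     # -p   (assumption: exact string match)
    src: Optional[str] = None       # -s   (assumption: exact address, no CIDR)
    dst: Optional[str] = None       # -d
    dport: Optional[int] = None     # --dport (real iptables needs -p tcp/udp for this)
    in_iface: Optional[str] = None  # -i

    def matches(self, pkt: Packet) -> bool:
        # Every criterion present on the rule must match; absent criteria match anything.
        pairs = ((self.proto, pkt.proto), (self.src, pkt.src), (self.dst, pkt.dst),
                 (self.dport, pkt.dport), (self.in_iface, pkt.in_iface))
        return all(want is None or want == have for want, have in pairs)


@dataclass
class FilterTable:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    policy: Dict[str, str] = field(default_factory=lambda: {c: "ACCEPT" for c in BUILTIN_CHAINS})
    log: List[str] = field(default_factory=list)   # stands in for the kernel log

    def new_chain(self, name: str) -> None:          # iptables -N <name>
        self.chains.setdefault(name, [])

    def append(self, chain: str, rule: Rule) -> None:  # iptables -A <chain> ...
        self.chains.setdefault(chain, []).append(rule)

    def traverse(self, chain: str, pkt: Packet) -> Optional[str]:
        """Walk one chain; return a terminating verdict, or None on RETURN/end of chain."""
        for rule in self.chains.get(chain, []):
            if not rule.matches(pkt):
                continue                              # no match: try the next rule
            if rule.target in TERMINATING:
                return rule.target                    # verdict ends processing
            if rule.target == "RETURN":
                return None                           # resume the calling chain
            if rule.target == "LOG":
                self.log.append(f"{chain}: {pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport}")
                continue                              # LOG is non-terminating
            verdict = self.traverse(rule.target, pkt)  # jump into a user chain
            if verdict is not None:
                return verdict
            # The sub-chain returned without a verdict: carry on with the next rule here.
        return None

    def verdict(self, chain: str, pkt: Packet) -> str:
        """Entry point for a built-in chain: end of chain means the chain policy applies."""
        result = self.traverse(chain, pkt)
        return result if result is not None else self.policy[chain]


def build_example_table() -> FilterTable:
    """Constructed rule set in the style of a per-port security-group chain."""
    t = FilterTable()
    t.policy["INPUT"] = "DROP"                           # iptables -P INPUT DROP
    t.new_chain("sg-web")                                # iptables -N sg-web
    t.append("INPUT", Rule(target="sg-web", proto="tcp"))  # -A INPUT -p tcp -j sg-web
    t.append("INPUT", Rule(target="ACCEPT", proto="icmp"))  # -A INPUT -p icmp -j ACCEPT
    t.append("INPUT", Rule(target="LOG"))                # -A INPUT -j LOG
    t.append("INPUT", Rule(target="REJECT"))             # -A INPUT -j REJECT
    t.append("sg-web", Rule(target="ACCEPT", dport=80))  # -A sg-web -p tcp --dport 80 -j ACCEPT
    t.append("sg-web", Rule(target="ACCEPT", dport=443))  # -A sg-web -p tcp --dport 443 -j ACCEPT
    t.append("sg-web", Rule(target="ACCEPT", dport=22, src="10.0.0.5"))  # ... -s 10.0.0.5 --dport 22
    t.append("sg-web", Rule(target="RETURN"))            # -A sg-web -j RETURN
    return t


def decide(pkt: Packet) -> str:
    """Verdict the INPUT chain of the constructed table gives this packet."""
    return build_example_table().verdict("INPUT", pkt)


if __name__ == "__main__":
    for p in (Packet("tcp", "203.0.113.9", "10.0.0.10", 443),
              Packet("tcp", "203.0.113.9", "10.0.0.10", 22),
              Packet("tcp", "10.0.0.5", "10.0.0.10", 22),
              Packet("udp", "203.0.113.9", "10.0.0.10", 53),
              Packet("icmp", "203.0.113.9", "10.0.0.10")):
        print(p, "->", decide(p))
```

Running it shows the path a packet takes: TCP/443 is accepted inside sg-web; TCP/22 from an unlisted source falls through sg-web, hits RETURN, resumes in INPUT after the jump rule, is logged, and is then rejected; a UDP packet never enters sg-web at all and goes straight to LOG and REJECT. Deleting the final REJECT rule makes the same packets end the chain and receive the DROP policy instead, which is the difference between an explicit verdict and a chain policy that the text describes.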

Neutron abstracts the implementation of security group rules from users, but understanding how it works is important for operators tasked with troubleshooting connectivity. For more information on iptables, please visit the following resources:
