Compare: Firewalld / Iptables / Nftables / Netfilter (2024)

I looked into netfilter a little, and found that my understanding differed from how things actually work, so I am writing it down here.

On CentOS 8 (though not only there), the situation is as follows:

  • iptables is not really iptables any more; it is nftables underneath
  • Rules set with firewall-cmd are not shown by iptables
  • Use nft for all rule checks

netfilter is the basic framework for packet processing in Linux: it determines what processing is applied to packets received on an interface.

According to netfilter.org:

netfilter is a set of hooks in the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that passes through the respective hook in the network stack.

In other words, as a packet passes through the network stack, netfilter defines “hooks” at which some processing can be inserted. Is that the right reading?

The series of processing steps a packet goes through in the network stack is called a chain.
A chain is made up of a hook, a priority and a type, each explained below.


The basic packet flow is shown in the following diagram (from Wikipedia):

https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg

A hook expresses “where” in the network stack processing takes place; in other words, the point at which the chain is hooked in.

As you can see at the “routing decision” near the center of the figure above, the processing path branches there. Which hooks are used depends on whether the incoming packet is destined for the local host or not (that is, whether it is to be forwarded).

The following focuses on the hook part.


In other words, the following hooks are used depending on the destination.

  • Locally destined packets:
    Prerouting -> Input -> Output -> Postrouting
  • Forwarded packets:
    Prerouting -> Forward -> Postrouting

(In addition, there seems to be a hook called ingress for packets at L2.)

Priority expresses “in what order” processing is performed; that is, the order of the chains within each hook.
A priority is a positive or negative number, but aliases are defined for common values. The dstnat and srcnat aliases are only available for the prerouting and postrouting hooks, respectively.

However, whatever alias is used, the priority is still just a number underneath.



Type expresses “what kind of processing” is performed; in other words, what is done with the packet.



The components that make up netfilter are explained above, but how is netfilter actually operated? The rest of this post is about the software that operates it.

Firewalld sits at the top, with iptables or nftables running as its backend, and it is that backend, iptables or nftables, that actually operates netfilter.

Older versions of firewalld use iptables as the backend; newer versions use nftables.


iptables is a tool that operates netfilter. On old CentOS, before firewalld was introduced, iptables was run as a daemon (service?) via iptables-service.
In other words, filtering and NAT were done by changing the iptables rules directly with the iptables command or by loading them from a specific file.

CentOS 8 also ships iptables, but the actual implementation runs on nftables.

# iptables --version
iptables v1.8.2 (nf_tables)

However, this iptables is no longer the old iptables.

# ll /usr/sbin/iptables
lrwxrwxrwx. 1 root root 17 11月 9 03:40 /usr/sbin/iptables -> xtables-nft-multi

# man xtables-nft
NAME
xtables-nft ― iptables using nftables kernel api

DESCRIPTION
xtables-nft are versions of iptables that use the nftables
API. This is a set of tools to help the system administra‐
tor migrate the ruleset from iptables(8), ip6tables(8),
arptables(8), and ebtables(8) to nftables(8).

If you run iptables, you will see the rules in the familiar format. However, tables added through nftables (described later) cannot be seen from iptables, so the rules displayed by iptables -L -nv -t nat (or -t filter) may not match what is actually in effect.

For example, take firewall-cmd --add-masquerade, used when forwarding a port from a Docker host to a bridge-connected container. If you check the chain with nft, you will see the following.

# nft list chain ip firewalld nat_POST_public_allow
table ip firewalld {
    chain nat_POST_public_allow {
        oifname != "lo" masquerade
    }
}

But the firewalld table cannot be seen from iptables.

# iptables -L -t firewalld
iptables v1.8.2 (nf_tables): table 'firewalld' does not exist
Perhaps iptables or your kernel needs to be upgraded.

If you look at the TABLES section of man iptables, iptables can only inspect the tables with the listed names.

TABLES
There are currently five independent tables (which tables are present at any time depends on the kernel configuration options and which modules are
present).

-t, --table table
The tables are as follows:
filter:
nat:
mangle:
raw:
security:

In other words, if nftables is running behind firewalld, the rules displayed by iptables are wrong (they are not the full picture)!
So use nft instead of iptables to check the rules!

nftables is another tool that operates netfilter and is the replacement for iptables.
It looks like nftables can be run as a service in the same way as iptables, but …

# systemctl status nftables
● nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:nft(8)

On CentOS 8, firewalld is running with nftables behind the scenes, so the nftables daemon itself is idle.

The unit does the following: it flushes (= removes) the rules and loads the configuration file using nft commands. It is similar to running iptables as a daemon.

# cat /usr/lib/systemd/system/nftables.service | grep nft
Documentation=man:nft(8)
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset

On Debian, Arch, Ubuntu and Fedora, running the nftables daemon seems to be the default.


nftables is provided by the nft command. Rules set with nft are expressed as chains, which are the processing itself, and tables, which group chains together.

A chain is a collection of rules with a specific type and a specific hook: “where” (in the network stack), “in what order” and “what processing” are bundled together in one chain. A table is a virtual group of several chains.

Use the nft list command to check the settings.

Show only the names of all configured tables:

# nft list tables
table ip filter
table ip6 filter
(or many more)

Show all chains in the specified table:

# nft list table ip nat
table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority -100; policy accept;
        fib daddr type local counter packets 0 bytes 0 jump DOCKER
    }
(All chains in table ip nat are displayed)

For all configured chains, show which table each chain belongs to, which point in the network stack (hook) triggers it, and in what order (priority) it is processed:

# nft list chains
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority 0; policy drop;
    }
(A lot is displayed)

Show the specified chain:

# nft list chain ip filter FORWARD
table ip filter {
    chain FORWARD {
        type filter hook forward priority 0; policy drop;
        counter packets 0 bytes 0 jump DOCKER-USER
(A lot is displayed)

Show all configured rules:

# nft list ruleset
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }

    chain FORWARD {
        type filter hook forward priority 0; policy drop;
        counter packets 0 bytes 0 jump DOCKER-USER

(Very much is displayed)
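As an added example (not from the original post), here is a small Python script that reads `nft list chains` output, resolves priority aliases such as `srcnat - 10` to the plain number they really are, shows for each hook the order in which base chains run, and lists the tables that `iptables -t` cannot address. The listing is a constructed sample; the firewalld chain names and priorities in it are assumptions, not values taken from a real host.

```python
import re
# nft priority aliases (nft(8)); behind an alias a priority is still a number.
ALIAS = {"raw": -300, "mangle": -150, "dstnat": -100, "filter": 0, "security": 50, "srcnat": 100}
# Table names iptables can address with -t (TABLES section of man iptables).
IPTABLES_TABLES = {"filter", "nat", "mangle", "raw", "security"}
# Constructed sample in `nft list chains` format, not captured from a real host.
SAMPLE = """table ip nat {
  chain POSTROUTING {
    type nat hook postrouting priority srcnat; policy accept;
  }
}
table ip firewalld {
  chain filter_INPUT {
    type filter hook input priority filter + 10; policy accept;
  }
  chain nat_POSTROUTING {
    type nat hook postrouting priority srcnat - 10; policy accept;
  }
}"""

def parse_priority(text):
    # Resolve '0', '-100', 'srcnat', 'filter + 10' to an integer.
    return sum((-1 if s == "-" else 1) * (ALIAS[t] if t in ALIAS else int(t))
               for s, t in re.findall(r"([+-]?)\s*(\w+)", text))

def parse_chains(listing):
    # Base chains as (family, table, chain, type, hook, priority); regular
    # chains have no 'type ... hook ...' line and are skipped.
    out, family, table, chain = [], None, None, None
    for line in listing.splitlines():
        if m := re.match(r"table (\S+) (\S+) \{", line):
            family, table = m.groups()
        elif m := re.match(r"\s*chain (\S+) \{", line):
            chain = m.group(1)
        elif m := re.search(r"type (\w+) hook (\w+) priority ([^;]+);", line):
            out.append((family, table, chain, m[1], m[2], parse_priority(m[3])))
    return out

def order_by_hook(chains):
    # For each hook, base chains in the order a packet traverses them.
    by_hook = {}
    for fam, tbl, ch, ctype, hook, prio in chains:
        by_hook.setdefault(hook, []).append((prio, f"{fam} {tbl} {ch} ({ctype})"))
    return {h: [n for _, n in sorted(v)] for h, v in by_hook.items()}

def hidden_from_iptables(chains):
    # Tables with base chains that `iptables -t <name>` cannot display.
    return sorted({f"{f} {t}" for f, t, *_ in chains if t not in IPTABLES_TABLES})
```

On a real host, feed it the output of `nft list chains` instead of SAMPLE; the postrouting order shows that a firewalld NAT chain at `srcnat - 10` runs before the nat table's POSTROUTING even though iptables cannot show it.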

Article information

Author: Prof. An Powlowski
