User-Defined Chains


The filter table has three permanent, built-in chains: INPUT, OUTPUT, and FORWARD. iptables enables you to define chains of your own, called user-defined chains. These user-defined chains are treated as rule targets; that is, based on the set of matches specified in a rule, the target can branch off or jump to a user-defined chain. Rather than the packet being accepted or dropped, control is passed to the user-defined chain to perform more specific match tests relative to packets matching the branch rule. After the user-defined chain is traversed, control returns to the calling chain, and matching continues from the next rule in the calling chain unless the user-defined chain matched and took action on the packet.

Figure 5.3 shows the standard, top-down rule traversal using the built-in chains.

Figure 5.3. Standard chain traversal.


User-defined chains are useful for optimizing the ruleset and are therefore commonly used. They allow the rules to be organized into categorical trees. Rather than relying on the straight-through, top-down checklist style of matching inherent in the standard chain traversal, packet match tests can be selectively narrowed down based on the characteristics of the packet. Figure 5.4 shows initial packet flow. After initial tests common to all incoming packets are performed, packet matching branches off based on the destination address in the packet.

Figure 5.4. User-defined chains based on destination address.


Branching is based on destination address in this example. Source address matching is done later in relation to specific applications, such as remote DNS or mail servers. In most cases, the remote address will be "anywhere." Matching on destination address at this point distinguishes between unicast packets targeted to this machine, broadcast packets, multicast packets, and (depending on whether it's the INPUT or FORWARD chain) packets targeted to internal hosts.

Figure 5.5 details the user-defined chain for the protocol rules for packets specifically addressed to this host. As shown, user-defined chains can jump to other user-defined chains containing even more specific tests.

Figure 5.5. User-defined chains based on protocol.


This list summarizes the characteristics of user-defined chains from Chapter 3, "iptables: The Linux Firewall Administration Program":

  • User-defined chains are created with the -N or --new-chain operations.

  • User-defined chain names can be up to 30 characters in length.

  • User-defined chain names can contain hyphens (-) but not underscores (_).

  • User-defined chains are accessed as rule targets.

  • User-defined chains do not have default policies.

  • User-defined chains can call other user-defined chains.

  • If the packet doesn't match a rule on the user-defined chain, control returns to the next rule in the calling chain.

  • The user-defined chain can be exited early, with control returning to the next rule in the calling chain, via use of the RETURN target.

  • User-defined chains are deleted with the -X or --delete-chain operations.

  • A chain must be empty before it can be deleted.

  • A chain cannot be deleted while other chains still contain references to it.

  • A chain is emptied specifically by name, or all existing chains are emptied if no chain is specified, with the -F or --flush operations.
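As an added example (not the book's own code), the chain tree of Figures 5.4 and 5.5 written as an iptables-restore ruleset from a POSIX shell script, with a check that every jump target names a declared chain and a teardown that honours the flush-before-delete rule from the list above. The chain names and the 192.0.2.x addresses are constructed for illustration.

```shell
# Added example, not code from the book: the chain tree of Figures 5.4 and 5.5
# in iptables-restore syntax, plus a jump-target check and the teardown order.
HOST_IP="192.0.2.10"        # constructed: this host's unicast address
HOST_BCAST="192.0.2.255"    # constructed: its subnet broadcast address

# User-defined chains carry no policy, so iptables-restore declares them with
# "-" where the built-in chains show ACCEPT or DROP.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:in-this-host - [0:0]
:in-bcast - [0:0]
:tcp-in - [0:0]
:udp-in - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d $HOST_IP -j in-this-host
-A INPUT -d $HOST_BCAST -j in-bcast
-A in-this-host -p tcp -j tcp-in
-A in-this-host -p udp -j udp-in
-A tcp-in -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A tcp-in -j RETURN
-A udp-in -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A in-bcast -j DROP
COMMIT
EOF
}

# Names of the user-defined chains (policy field "-") in the ruleset above.
user_chains() { build_ruleset | awk '$1 ~ /^:/ && $2 == "-" { print substr($1, 2) }'; }

# Exit 1 if a -j target is neither a verdict nor a declared chain; iptables
# rejects such a rule, and iptables-restore then rejects the whole table.
check_jumps() {
    build_ruleset | awk '
        $1 ~ /^:/ { chain[substr($1, 2)] = 1; next }
        /^-A/ { t = ""; for (i = 1; i <= NF; i++) if ($i == "-j") t = $(i + 1)
                if (t != "" && !(t in chain) && t !~ /^(ACCEPT|DROP|REJECT|RETURN)$/) {
                    print "undeclared chain: " t; bad = 1 } }
        END { exit bad + 0 }'
}

# -F with no chain empties every chain, which also removes the references
# that would block -X; only then can the user-defined chains be deleted.
teardown_commands() {
    echo "iptables -F"
    user_chains | while read -r c; do echo "iptables -X $c"; done
}
```

Pipe `build_ruleset` into `iptables-restore` on a host where the constructed addresses have been replaced; `teardown_commands` prints the removal sequence rather than running it.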

The next section takes advantage of user-defined chains and the concepts presented in the section on rule organization to optimize the single-system firewall presented in Chapter 4.




Linux Firewalls
Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
ISBN: 1593271417
Year: 2005
Pages: 163
Authors: Michael Rash
