Difference between revisions of "Talk:Iptables"

From ArchWiki
(Is that correct?: re, closing)
(Starting iptables before network: re, close)
 
(44 intermediate revisions by 7 users not shown)
Closed sections that the older revision still carried and the newer revision removed (the "Starting iptables before network" discussion itself is given in full under the latest revision further down):

Is that correct?

"Chains are used to specify rulesets. A packet begins at the top of a chain and progresses downwards until it hits a rule. There are three built-in chains: INPUT, OUTPUT and FORWARD. '''All outbound traffic passes through the forward chain, and all inbound traffic passes through the FORWARD chain.''' The three built-in chains have default targets which are used if no rules are hit. User-defined chains can be added to make rulesets more efficient."

Is the bold-marked text really correct? If yes, shouldn't we explain what the OUTPUT/INPUT chains do?

--Evilandi666 11:57, 17 July 2011 (EDT)

I don't think this could be correct; from Wikipedia:iptables:

“PREROUTING”: Packets will enter this chain before a routing decision is made.

“INPUT”: Packet is going to be locally delivered. (N.B.: It does not have anything to do with processes having a socket open. Local delivery is controlled by the “local-delivery” routing table: `ip route show table local`.)

“FORWARD”: All packets that have been routed and were not for local delivery will traverse this chain.

“OUTPUT”: Packets sent from the machine itself will be visiting this chain.

“POSTROUTING”: Routing decision has been made. Packets enter this chain just before handing them off to the hardware.

In the Italian page I changed this, but I did not mention the POSTROUTING and PREROUTING chains. I think this guide needs to be updated. -- Maveloth 14:04, 30 September 2011 (EDT)
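The chain descriptions quoted in this post, worked through as an added example (not code from the ArchWiki page or from iptables itself): a small Python simulator that, for a packet and a host, reports which chains the packet traverses and what first-match verdict the filter table gives it. The host, addresses, match helpers and rules are all constructed for the example, and the routing decision is reduced to two questions: is the destination one of the host's own addresses, and is IP forwarding enabled?

```python
"""Which netfilter chains does a packet traverse, and what verdict does it get?

Added example, not code from the ArchWiki page or from iptables itself: it
encodes the chain descriptions quoted above as a small simulator.  Only the
filter table carries rules here; the nat/mangle hooks on PREROUTING and
POSTROUTING appear in the path but do nothing.  All names, addresses and
rules are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    locally_generated: bool = False     # sent by a process on this host

@dataclass
class Chain:
    policy: str                          # default target if no rule matches
    rules: List[Tuple[Callable[[Packet], bool], str]] = field(default_factory=list)

    def walk(self, pkt: Packet) -> str:
        """A packet starts at the top; the first matching rule decides."""
        for match, target in self.rules:
            if match(pkt):
                return target
        return self.policy

@dataclass
class Host:
    local_addrs: frozenset               # what 'ip route show table local' would list
    ip_forward: bool = False             # net.ipv4.ip_forward
    filter: Dict[str, Chain] = field(default_factory=dict)

def traverse(host: Host, pkt: Packet) -> Tuple[List[str], str]:
    """Return (chains visited in order, final verdict) for one packet."""
    if pkt.locally_generated:
        path = ["OUTPUT"]                # local processes never see PREROUTING/INPUT
        verdict = host.filter["OUTPUT"].walk(pkt)
        return path + (["POSTROUTING"] if verdict == "ACCEPT" else []), verdict
    path = ["PREROUTING"]                # before the routing decision
    if ip_address(pkt.dst) in host.local_addrs:
        path.append("INPUT")             # routing decision: deliver locally
        return path, host.filter["INPUT"].walk(pkt)
    if not host.ip_forward:
        # Not ours and forwarding is off: routing fails and the packet is
        # discarded without ever reaching the FORWARD hook.
        return path, "DROP (unroutable: forwarding disabled)"
    path.append("FORWARD")               # routed, not for local delivery
    verdict = host.filter["FORWARD"].walk(pkt)
    return path + (["POSTROUTING"] if verdict == "ACCEPT" else []), verdict

# Match helpers (hypothetical; iptables would express these as -p/--dport/-d).
def dport(proto: str, port: int) -> Callable[[Packet], bool]:
    return lambda p: p.proto == proto and p.dport == port

def to_net(cidr: str) -> Callable[[Packet], bool]:
    net = ip_network(cidr)
    return lambda p: ip_address(p.dst) in net

def demo_router(forwarding: bool = True) -> Host:
    """Constructed router: 203.0.113.5 upstream, 10.0.0.1 on the LAN."""
    return Host(
        local_addrs=frozenset({ip_address("203.0.113.5"), ip_address("10.0.0.1")}),
        ip_forward=forwarding,
        filter={
            "INPUT":   Chain("DROP", [(dport("tcp", 22), "ACCEPT")]),
            "FORWARD": Chain("DROP", [(to_net("10.0.0.0/24"), "ACCEPT")]),
            "OUTPUT":  Chain("ACCEPT"),
        },
    )

if __name__ == "__main__":
    router = demo_router()
    for pkt in (Packet("198.51.100.7", "203.0.113.5", "tcp", 22),
                Packet("198.51.100.7", "203.0.113.5", "tcp", 80),
                Packet("198.51.100.7", "10.0.0.42", "udp", 1337),
                Packet("10.0.0.1", "198.51.100.7", "tcp", 443, locally_generated=True)):
        print(f"{pkt.proto}/{pkt.dport} to {pkt.dst}: {traverse(router, pkt)}")
```

The point the simulator makes is the one disputed above: a packet addressed to the router itself sees PREROUTING then INPUT and never FORWARD; a packet for a LAN host sees PREROUTING, FORWARD and POSTROUTING; and a packet generated locally starts at OUTPUT. With forwarding disabled a non-local packet dies in the routing step, so FORWARD rules never run for it.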

Fixed the double FORWARD problem and added an Expansion template, because I think POSTROUTING and PREROUTING have something to do with NAT operations, but I don't have sufficient knowledge to expand the article by myself. Probably the whole Iptables#Basic_concepts section should be expanded and made clearer. -- Kynikos 17:26, 7 October 2011 (EDT)

The section has been updated: https://wiki.archlinux.org/index.php?title=Iptables&diff=267135&oldid=266924. Closing. -- Lahwaacz (talk) 14:38, 21 August 2013 (UTC)

Merge

It seems to me that Iptables and Simple stateful firewall HOWTO should be merged into a single document named iptables. Ideally, various pages could point to the iptables page for configuration options. These include router instructions, etc. Of course, I volunteer to do all the work. --Arcanazar 14:58, 30 July 2009 (EDT)

I agree on the merge; the page linked goes into much more depth. In short, this page should point there or vice versa. --Prometheanfire 15:05, 30 July 2009 (EDT)

Basically, I'm suggesting that Simple stateful firewall HOWTO be moved to this page. Everything I have put on this page, so far, came from there anyway. --Arcanazar 15:10, 30 July 2009 (EDT)

I guess it just depends on whether or not we want to classify the page as a class (Stateful Firewall) or a program (IPTABLES). This is honestly the first time I have edited a wiki except for grammatical errors, so I do not know the proper procedure. --Prometheanfire 16:24, 30 July 2009 (EDT)

There really is no proper procedure. Basically, the best page is whatever is going to be the most useful. Since (IMHO) more people will search for "iptables" than "Stateful Firewall", iptables is the better name. --Arcanazar 16:31, 30 July 2009 (EDT)

The subject of iptables, and firewalling, is not that simple. Even now both pages lack clarity to the layperson, and so neither is complete. Understanding iptables requires an understanding of networking in general. So slimming it down in a wiki article is folly. Instead, each article needs to be refined with proper references (and diagrams if possible) before any potential merger can or should be considered. T1nk3r3r (talk) 23:45, 17 January 2013 (UTC)

NAT Firewall

This is a combination of laziness and the like; this is an old setup that I have since moved away from, to a hardware firewall. This setup is a NAT firewall with a few port forwards.

# Generated by iptables-save v1.3.5 on Tue Jun  5 19:52:40 2007
*raw
:PREROUTING ACCEPT [123119306:66686923721]
:OUTPUT ACCEPT [8218577:4064226432]
COMMIT
# Completed on Tue Jun  5 19:52:40 2007
# Generated by iptables-save v1.3.5 on Tue Jun  5 19:52:40 2007
# nat table: DNAT port forwards to the 10.0.0.42 host; everything leaving eth3
# (the upstream interface) is masqueraded
*nat
:PREROUTING ACCEPT [1284892:103455725]
:POSTROUTING ACCEPT [708950:58789746]
:OUTPUT ACCEPT [81288:4974397]
:DNS - [0:0]
-A PREROUTING -p udp -m udp --dport 1337 -j DNAT --to-destination 10.0.0.42:1337
-A PREROUTING -p udp -m udp --dport 54420 -j DNAT --to-destination 10.0.0.42:54420
-A PREROUTING -p tcp -m tcp --dport 54420 -j DNAT --to-destination 10.0.0.42:54420
-A PREROUTING -p tcp -m tcp --dport 54421 -j DNAT --to-destination 10.0.0.42:54421
-A PREROUTING -p udp -m udp --dport 54421 -j DNAT --to-destination 10.0.0.42:54421
-A PREROUTING -p udp -m udp --dport 7314 -j DNAT --to-destination 10.0.0.42:7314
-A PREROUTING -p udp -m udp --dport 2424 -j DNAT --to-destination 10.0.0.42:2424
-A PREROUTING -i eth3 -p tcp -m tcp --dport 3724 -j DNAT --to-destination 10.0.0.42:3724
-A PREROUTING -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 10.0.0.42
-A POSTROUTING -o eth3 -j MASQUERADE
COMMIT
# Completed on Tue Jun  5 19:52:40 2007
# Generated by iptables-save v1.3.5 on Tue Jun  5 19:52:40 2007
*mangle
:PREROUTING ACCEPT [123119304:66686924548]
:INPUT ACCEPT [8600443:3272731641]
:FORWARD ACCEPT [114518165:63414136121]
:OUTPUT ACCEPT [8218577:4064226432]
:POSTROUTING ACCEPT [122677262:67474602455]
COMMIT
# Completed on Tue Jun  5 19:52:40 2007
# Generated by iptables-save v1.3.5 on Tue Jun  5 19:52:40 2007
# filter table: all three chain policies are ACCEPT, so the ACCEPT rules below
# only add explicit permits; nothing that fails to match them is blocked
*filter
:INPUT ACCEPT [3327494:1199833518]
:FORWARD ACCEPT [1:0]
:OUTPUT ACCEPT [8211773:4063626894]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 111,2049,4001,32764:32767 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m multiport --dports 111,2049,4001,32764:32767 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152:65534 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# explicit permits for the forwarded ports above
-A FORWARD -d 10.0.0.42 -p udp -m udp --dport 1337 -j ACCEPT
-A FORWARD -d 10.0.0.42 -p udp -m udp --dport 54420 -j ACCEPT
-A FORWARD -d 10.0.0.42 -p tcp -m tcp --dport 54420 -j ACCEPT
-A FORWARD -d 10.0.0.42 -p tcp -m tcp --dport 54421 -j ACCEPT
-A FORWARD -d 10.0.0.42 -p udp -m udp --dport 54421 -j ACCEPT
-A FORWARD -d 10.0.0.42 -p udp -m udp --dport 7314 -j ACCEPT
-A FORWARD -d 10.0.0.42 -p udp -m udp --dport 2424 -j ACCEPT
# drop packets that arrive on a LAN interface but are addressed back into
# that interface's own subnet
-A FORWARD -d 10.0.2.0/255.255.255.0 -i eth2 -j DROP
-A FORWARD -d 10.0.1.0/255.255.255.0 -i eth1 -j DROP
-A FORWARD -d 10.0.0.0/255.255.255.0 -i eth0 -j DROP
# traffic from upstream (eth3) into the three LANs, and LAN traffic outward
-A FORWARD -d 10.0.0.0/255.255.255.0 -i eth3 -j ACCEPT
-A FORWARD -d 10.0.1.0/255.255.255.0 -i eth3 -j ACCEPT
-A FORWARD -d 10.0.2.0/255.255.255.0 -i eth3 -j ACCEPT
-A FORWARD -s 10.0.0.0/255.255.255.0 -i eth0 -j ACCEPT
-A FORWARD -s 10.0.1.0/255.255.255.0 -i eth1 -j ACCEPT
-A FORWARD -s 10.0.2.0/255.255.255.0 -i eth2 -j ACCEPT
-A FORWARD -s 10.0.0.42 -p tcp -m tcp --dport 6881:6999 -j ACCEPT
-A FORWARD -s 192.168.1.2 -p tcp -m tcp --dport 6881:6889 -j ACCEPT
COMMIT
# Completed on Tue Jun  5 19:52:40 2007

--Prometheanfire 14:31, 30 July 2009 (EDT)

I don't find this very useful; the Simple Stateful Firewall page provides a much more useful explanation. There are plenty of example iptables config files around. -- Lahwaacz (talk) 14:31, 21 August 2013 (UTC)

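The dump above, worked as an added example that is neither the poster's code nor part of iptables: a Python parser for the iptables-save format that cross-checks each nat DNAT port forward against the filter FORWARD chain, walking it first-match the way the kernel would. SAMPLE is a constructed, trimmed copy of the posted rules. The result says whether a forward is accepted by an explicit FORWARD rule or only because the chain policy is ACCEPT (the case for the 6881:6889 forward here), and counts rules the check cannot decide because they key on -i while the DNAT rule names no interface, or on -s while the remote source is unknown.

```python
"""Cross-check DNAT port forwards against the filter FORWARD chain.

Added example, not code from the ArchWiki page or from iptables itself.
SAMPLE is a constructed, trimmed copy of the posted dump.  Only the options
used in it are understood (-p, -i, -o, -j, -s, -d, -m, --dport,
--to-destination); anything else raises so the check fails loudly.
"""
import shlex
from ipaddress import ip_address, ip_network

SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 1337 -j DNAT --to-destination 10.0.0.42:1337
-A PREROUTING -i eth3 -p tcp -m tcp --dport 3724 -j DNAT --to-destination 10.0.0.42:3724
-A PREROUTING -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 10.0.0.42
-A POSTROUTING -o eth3 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 10.0.0.42 -p udp -m udp --dport 1337 -j ACCEPT
-A FORWARD -d 10.0.0.0/255.255.255.0 -i eth0 -j DROP
-A FORWARD -d 10.0.0.0/255.255.255.0 -i eth3 -j ACCEPT
-A FORWARD -s 10.0.0.0/255.255.255.0 -i eth0 -j ACCEPT
COMMIT
"""

def port_range(spec):
    lo, _, hi = spec.partition(":")           # "1337" or "6881:6889"
    return int(lo), int(hi or lo)

def parse_rule(argv):
    """Turn the tokens after '-A' into a dict; every known option takes one argument."""
    rule = {"chain": argv[0]}
    it = iter(argv[1:])
    for tok in it:
        val = next(it)
        if tok == "-p":   rule["proto"] = val
        elif tok == "-i": rule["in_if"] = val
        elif tok == "-o": rule["out_if"] = val
        elif tok == "-j": rule["target"] = val
        elif tok == "-s": rule["src"] = ip_network(val, strict=False)
        elif tok == "-d": rule["dst"] = ip_network(val, strict=False)
        elif tok == "--dport": rule["dport"] = port_range(val)
        elif tok == "--to-destination":
            ip, _, port = val.partition(":")
            rule["to"] = (ip, int(port) if port else None)
        elif tok != "-m":                     # '-m udp' etc. load a match, nothing to record
            raise ValueError(f"unsupported option {tok}")
    return rule

def parse_save(text):
    """iptables-save format: '*table', ':CHAIN POLICY [pkts:bytes]', '-A CHAIN ...', COMMIT."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == "#" or line == "COMMIT":
            continue
        if line[0] == "*":
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line[0] == ":":
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A "):
            table["rules"].append(parse_rule(shlex.split(line)[1:]))
    return tables

def matches(rule, pkt):
    """True/False when decidable; None when the rule keys on a field we do not know."""
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and not (rule["dport"][0] <= pkt["dport"][0]
                                and pkt["dport"][1] <= rule["dport"][1]):
        return False
    if "dst" in rule and ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if "src" in rule:
        return None                           # remote source address is unknown
    if "in_if" in rule:
        return None if pkt["in_if"] is None else rule["in_if"] == pkt["in_if"]
    return True

def forward_verdict(filt, pkt):
    """First match wins; returns (verdict, matching rule or None, undecided rules)."""
    undecided = []
    for rule in filt["rules"]:
        if rule["chain"] != "FORWARD":
            continue
        m = matches(rule, pkt)
        if m is None:
            undecided.append(rule)
        elif m:
            return rule["target"], rule, undecided
    return filt["policy"]["FORWARD"], None, undecided

def check_port_forwards(text):
    """One result per nat PREROUTING DNAT rule: what FORWARD does with that traffic."""
    tables, results = parse_save(text), []
    for rule in tables["nat"]["rules"]:
        if rule["chain"] != "PREROUTING" or rule.get("target") != "DNAT":
            continue
        to_ip, to_port = rule["to"]
        # After DNAT the packet carries the rewritten destination; the port is
        # rewritten only if --to-destination named one.
        pkt = {"proto": rule["proto"], "dst": to_ip, "in_if": rule.get("in_if"),
               "dport": (to_port, to_port) if to_port else rule["dport"]}
        verdict, hit, undecided = forward_verdict(tables["filter"], pkt)
        results.append({"proto": rule["proto"], "dport": rule["dport"], "to": to_ip,
                        "verdict": verdict, "by": "rule" if hit is not None else "policy",
                        "undecided": len(undecided)})
    return results

if __name__ == "__main__":
    for r in check_port_forwards(SAMPLE):
        print(f"{r['proto']}/{r['dport'][0]}-{r['dport'][1]} -> {r['to']}: "
              f"{r['verdict']} by {r['by']} ({r['undecided']} rules undecidable)")
```

Running it against the real dump would need the remaining match options (--tcp-flags, -m state, -m multiport) added to parse_rule; the point of the check is that with a FORWARD policy of ACCEPT, a port forward "working" proves nothing about the ruleset, which is what the reply below gets at.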

Latest revision as of 18:50, 21 April 2016

Starting iptables before network

Shouldn't this page explain how to set up systemd to start iptables before the network interfaces are up? I read Systemd and I will be trying this:

$ sudo vim /etc/systemd/system/network.service
[Unit]
Description=lan
# the next two lines were added by me
Requires=iptables.service
After=iptables.service
Wants=network.target
Before=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=/etc/conf.d/network
ExecStart=/sbin/ip link set dev ${interface} up
ExecStart=/sbin/ip addr add ${address}/${netmask} broadcast ${broadcast} dev ${interface}
ExecStart=/sbin/ip route add default via ${gateway}
ExecStop=/sbin/ip addr flush dev ${interface}
ExecStop=/sbin/ip link set dev ${interface} down
[Install]
WantedBy=multi-user.target

however, I have no clue if this is correct or not. Doru001 (talk) 17:28, 27 January 2013 (UTC)

That's the way to do it. Consider adding "ip6tables.service" for IPv6 connections if it's required. A much cleaner and safer solution would be to have the actual iptables services start before any kind of network is available. This needs a "Before=sysinit.target" (and possibly more) listed in the Unit sections. If you could test it, I'm sure the iptables packager would be happy to hear from you at Bug #33478. --Gilrain (talk) 16:39, 8 February 2013 (UTC)
Following https://bugs.freedesktop.org/show_bug.cgi?id=57773#c7 from your bug report I have done this:
$ cat /usr/lib/systemd/system/iptables.service
[Unit]
Description=Packet Filtering Framework
DefaultDependencies=no
After=systemd-sysctl.service
Before=sysinit.target
[Service]
Type=oneshot
ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules
ExecReload=/usr/bin/iptables-restore /etc/iptables/iptables.rules
ExecStop=/usr/lib/systemd/scripts/iptables-flush
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
Seems to be working, but I don't know how to check that it starts when it should; it is possible that journalctl is not started before it. Doru001 (talk) 14:53, 13 July 2013 (UTC)
Use "systemd-analyze plot > bootchart.svg" to check the complete start-up sequence. You should see iptables.service near the top, sysinit.target in the middle and network.target further down (at least, that's what it looks like with UFW). Also, does iptables really need "After=systemd-sysctl.service", or is it there because of a quick copy-paste? --Gilrain (talk) 19:36, 13 July 2013 (UTC)
That was a quick copy-paste, but it makes sense to me to configure the kernel before iptables and iptables before sysinit. If you have a better iptables.service unit then please post it here. Thank you for systemd-analyze plot. Doru001 (talk) 08:58, 14 July 2013 (UTC)
Using Before=sysinit.target in this case would be wrong, it breaks dependencies between targets. Note that iptables.service is WantedBy=multi-user.target, multi-user.target is started after sysinit.target. I think the correct way to do this is by placing iptables.service into basic.target, which is started after sysinit.target but before multi-user.target. All services configuring network interfaces are in multi-user.target, so network.target is necessarily started after basic.target. -- Lahwaacz (talk) 17:40, 25 July 2013 (UTC)
Not really, WantedBy does not mean Before, and in fact the start order is: iptables.service, sysinit.target and multi-user.target, with many other units started between them. See Requires in man systemd.unit. Not only does WantedBy have nothing to do with Before, as many newcomers believe, but you also confuse it with After. So this configuration says: if you start multi-user.target, then also start iptables.service. When should you start iptables.service? Before sysinit.target! I don't know what happens when sysinit.target is already started. And yes, systemd is uncomfortable, to say the least (join us on this: https://bbs.archlinux.org/viewtopic.php?pid=1320316#p1320316). Doru001 (talk) 09:18, 4 September 2013 (UTC)
Going back to FS#33478 I'd like to add FS#41633 as a cross-reference here, which already implemented the new network-pre.target for nftables (https://projects.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/nftables&id=0ce3501e78e603fff5ac95a551bb69c411172197). --Indigo (talk) 20:59, 16 September 2014 (UTC)
Anyone watching: FS#33478 has been closed and the service will gain default dependencies with the next package. --Indigo (talk) 20:13, 6 April 2015 (UTC)
The package did not exactly roll in FF, but well :) https://wiki.archlinux.org/index.php?title=Iptables&type=revision&diff=432098&oldid=424453. Closing. --Indigo (talk) 18:50, 21 April 2016 (UTC)
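The ordering argument in this thread, as an added example that is not code from the page or from systemd: a reduced Python model in which Wants=, Requires= and WantedBy= only decide which units join the transaction, while Before= and After= alone decide order. It reads three candidate iptables.service units (one with nothing but WantedBy=, the Before=sysinit.target unit quoted above, and the Before=network-pre.target plus Wants=network-pre.target pattern mentioned for nftables) and asks whether each is guaranteed to start before a network.service shaped like the one at the top of the thread. Every unit here is constructed and trimmed, and the default-dependency rules are a simplification of the documented behaviour, not systemd's implementation.

```python
"""Pull-in dependencies versus ordering dependencies, as a reduced model.

Added example, not code from the ArchWiki page or from systemd itself.
Wants=, Requires= and WantedBy= decide which units join a transaction;
only Before= and After= decide the order.  The parser and the default
dependency rules below simplify the documented behaviour, and every unit
is constructed and trimmed for the example.
"""
from typing import Dict, Set, Tuple

KEYS = ("Before", "After", "Wants", "Requires", "WantedBy", "DefaultDependencies")
Units = Dict[str, Dict[str, Set[str]]]

def parse_unit(text: str) -> Dict[str, Set[str]]:
    """Collect only the dependency keys we model; other keys and sections are ignored."""
    deps: Dict[str, Set[str]] = {k: set() for k in KEYS}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, _, value = line.partition("=")
        if key.strip() in deps:
            deps[key.strip()].update(value.split())
    return deps

def transaction(units: Units, root: str) -> Set[str]:
    """Units pulled in by starting root (every WantedBy= treated as enabled).
    This is a set: it says nothing about order."""
    wanted_by: Dict[str, Set[str]] = {}
    for name, u in units.items():
        for target in u["WantedBy"]:
            wanted_by.setdefault(target, set()).add(name)
    members, stack = set(), [root]
    while stack:
        n = stack.pop()
        if n in members or n not in units:
            continue
        members.add(n)
        stack.extend(units[n]["Wants"] | units[n]["Requires"] | wanted_by.get(n, set()))
    return members

def ordering_edges(units: Units, members: Set[str]) -> Set[Tuple[str, str]]:
    """Edges (a, b) meaning 'a is ordered before b', within the transaction.
    Modelled defaults: a service without DefaultDependencies=no is After=
    sysinit.target and basic.target; a target is After= each unit it pulls
    in unless that unit sets DefaultDependencies=no."""
    def default_deps(name: str) -> bool:
        return "no" not in units[name]["DefaultDependencies"]
    edges: Set[Tuple[str, str]] = set()
    for name in members:
        u = units[name]
        edges |= {(name, b) for b in u["Before"]} | {(a, name) for a in u["After"]}
        if name.endswith(".service") and default_deps(name):
            edges |= {("sysinit.target", name), ("basic.target", name)}
        if name.endswith(".target"):
            pulled = u["Wants"] | u["Requires"] | {n for n in members if name in units[n]["WantedBy"]}
            edges |= {(dep, name) for dep in pulled if dep in units and default_deps(dep)}
    return {(a, b) for a, b in edges if a in members and b in members}

def ordered_before(units: Units, root: str, a: str, b: str) -> bool:
    """True only if a path of ordering edges guarantees a starts before b."""
    members = transaction(units, root)
    succ: Dict[str, Set[str]] = {n: set() for n in members}
    for x, y in ordering_edges(units, members):
        succ[x].add(y)
    seen, stack = set(), list(succ.get(a, ()))
    while stack:
        n = stack.pop()
        if n == b:
            return True
        if n not in seen:
            seen.add(n)
            stack.extend(succ[n])
    return False

# Constructed units, reduced to the keys that matter here.
BASE_UNITS = {
    "sysinit.target": "[Unit]\nDescription=System Initialization\n",
    "basic.target": "[Unit]\nRequires=sysinit.target\nAfter=sysinit.target\n",
    "multi-user.target": "[Unit]\nRequires=basic.target\nAfter=basic.target\n",
    "network-pre.target": "[Unit]\nDescription=Network (Pre)\n",   # passive: joins only via Wants=
    "network.target": "[Unit]\nDescription=Network\n",
    "network.service": ("[Unit]\nAfter=network-pre.target\nBefore=network.target\nWants=network.target\n"
                        "[Service]\nType=oneshot\n[Install]\nWantedBy=multi-user.target\n"),
}
IPTABLES_WANTEDBY_ONLY = ("[Unit]\nDescription=Packet Filtering Framework\n[Service]\nType=oneshot\n"
                          "ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules\n"
                          "[Install]\nWantedBy=multi-user.target\n")
IPTABLES_BEFORE_SYSINIT = ("[Unit]\nDefaultDependencies=no\nAfter=systemd-sysctl.service\n"   # the unit from the thread
                           "Before=sysinit.target\n[Service]\nType=oneshot\n[Install]\nWantedBy=multi-user.target\n")
IPTABLES_NETWORK_PRE = ("[Unit]\nBefore=network-pre.target\nWants=network-pre.target\n"         # the nftables pattern
                        "[Service]\nType=oneshot\n[Install]\nWantedBy=multi-user.target\n")

def build(iptables_unit: str) -> Units:
    return {n: parse_unit(t) for n, t in {**BASE_UNITS, "iptables.service": iptables_unit}.items()}

if __name__ == "__main__":
    for label, unit in (("WantedBy= only", IPTABLES_WANTEDBY_ONLY),
                        ("Before=sysinit.target", IPTABLES_BEFORE_SYSINIT),
                        ("Before=network-pre.target", IPTABLES_NETWORK_PRE)):
        print(f"{label:26} guaranteed before network.service: "
              f"{ordered_before(build(unit), 'multi-user.target', 'iptables.service', 'network.service')}")
```

With only WantedBy=, iptables.service is in the transaction but has no ordering relation to network.service, which is the situation Doru001 describes. The Before=sysinit.target unit is ordered before the network by way of sysinit.target and basic.target, at the price of DefaultDependencies=no. The network-pre.target pattern gets the same guarantee while keeping the default dependencies, provided the network-configuring unit carries After=network-pre.target. On a real system the equivalent check is `systemctl show -p After -p Before iptables.service` together with the `systemd-analyze plot` bootchart suggested above.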