Netfilter in Linux

Bing Qi
Department of Computer Science and Engineering
Auburn university

1
Netfilter
 A framework for packet mangling in kernel
 Built in Linux 2.4 kernel or higher version
 Independent of network protocol stack
 Provide an easy way to do firewall setting or
packet filtering, network address translation
and packet mangling

2
Netfilter II—how it works
 Defines a set of hooks
 Hooks are well defined point in the path of packets when
these packets pass through network stack
 The protocol code will jump into netfilter framework
when it hits the hook point.
 Registers Kernel functions to these hooks:
 Called when a packet reaches at hook point
 Can decide the fate of the packets
 After the functions, the packet could continue its journey

3
 Netfilter Hooks
 Each protocol family can have different hooks
 IPv4 defines 5 hooks
Upper layer

IP_output IP_input

NF_IP_LOCAL_OUT NF_IP_LOCAL_IN

Route Route

NF_IP_POSTROUTING NF_IP_FORWARD NF_PRE_ROUTING

4
Network driver device
Netfilter hook points
 NF_IP_PRE_ROUTING:
 After sanity checks, before routing decision
 NF_IP_LOCAL_IN:
 After routing decisions, if the packet destines for this host
 NF_IP_FORWARD:
 Packets are not destined for this host but need to be forwarded
to another interface
 NF_IP_LOCAL_OUT:
 All packets created from local host would come here before it
is been sent out
 NF_IP_POST_ROUTING:
 All packets have been routed and ready to hit the wire
5
Netfilter hook functions
 Multiple functions could register to the same hook point
 Need to set priority
 The corresponding packet will path the hook points
 Each function registered for that hook point is called in the
order of priority and is free to manipulate the packet

 What to do in hook functions

 The function could do anything it wants
 But need to tell netfilter to return one of the five values:
 NF_ACCEPT
 NF_DROP
 NF_STOLEN
 NF_QUEUE
 NF_REPEAT
6
How to use netfilter framework

 Iptables subsystem
 Write your own kernel functions, register
to certain hook points, do whatever you
want to process the packets

7
Iptables
 Based on netfilter framework
 Some modules that register to hook points
 Use generic table structure for the definition of rules.
 Very powerful
 Customize your own firewall setting
 User space tools (iptables) to load rules into different
tables

8
Install iptables
 Download iptables at www.netfilter.org
 RPM
 rpm –ivh iptable*.i386.rpm
 Source code
 tar zcvf iptable&*.tar.gz
 cd iptable*
 ./configure
 make
 make install
9
Iptables—basic functionalities
 Packet filter
 control
 Security
 Corresponding to “filter” table
 NAT-network address translation
 Switch the source or destination address
 Sharing internet access
 Corresponding to “NAT” table
 Packet mangle
 Mangling packets going through the firewall
 Ex: change TOS or TTL value, mark packets 10
Iptables command
 Use iptables command to load the rule set
 Basic iptables commands include:
 Which table to work on
 An operation
 Which hook point in this table to use
 A match
 A target
 For example:
 Iptables –t filter –A INPUT –p tcp –j DROP
 Iptables –t nat –A PREROUTING –p tcp –d 1.2.3.4 –j DNAT –to-
destination 4.3.2.1
 Iptables –l –v –n

11
Add your own functions to kernel
 Two ways to extend kernel codes
 Open source programming
 Need to find the place to insert our code
 Recompile the whole Linux kernel
 Need to reboot the system to let new image work
 Time-consuming, difficult to debug
 Loadable kernel module

12
Loadable kernel module
 It is a chunk of code, inserted and unloaded
dynamically
 Like the normal user space programs but it works
in kernel space and have access to kernel
resources
 Modules take effect immediately after loading it
without recompiling
 Saving time to extend the kernel

13
Write the kernel module
 Different from normal C program
 Modules execute in kernel space
 May not use some standard function libraries of C
 No main functions
 Module need to define two functions with the name:
 init_module: start entry
 Cleanup_module: end entry
 After linux 2.4, Macro is used, we could use any name as
our start and end functions, but need to use
 Module_init(“startfunctionname”);
 Module_exit(“endfunctionname”);
 Use insmod to load, rmmod to unload

14
A simple hello module
 helloworld_module.c:

#define MODULE
#include <linux/module.h>
static int __init init_module(void)
{
printk("<1>Hello, world\n"); /* <1> is message priority. */
return 0;
}
static int __exit cleanup_module(void)
{
printk("<1>Goodbye cruel world\n");
}

 printk (basic kernel service) outputs to /var/log/messages

 obj-m = helloworld_module.o all:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
 Use “insmod ./helloworld_module.ko” to load it into the kernel space
15
 cat /var/log/message or dmesg to see the output
Netfilter Hook implementation
 Steps
 Fill out the nf_hook_ops structure
 Write a hook function:
 It has specific format
 Register to system
 Compile and load the modules
 Example:
 Iptables –t filter –A INPUT –p tcp –j DROP
Drop all the incoming tcp packet
16
Netfilter Hook implementation (I)
 Fill in a netfilter hook operation structure
 Data type: (in include/linux/netfilter.h)

17
Example

static struct nf_hook_ops localin_ops;

localin_ops.hook = localin_handler;
localin_ops.pf = PF_INET;
localin_ops.hooknum =NF_IP_LOCAL_IN;
localin_ops.priority=NF_IP_PRI_FIRST;

18
Netfilter Hook implementation II
 Format: must be of function type nf_hookfn
Unsigned int nf_hookfn(hooknum,struct
sk_buff**skb,in_dev,out_dev,int(*okfn)(struct
sk_buff*)))
 Hooknum: the hook point where the function registered

 skb: a reference to the packet

 In_dev,outdev: net device this packet is from/to

 Hook function returns one of the following:

NF_ACCEPT,NF_DROP,NF_STOLEN
NF_QUEUE,NF_REPEAT
19
Example
unsigned int
localin_handler
(unsigned int hook, struct sk_buff **skb,
const struct net_device *indev, const
struct net_device *outdev, int (*okfn) (struct sk_buff *))

{
struct iphdr *iphead = skb->nh.iph;

if ((iphead->protocol)== IPPROTO_TCP) //Drop all TCP packet

return NF_DROP;

}
20
Netfilter Hook implementation III
 Call this function to register at the hook
 int nf_register_hook(struct nf_hook_ops *reg)
 void nf_unregister_hook(struct nf_hook_ops *reg)
#include …
static int __init
init (void){
return nf_register_hook (&localin_ops);
}
static void __exit
fini (void){
return nf_unregister_hook (&localin_ops);
}
module_init (init);
module_exit (fini);
 Compile it and insmod 21
Conclusion
 Netfilter is a glue code between the
protocol hooks and the kernel function
modules
 Iptables is useful to set our firewall
 Provide a simple way to hack packet

22
Reference
 http://lxr.linux.no/source
 http://www.netfilter.org/
 http://www.knowplace.org/netfilter/
 http://www.linuxguruz.org/iptables/howto/iptables-HOWTO.html
 http://www.kernel.org
 http://www.faqs.org/docs/kernel/
 http://www.tldp.org/HOWTO/Module-HOWTO/
 http://netfilter.kernelnotes.org/unreliable-guides
 http://www.linuxhq.com/lkprogram.html
 http://gnumonks.org/papers/netfilter-lk2000/presentation.html
 The Linux Kernel Module Programming Guide
 …..

23