Basic iptables

Introduction

Kubernetes kube-proxy provides the important role to work with Service resource. kube-proxy will create and define iptables rules to manipulate the network traffic for the service resource. iptables is a Linux firewall.

In this article, we will introduce very basic iptables concepts: tables, chains and targets. Tables are files are join similar actions. There are several build-in tables. Chains are the set of rules. Rules are statements about what to do with the network package. Each rule contain one target. Targets are a decision or action of what to do. One target can point to a chain.

iptables -t nat -L -v
...

Chain PREROUTING (policy ACCEPT 415 packets, 33761 bytes)
 pkts bytes target     prot opt in     out     source               destination
 5392  456K KUBE-SERVICES  all  --  any    any     anywhere             anywhere     /* kubernetes service portals */
   10   624 DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 any     anywhere             anywhere

...

iptables Targets

The most targets are ACCEPT, DROP, REJECT. However, there are many other targets which can be used in various cases.

ACCEPT: this rule accepts the packets to come through the iptables firewall.
CLASSIFY: it can be used to classify packets in such a way that can be used by a couple of different qdiscs (Queue Disciplines).
DSCP: it is able to set any DSCP value inside a TCP packet, which is a way of telling routers the priority of the packet in question.
DNAT: it is used to do Destination Network Address Translation, which means that it is used to rewrite the Destination IP address of a packet.
DROP: it drops the package which is not matched against any further chain.
QUEUE: it will pass the packet to the userspace.
ECN: it can be used to reset the ECN bits from the IPv4 header, or to put it correctly, reset them to 0 at least.
RETURN: it sends the packet back to the originating chain so you can match it against other rules.
REJECT: it rejects a packet and sends an error to the connecting device.
LOG: it is specially designed for logging detailed information about packets.
MARK: it is used to set Netfilter mark values that are associated with specific packets.
MASQUERADE: it is used basically the same as the SNAT target, but it does not require any –to-source option.
MIRROR: it is an experimental and demonstration target only, and you are warned against using it, since it may result in really bad loops hence, among other things, resulting in serious Denial of Service. [1]
NETMAP: it is a new implementation of the SNAT and DNAT targets where the host part of the IP address isn’t changed.
REDIRECT: it is used to redirect packets and streams to the machine itself.
SAME: it works almost in the same fashion as the SNAT target, but it still differs.
SNAT: it is used to do Source Network Address Translation, which means that this target will rewrite the Source IP address in the IP header of the packet.
TCPMSS: it can be used to alter the MSS (Maximum Segment Size) value of TCP SYN packets that the firewall sees.
TOS: it is used to set the Type of Service field within the IP header.
TTL: it is used to modify the Time To Live field in the IP header. One useful application of this is to change all Time To Live values to the same value on all outgoing packets.
ULOG target is used to provide user-space logging of matching packets.

We also provide some examples to illustrate how iptables works for each service.

MARK example


Chain KUBE-MARK-MASQ (45 references)
 pkts bytes target     prot opt in     out     source               destination
 6614  621K MARK       all  --  any    any     anywhere             anywhere             MARK or 0x4000

Chain KUBE-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
 6468  612K MASQUERADE  all  --  any    any     anywhere             anywhere             /* kubernetes service traffic requiring SNAT */ mark match 0x4000/0x4000

MASQUERADE

The MASQUERADE target is always put into POSTROUTING chain to hide the source IP address. (SNAT)


Chain POSTROUTING (policy ACCEPT 5000 packets, 324K bytes)
 pkts bytes target     prot opt in     out     source               destination
43268 3538K KUBE-POSTROUTING  all  --  any    any     anywhere             anywhere             /* kubernetes postrouting rules */

DNAT

DNAT is used to do Destination Network Address Translation, which means that it is used to rewrite the Destination IP address of a packet. One concept in firewall is virtual IP (VIP), which exposes internal service IP address to external network.


Chain KUBE-SEP-MOMZQBEI6PSIABOH (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 KUBE-MARK-MASQ  all  --  any    any     ip-172-28-5-61.ec2.internal  anywhere
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere     tcp to:172.28.5.61:53

iptables Tables

Generally, iptables contains five build-in tables:

Filter: Filter table has three default chains: INPUT, OUTPUT and FORWARD
NAT: NAT table has tree default chains: PREROUTING, OUTPUT and POSTROUTING.
Mangle: Mangle table adjusts the IP header properties of packets. Mangle table is for specialized packet alteration. This alters QOS bits in the TCP header. Mangle table has the following built-in chains.
Raw: Raw table is for configuration exemptions. Raw table has the following built-in chains: PREROUTING and OUTPUT.
Security table

When a network packet is coming in, iptables finds the appropriate table, then runs it through the chain of rules until it finds a match.

The following diagram shows how iptables traverse each tables and chains.

Reference

[1] Iptables Tutorial 1.2.1

iptables Basic