
10.4.2. Internal Functions

The iptables module distributes a file to /etc/iptables/ called iptables-functions. This file contains a set of (bash) function definitions, of which some are general functions, others are specific (shortcut) functions, and yet other functions are for internal use only.
The following is a list of functions considered internal:
  • blacklist_chain()
    The blacklist_chain() function reinitializes the blacklist chain, used to literally blacklist IP addresses and networks.
    The function first clears and removes the blacklist chain from iptables, then reads /etc/iptables/ipt_blacklist for the sources and destinations that you think require blacklisting. Iterating over the list, it populates the blacklist chain and finally inserts a jump to the blacklist chain from the INPUT, FORWARD and OUTPUT chains in the filter table.
    As such, it is important that blacklist_chain() is called by the /etc/iptables/iptables script, before the rest of the iptables rules are inserted, but after trust_if() and whitelist_chain().
  • clear_chain()
    The clear_chain() function takes two parameters, of which one is mandatory, and performs the following actions:
    1. It sets the policy for the chain to ACCEPT.
    2. It flushes all the rules from the chain.
    The two parameters it takes are:
    1. The name of the chain. This parameter is mandatory.
    2. The name of the table. This parameter is optional, and can be either filter (default) or nat.
    The /etc/iptables/iptables script automatically calls clear_chain() through flush_all_chains(). As such, clear_chain() is considered an internal function.
  • create_chain()
    The create_chain() function is called to create all chains, which includes custom chains you may specify through /etc/iptables/ipt_chains_filter and /etc/iptables/ipt_chains_nat.
    The create_chain() function takes two parameters, of which one is mandatory:
    1. The name of the chain. This parameter is mandatory.
    2. The name of the table. This parameter is optional, and can be either filter (default) or nat.
  • delete_chain()
    The delete_chain() function does exactly two things:
    1. It flushes the chain.
    2. It deletes the chain.
    The delete_chain() function is called through delete_obsolete_chains(), for each chain that is obsoleted (did exist but is not needed anymore). To this end, the delete_chain() function takes two parameters, of which one is mandatory:
    1. The name of the chain. This parameter is mandatory.
    2. The name of the table. This parameter is optional, and can be either filter (default) or nat.
  • delete_obsolete_chains()
    The delete_obsolete_chains() function deletes all chains that exist in the current running iptables configuration but are no longer needed. To this end, it lists all current chains except for the iptables standard chains, and determines whether they are still needed by reading /etc/iptables/ipt_chains_filter and /etc/iptables/ipt_chains_nat.
    For each of the non-default iptables chains in the current running iptables configuration, that does not exist in either of the aforementioned files, delete_obsolete_chains() calls delete_chain().
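    The following is an added illustration of the chain-management helpers described above (clear_chain(), flush_chain(), create_chain(), delete_chain() and delete_obsolete_chains()), written here from the text's description; it is not the module's own iptables-functions file and its names for internal helpers (_check_table, _is_builtin, obsolete_chains) and the IPT and CHAINS_DIR variables are assumptions made for this example. Setting IPT=echo prints the iptables invocations instead of applying them, which is how the example can be exercised without root.

```shell
#!/bin/sh
# Added illustration, not the module's own code. IPT=echo dry-runs.
IPT="${IPT:-iptables}"

# Chains that iptables itself provides; these are never treated as obsolete.
BUILTIN_CHAINS="INPUT FORWARD OUTPUT PREROUTING POSTROUTING"

# _check_table TABLE: only the filter (default) and nat tables are managed.
_check_table() {
    case "$1" in
        filter|nat) return 0 ;;
        *) echo "unsupported table: $1" >&2; return 1 ;;
    esac
}

# _is_builtin CHAIN: true if CHAIN is one of the standard chains.
_is_builtin() {
    case " $BUILTIN_CHAINS " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# clear_chain CHAIN [TABLE]: set the policy to ACCEPT, then flush all rules.
# iptables accepts -P only on built-in chains, so the policy step is skipped
# for user-defined chains (which have no policy to set).
clear_chain() {
    local chain="$1" table="${2:-filter}"
    [ -n "$chain" ] || { echo "clear_chain: chain name required" >&2; return 1; }
    _check_table "$table" || return 1
    if _is_builtin "$chain"; then
        $IPT -t "$table" -P "$chain" ACCEPT
    fi
    $IPT -t "$table" -F "$chain"
}

# flush_chain is an alias for clear_chain.
flush_chain() { clear_chain "$@"; }

# create_chain CHAIN [TABLE]
create_chain() {
    local chain="$1" table="${2:-filter}"
    [ -n "$chain" ] || { echo "create_chain: chain name required" >&2; return 1; }
    _check_table "$table" || return 1
    $IPT -t "$table" -N "$chain"
}

# delete_chain CHAIN [TABLE]: flush, then delete.
delete_chain() {
    local chain="$1" table="${2:-filter}"
    [ -n "$chain" ] || { echo "delete_chain: chain name required" >&2; return 1; }
    _check_table "$table" || return 1
    $IPT -t "$table" -F "$chain"
    $IPT -t "$table" -X "$chain"
}

# obsolete_chains WANTED_FILE < "iptables -S output": print the user-defined
# chains present in the running table that are not listed in WANTED_FILE.
# In `iptables -S` output built-in chains appear as "-P CHAIN POLICY" and
# user-defined ones as "-N CHAIN", so only -N lines are candidates.
# Comments (#) and surrounding whitespace in WANTED_FILE are ignored.
obsolete_chains() {
    local wanted_file="$1" op name rest
    while read -r op name rest; do
        [ "$op" = "-N" ] || continue
        if ! sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                "$wanted_file" 2>/dev/null | grep -qx "$name"; then
            echo "$name"
        fi
    done
}

# delete_obsolete_chains: compare the running filter and nat tables with
# ipt_chains_filter and ipt_chains_nat (directory overridable via CHAINS_DIR
# for testing) and delete every chain that is no longer wanted.
delete_obsolete_chains() {
    local table chain
    for table in filter nat; do
        $IPT -t "$table" -S |
        obsolete_chains "${CHAINS_DIR:-/etc/iptables}/ipt_chains_$table" |
        while read -r chain; do
            delete_chain "$chain" "$table"
        done
    done
}
```

    Note that delete_chain() has to flush before -X, because iptables refuses to delete a non-empty chain, and that it also fails while another chain still jumps to the one being deleted; the caller is responsible for removing such references first.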
  • flush_all_chains()
    The flush_all_chains() function calls the clear_chain() function for all chains currently in iptables. It does so itself for chains INPUT, OUTPUT and FORWARD in the filter table, and for chains PREROUTING, POSTROUTING and OUTPUT in the nat table. Then, it calls delete_obsolete_chains().
  • flush_chain()
    The flush_chain() function is an alias for clear_chain().
  • read_chains_from_file()
    The read_chains_from_file() function is an aggregative function to read and execute the necessary actions for chains listed in /etc/iptables/ipt_chains_filter and /etc/iptables/ipt_chains_nat.
    As such, the read_chains_from_file() function is considered an internal function.
  • tcpflags_chain()
    The tcpflags_chain() function initializes a chain called tcpflags, which is specifically designed to counter invalid TCP traffic. It checks for invalid combinations of TCP flags, such as all TCP flags cleared, or all TCP flags set.
    The tcpflags_chain() function is one of those functions you may want to reconsider when applying the iptables module to a high-availability cluster that concerns itself with networking (such as an H/A router or firewall).
    The tcpflags_chain() function calls delete_chain() and create_chain() in order to make sure the chain is clean before starting to insert new rules.
    The result of the tcpflags_chain() function creating and populating the tcpflags chain in the filter table looks as follows:
    # iptables -L tcpflags -n
    Chain tcpflags (2 references)
    target     prot opt source               destination
    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29
    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03
    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06
    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x05/0x05
    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x11/0x01
    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x18/0x08
    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x30/0x20
    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW
    
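    The hex pairs in the listing above are iptables' mask/comparison notation for the tcp match: the first value is the set of flags examined, the second the flags that must be set among them (a leading ! negates the match). The following is an added helper, not part of the module, that translates that notation back into --tcp-flags syntax so the chain can be audited from an iptables -L -n listing; the bit values (FIN 0x01, SYN 0x02, RST 0x04, PSH 0x08, ACK 0x10, URG 0x20) are those of the TCP header, and the embedded sample is a constructed copy of the listing above.

```shell
#!/bin/sh
# Added decoder for the "tcp flags:MASK/COMP" column of `iptables -L -n`;
# not part of the module.

# flag_names VALUE: comma-separated flag names for a hex bit value, using
# iptables' ALL and NONE shorthands for the two extremes.
flag_names() {
    local value=$(( $1 )) names="" bit name
    for bit in 0x01:FIN 0x02:SYN 0x04:RST 0x08:PSH 0x10:ACK 0x20:URG; do
        name="${bit#*:}"; bit="${bit%%:*}"
        if [ $(( value & bit )) -ne 0 ]; then
            names="${names:+$names,}$name"
        fi
    done
    case "$value" in
        0)  echo NONE ;;
        63) echo ALL ;;
        *)  echo "$names" ;;
    esac
}

# decode_tcpflags SPEC: turn e.g. "0x3F/0x29" or "!0x17/0x02" into the
# --tcp-flags arguments that produce it.
decode_tcpflags() {
    local spec="$1" neg="" mask comp
    case "$spec" in
        !*) neg="! "; spec="${spec#!}" ;;
    esac
    mask="${spec%/*}"; comp="${spec#*/}"
    echo "${neg}--tcp-flags $(flag_names "$mask") $(flag_names "$comp")"
}

# decode_listing < "iptables -L CHAIN -n" output: one decoded rule per line;
# header lines and rules without a tcp flags match are skipped, and any
# trailing match text (such as "state NEW") is kept.
decode_listing() {
    local line target spec rest
    while IFS= read -r line; do
        case "$line" in *"tcp flags:"*) ;; *) continue ;; esac
        target="${line%% *}"
        rest="${line##*tcp flags:}"
        spec="${rest%% *}"
        rest="${rest#"$spec"}"
        echo "$target $(decode_tcpflags "$spec")$rest"
    done
}

# Constructed sample: a subset of the listing shown above.
SAMPLE_LISTING='Chain tcpflags (2 references)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x11/0x01
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW'

printf '%s\n' "$SAMPLE_LISTING" | decode_listing
```

    Run as-is, the script prints for instance "DROP --tcp-flags ALL FIN,PSH,URG" for the 0x3F/0x29 rule and "DROP ! --tcp-flags FIN,SYN,RST,ACK SYN state NEW" for the last one, which is the usual check that a packet opening a new connection carries only SYN among FIN, SYN, RST and ACK.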
  • trust_if()
    Sometimes, you require an entire network interface to be trusted. The trust_if() is there for this purpose. You control the interfaces that are to be trusted through /etc/iptables/ipt_trusted_ifs, from where the /etc/iptables/iptables script obtains the list of trusted interfaces.
    The trust_if() function adds any trusted interface to the INPUT, FORWARD and OUTPUT chains of the filter table, in all directions. Additionally, it adds the interface name to the OUTPUT chain of the nat table.
    Usually, the loopback interface (lo) is such a trusted interface, which is the reason the default version of /etc/iptables/ipt_trusted_ifs shipped with this module contains lo already.
  • whitelist_chain()
    The whitelist_chain() function, similar to the blacklist_chain() function, creates a whitelist chain in the filter table, and inserts a jump target to the whitelist chain in the INPUT, FORWARD and OUTPUT chains.
    The function first clears and removes the whitelist chain from iptables, then reads /etc/iptables/ipt_whitelist for the sources and destinations that you think require whitelisting. Iterating over the list, it populates the whitelist chain and finally inserts a jump to the whitelist chain from the INPUT, FORWARD and OUTPUT chains in the filter table.
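    The following is an added illustration of a list-driven chain of the kind blacklist_chain() and whitelist_chain() build, written from the description above; it is not the module's own code. It assumes one -s and one -d rule per list entry, a DROP target for the blacklist and an ACCEPT target for the whitelist, that list files may contain # comments and blank lines, and an IPT variable (set IPT=echo to print the commands instead of applying them) plus BLACKLIST_FILE and WHITELIST_FILE overrides used only for testing.

```shell
#!/bin/sh
# Added illustration, not the module's own code. IPT=echo dry-runs.
IPT="${IPT:-iptables}"

# list_entries FILE: print the address entries of FILE, ignoring comments,
# surrounding whitespace and blank lines. A missing file yields no entries.
list_entries() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" 2>/dev/null |
    grep -v '^$' || true
}

# list_chain NAME FILE TARGET: rebuild chain NAME in the filter table from the
# entries in FILE, one -s and one -d rule per entry, then insert a jump to it
# at the top of INPUT, FORWARD and OUTPUT.
list_chain() {
    local name="$1" file="$2" target="$3" chain entry
    # A chain cannot be deleted while it is still referenced, so remove the
    # jump left by a previous run from each built-in chain first.
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -D "$chain" -j "$name" 2>/dev/null || true
    done
    $IPT -F "$name" 2>/dev/null || true
    $IPT -X "$name" 2>/dev/null || true
    $IPT -N "$name"
    list_entries "$file" | while read -r entry; do
        $IPT -A "$name" -s "$entry" -j "$target"
        $IPT -A "$name" -d "$entry" -j "$target"
    done
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -I "$chain" -j "$name"
    done
}

# blacklist_chain / whitelist_chain: the two list-driven chains from the text.
blacklist_chain() {
    list_chain blacklist "${BLACKLIST_FILE:-/etc/iptables/ipt_blacklist}" DROP
}

whitelist_chain() {
    list_chain whitelist "${WHITELIST_FILE:-/etc/iptables/ipt_whitelist}" ACCEPT
}
```

    Because each jump is inserted with -I, it lands at position 1 of the built-in chain, so whichever list chain is installed last is consulted first; this is why the call order of trust_if(), whitelist_chain() and blacklist_chain() in the /etc/iptables/iptables script matters.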