Routes and Rules

Routing and Filtering Network Traffic

A brief, high-level introduction to Linux networking architecture. Explains, top-down and as a basic framework, how the Linux kernel routes and filters network traffic, and the tools available to manipulate routes and filtering rules.

10,000 Foot View

Viewed from a high level, Linux network routing can be divided into two practical sections: the routing process (including policy routing) and packet filtering and mangling. Together they provide a powerful combination of tools that exceed the capabilities of traditional table-based network routing systems. Yet discussions of the built-in Linux network and firewall architecture often generate considerable confusion. Why?

When I began researching Linux firewall architecture for a Virtual Private Network (VPN) application, I was stunned by how difficult it was to find answers to basic, high-level questions. While I found an abundance of low-level troubleshooting and configuration information, I needed to begin my analysis from a higher viewpoint. Ultimately, I ended up writing a guide on Linux networking simply because I didn't want to repeat the process in the future. Good documentation seemed like the best way to ensure that was the case.

Oh Packet, Wherefore art thou?

When the Linux kernel has an outgoing data packet destined for a network device, how does it determine where to send the packet? When the Linux kernel receives a data packet from another device, how does it determine what to do with it? To create a "smart" network routing system, you will need to grasp a few basic concepts of how Linux routes and processes network traffic. It's difficult to know where to begin. Linux networking is very complex, which is why there are so many discussions of the subject.

As an introduction to Linux networking, I'll lay out a top-down approach and basic framework for you. Hopefully, this will clarify things and make the process easier to understand. To manipulate your network traffic at will, such as choosing which traffic passes through a VPN and which does not, you need to understand how the Linux kernel routes network traffic, and the tools available to manipulate network routes.

First, by default the kernel filters nothing: the built-in firewall chains start empty with an ACCEPT policy, so all network traffic is permitted. One can imagine how that is not an ideal approach under many circumstances. Developing a comprehensive plan for managing your network traffic, even for a stand-alone server, is not straightforward in Linux. You have two primary paths available to you: filtering and routing. You may choose to use one or the other, or both. Let's be clear on what "filtering" and "routing" mean when it comes to networking. Filtering is the inspection, dropping, or modification (mangling) of network packets entering, leaving, or passing through your server. A firewall is the best example I can think of to represent a filter: filtering is all a firewall does. Routing refers to the pathways packets may take when leaving your server, or when being forwarded through it. Network traffic is sent out on "routes." A route maps a destination prefix to an outgoing interface and, usually, a next-hop gateway; it is a conduit to one or more other network devices.

The core of Ubuntu's filtering mechanism is netfilter, the Linux kernel's packet-filtering framework. Netfilter itself has two components: a set of hooks at fixed points in the kernel's network stack (exposed to administrators as the PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING chains), and the kernel code that evaluates the registered rule tables at those hooks. iptables is the common user-space front end for loading rules into those tables; on recent Ubuntu releases the iptables command is itself a compatibility layer over nftables. The ip route and ip rule commands (from the iproute2 package) are a separate tool, not a layer on netfilter: they configure the kernel's routing tables and routing policy database over netlink, and packets routed by them never pass through netfilter to be routed.

A separate tool in Ubuntu called ufw ("Uncomplicated FireWall") may also be used to manipulate netfilter. Ufw is a front end that generates iptables rules for you. Some people find ufw easier to work with than iptables, but I'll be teaching you how to use the latter. Why? Yes, it's more complicated, but the upside is you'll get a better idea of what you are doing when manipulating packet data.

Figure 1: NetFilter Topology

So, what’s the net benefit for you?

There are two portions to packet networking in Linux: routing and filtering. The routing process is a map of your network. Routes determine the possible paths along which a packet may be sent: for each destination prefix, which interface it leaves on and which next hop it goes to. It is the where in networking. You may think of it as a postal system, where a device's address on the network is similar to the address of a building in the postal service delivery system. Routing has to do with where things are going and where they came from.

Filtering governs what and how data is sent via a route. In the postal system analogy, filtering is concerned with what is being transported: the packet. Netfilter handles most of the packet mangling. Its scope is limited to packet manipulation. It doesn't cause a packet to move in or out of the server, and doesn't understand network topology like the routing process. On the other hand, the routing process can only choose which path a packet takes based on a limited amount of information: chiefly the destination address (matched by longest prefix) and, with policy routing via ip rule, the source address, incoming interface, or a firewall mark that netfilter has set on the packet.
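The two halves described here, and in the earlier paragraphs on netfilter, iptables and ip route, cooperate in exactly the VPN case mentioned at the start of this guide: netfilter decides what gets tagged, and the routing policy database decides where tagged packets go. The script below is an added example, not code from the original page. It assumes a VPN interface named tun0, a spare routing table number 100, a firewall mark 0x1, and a constructed sample destination prefix 203.0.113.0/24; none of these values come from the page. Because the real commands need root plus the iproute2 and iptables packages, the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original page): send traffic for selected
# destinations through a VPN by combining the two halves of Linux networking.
#   filtering (netfilter via iptables):     tag packets for chosen destinations
#   routing   (iproute2 ip rule / ip route): send tagged packets out the VPN
# Assumed values, not taken from the page: tun0, table 100, mark 0x1.
VPN_IF="${VPN_IF:-tun0}"
VPN_TABLE="${VPN_TABLE:-100}"
VPN_MARK="${VPN_MARK:-0x1}"

# Safety: only touch the live system when APPLY=1; otherwise print commands.
[ "${APPLY:-0}" = 1 ] || DRY_RUN=1

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

vpn_split_tunnel() {
    # $@ = destination prefixes that must leave via the VPN; everything else
    # keeps using the main routing table.
    [ $# -gt 0 ] || { echo "usage: vpn_split_tunnel PREFIX..." >&2; return 1; }

    # --- Filtering half (netfilter, via iptables): WHAT gets tagged ---
    # Locally generated packets pass the mangle OUTPUT chain, after which the
    # kernel re-runs its routing decision, so a mark set here changes the
    # route. (Forwarded traffic from a LAN would be marked in PREROUTING.)
    for prefix in "$@"; do
        run iptables -t mangle -A OUTPUT -d "$prefix" -j MARK --set-mark "$VPN_MARK"
    done
    # Kill switch: if the VPN is down, marked packets must not fall back to
    # the main table and leak out the physical interface.
    run iptables -A OUTPUT -m mark --mark "$VPN_MARK" ! -o "$VPN_IF" -j DROP

    # --- Routing half (iproute2 over netlink, not netfilter): WHERE it goes ---
    # Table 100 holds one default route through the VPN device; a policy rule
    # consults that table for marked packets before the main table is tried.
    # If tun0 disappears, the lookup fails, the main table is used, and the
    # kill switch above drops the packet instead of leaking it.
    run ip route replace default dev "$VPN_IF" table "$VPN_TABLE"
    run ip rule add fwmark "$VPN_MARK" lookup "$VPN_TABLE" pref 1000
    # Replies arrive on tun0 although the main table would route their source
    # via the physical interface; strict reverse-path filtering (rp_filter=1)
    # would drop them, so use loose mode on the VPN interface.
    run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
}

# Constructed sample input for a stand-alone run (a TEST-NET-3 prefix).
[ $# -gt 0 ] || set -- 203.0.113.0/24
vpn_split_tunnel "$@"
```

Run it unprivileged to see the exact commands it would issue; with APPLY=1 as root it applies them. Note that ip rule add is not idempotent, so running it twice leaves a duplicate rule. To undo the setup, use ip rule del fwmark 0x1 lookup 100, ip route flush table 100, and the matching iptables -D commands.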