Explanation of IP Tables Rules
The INPUT chain determines how to treat an IP packet arriving at the network adapter from the network. The OUTPUT chain determines how to treat an IP packet originating from within the device.

Each chain lists its rules by target, protocol, source and destination address, and port. A rule's match criteria decide whether a packet is handed to that rule's target, which is either a built-in action (ACCEPT, REJECT, DROP, RETURN) or another chain to jump into.

The filter table is used to filter (ACCEPT, REJECT or DROP) packets. There are three default chains defined for the filter table:
- The INPUT chain: Rules in this chain apply to packets just before they’re given to a local process.
- The OUTPUT chain: The rules here apply to packets just after they’ve been produced by a process.
- The FORWARD chain: The rules here apply to any packets that are routed through the current host.
A user-defined chain is only in use if it is referenced from at least one of the above chains, directly or through another referenced chain; the "(N references)" shown next to each chain in the listing below reflects this. A chain that is defined but has 0 references may be activated later depending on settings. For example, a Wi-Fi network may be configured with a quota or limited to certain hours. We do not use those settings or provide a means to configure them on our production tablets.
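To check the "in use" rule above mechanically, the following added example (not code from the original page or from the Android firewall it describes) parses a constructed excerpt written in the same `iptables -L` format as the listing below, walks the jumps out of the three built-in chains to find which user-defined chains a packet can actually reach, and recomputes the reference counts. The sample listing, the `ACTIONS` and `PROTOS` sets and the `audit` function are assumptions for illustration; chains that are defined but unreachable (such as fw_dozable in the sample) are the ones that only come into play when some setting later adds a jump to them.

```python
import re
from collections import defaultdict

BUILTIN = ("INPUT", "FORWARD", "OUTPUT")
# Terminal or built-in targets; anything else in the target column is a jump to a user chain.
ACTIONS = {"ACCEPT", "DROP", "REJECT", "RETURN", "CONNMARK", "NFLOG", "LOG", "MARK", "QUEUE"}
# Protocol names that appear first on a rule line when the rule has no target at all.
PROTOS = {"all", "tcp", "udp", "icmp", "esp", "ah", "sctp", "udplite"}

# Constructed excerpt in `iptables -L` format (not a capture from a real device).
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
bw_INPUT   all  --  anywhere             anywhere
fw_INPUT   all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
fw_OUTPUT  all  --  anywhere             anywhere

Chain bw_INPUT (1 references)
target     prot opt source               destination
           all  --  anywhere             anywhere             owner socket exists

Chain fw_INPUT (1 references)
target     prot opt source               destination
fw_standby all  --  anywhere             anywhere

Chain fw_OUTPUT (1 references)
target     prot opt source               destination
fw_standby all  --  anywhere             anywhere

Chain fw_dozable (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             owner UID match 0-9999
DROP       all  --  anywhere             anywhere

Chain fw_standby (2 references)
target     prot opt source               destination
"""


def parse_listing(text):
    """Parse `iptables -L` output into {chain: [target, ...]}; None marks a rule with no target."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif not line or line.startswith("target ") or current is None:
            continue                       # blank line or column header
        else:
            first = line.split()[0]
            chains[current].append(None if first in PROTOS else first)
    return chains


def reachable_chains(chains):
    """Chains a packet can actually enter, following jumps from the built-in chains."""
    seen, stack = set(), list(BUILTIN)
    while stack:
        name = stack.pop()
        if name in seen or name not in chains:
            continue
        seen.add(name)
        stack.extend(t for t in chains[name] if t and t not in ACTIONS)
    return seen


def reference_counts(chains):
    """Recompute the '(N references)' figure: how many rules jump to each user chain."""
    counts = defaultdict(int)
    for targets in chains.values():
        for t in targets:
            if t and t not in ACTIONS and t in chains:
                counts[t] += 1
    return {name: counts[name] for name in chains if name not in BUILTIN}


def audit(text):
    chains = parse_listing(text)
    live = reachable_chains(chains)
    return {"reachable": sorted(live - set(BUILTIN)),
            "dormant": sorted(set(chains) - live),
            "references": reference_counts(chains)}


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against a real `iptables -L -n` dump, `dormant` lists exactly the chains whose rules cannot affect any packet today, which is the set to watch for when a configuration change silently starts referencing one of them.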
```mermaid
graph TD;
INPUT --> bw_INPUT;
INPUT --> fw_INPUT;
FORWARD --> oem_fwd;
FORWARD --> fw_FORWARD;
FORWARD --> natctrl_FORWARD;
OUTPUT --> oem_out;
OUTPUT --> fw_OUTPUT;
OUTPUT --> st_OUTPUT;
OUTPUT --> bw_OUTPUT;
```
```
Chain INPUT (policy ACCEPT)
target           prot opt source     destination
bw_INPUT         all  --  anywhere   anywhere
fw_INPUT         all  --  anywhere   anywhere

Chain FORWARD (policy ACCEPT)
target           prot opt source     destination
oem_fwd          all  --  anywhere   anywhere
fw_FORWARD       all  --  anywhere   anywhere
fw_FORWARD       all  --  anywhere   anywhere
natctrl_FORWARD  all  --  anywhere   anywhere

Chain OUTPUT (policy ACCEPT)
target           prot opt source     destination
oem_out          all  --  anywhere   anywhere
fw_OUTPUT        all  --  anywhere   anywhere
st_OUTPUT        all  --  anywhere   anywhere
bw_OUTPUT        all  --  anywhere   anywhere

Chain bw_FORWARD (1 references)
target           prot opt source     destination

Chain bw_INPUT (1 references)
target           prot opt source     destination
                 all  --  anywhere   anywhere   ! quota globalAlert: 2097152 bytes
                 all  --  anywhere   anywhere   owner socket exists
```
The intent of these two rules is to count incoming packets only when a local socket already exists for them (owner socket exists) and to match, and so alert on, traffic once the globalAlert quota of 2097152 bytes (2 MiB) has been exceeded, so that high-frequency traffic can be throttled before it overloads the device. Note that neither rule shows a target in the listing, so in this form they only match and update counters; the packet continues through the remaining chains to the INPUT policy (ACCEPT).
```
Chain bw_OUTPUT (1 references)
target           prot opt source     destination
                 all  --  anywhere   anywhere   ! quota globalAlert: 2097152 bytes
                 all  --  anywhere   anywhere   owner socket exists
```
The intent here is the same for outgoing packets: count them only when the sending socket already exists (owner socket exists) and match traffic once the globalAlert quota of 2097152 bytes (2 MiB) has been exceeded, so that high-frequency traffic can be throttled before it overloads the device. As in bw_INPUT, neither rule carries a target, so they only match and update counters; the packet continues to the OUTPUT policy (ACCEPT).
```
Chain bw_costly_shared (0 references)
target           prot opt source     destination
bw_penalty_box   all  --  anywhere   anywhere

Chain bw_happy_box (0 references)
target           prot opt source     destination

Chain bw_penalty_box (1 references)
target           prot opt source     destination

Chain fw_FORWARD (1 references)
target           prot opt source     destination

Chain fw_INPUT (1 references)
target           prot opt source     destination
fw_standby       all  --  anywhere   anywhere

Chain fw_OUTPUT (1 references)
target           prot opt source     destination
fw_standby       all  --  anywhere   anywhere

Chain fw_dozable (0 references)
target           prot opt source     destination
RETURN           all  --  anywhere   anywhere   owner UID match 0-9999
DROP             all  --  anywhere   anywhere

Chain fw_standby (2 references)
target           prot opt source     destination

Chain natctrl_FORWARD (1 references)
target           prot opt source     destination
DROP             all  --  anywhere   anywhere

Chain natctrl_tether_counters (0 references)
target           prot opt source     destination

Chain oem_fwd (1 references)
target           prot opt source     destination

Chain oem_out (1 references)
target           prot opt source     destination

Chain st_OUTPUT (1 references)
target           prot opt source     destination

Chain st_clear_caught (2 references)
target           prot opt source     destination

Chain st_clear_detect (0 references)
target           prot opt source     destination
REJECT           all  --  anywhere   anywhere   connmark match 0x2000000/0x2000000 reject-with icmp-port-unreachable
RETURN           all  --  anywhere   anywhere   connmark match 0x1000000/0x1000000
CONNMARK         tcp  --  anywhere   anywhere   u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0xffff0000=0x16030000&&0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x4&0xff0000=0x10000" CONNMARK or 0x1000000
CONNMARK         udp  --  anywhere   anywhere   u32 "0x0>>0x16&0x3c@0x8&0xffff0000=0x16fe0000&&0x0>>0x16&0x3c@0x14&0xff0000=0x10000" CONNMARK or 0x1000000
RETURN           all  --  anywhere   anywhere   connmark match 0x1000000/0x1000000
st_clear_caught  tcp  --  anywhere   anywhere   state ESTABLISHED u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0x0=0x0"
st_clear_caught  udp  --  anywhere   anywhere

Chain st_penalty_log (0 references)
target           prot opt source     destination
CONNMARK         all  --  anywhere   anywhere   CONNMARK or 0x1000000
NFLOG            all  --  anywhere   anywhere

Chain st_penalty_reject (0 references)
target           prot opt source     destination
CONNMARK         all  --  anywhere   anywhere   CONNMARK or 0x2000000
NFLOG            all  --  anywhere   anywhere
REJECT           all  --  anywhere   anywhere   reject-with icmp-port-unreachable
```
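The st_clear_detect chain above (0 references in this listing, so dormant until something jumps to it) tells a TLS or DTLS handshake from cleartext with three xt_u32 expressions. Decoded, the TCP expression reads the IPv4 header length (`0x0>>0x16&0x3c` is IHL*4), then the TCP data offset (`0xc>>0x1a&0x3c` is data-offset*4), then checks that the payload starts with 0x16 0x03 (a TLS handshake record, protocol version 3.x) and that payload byte 5 is 0x01 (a ClientHello); the UDP expression skips the fixed 8-byte UDP header and checks for 0x16 0xfe (a DTLS handshake record) with byte 13 equal to 0x01. Matching flows get connmark bit 0x1000000 and are left alone; established TCP segments that carry at least four payload bytes but never matched, and every UDP datagram, go to st_clear_caught. The following is an added example, not code from the original page or from Android's netd: a small Python evaluator for the u32 match syntax (`&`, `>>`, `<<`, `@`, `=`, `&&`, with the semantics of the kernel's xt_u32 module) run over constructed IPv4/TCP and IPv4/UDP packets, followed by a walk through the chain in rule order. The three expressions are copied from the listing; the packet builders, sample payloads, and the `st_clear_detect` function are assumptions for illustration.

```python
import re
import struct

# The three u32 expressions, copied from the st_clear_detect chain.
TLS_CLIENT_HELLO = ("0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0xffff0000=0x16030000"
                    "&&0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x4&0xff0000=0x10000")
DTLS_CLIENT_HELLO = ("0x0>>0x16&0x3c@0x8&0xffff0000=0x16fe0000"
                     "&&0x0>>0x16&0x3c@0x14&0xff0000=0x10000")
TCP_HAS_PAYLOAD = "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0x0=0x0"

_TOK = re.compile(r"0x[0-9a-fA-F]+|\d+|>>|<<|&|@")


def _load32(pkt, pos):
    """Big-endian 32-bit load; None when the read would run past the packet (u32 then fails)."""
    if pos < 0 or pos + 4 > len(pkt):
        return None
    return struct.unpack_from("!I", pkt, pos)[0]


def _u32_test(pkt, location, values):
    """Evaluate one 'location=values' test the way xt_u32 does: load, then apply ops left to right."""
    toks = _TOK.findall(location)
    at = 0                                   # base offset, advanced by every '@'
    val = _load32(pkt, int(toks[0], 0))
    if val is None:
        return False
    for op, num in zip(toks[1::2], toks[2::2]):
        num = int(num, 0)
        if op == "&":
            val &= num
        elif op == ">>":
            val >>= num
        elif op == "<<":
            val = (val << num) & 0xFFFFFFFF
        else:                                # '@': the value so far becomes the new base
            at += val
            val = _load32(pkt, at + num)
            if val is None:
                return False
    for rng in values.split(","):            # values may be a list of 'lo:hi' ranges
        lo, _, hi = rng.partition(":")
        if int(lo, 0) <= val <= int(hi or lo, 0):
            return True
    return False


def u32_match(pkt, expr):
    """True if every '&&'-joined test in an xt_u32 expression matches the raw IPv4 packet."""
    return all(_u32_test(pkt, *t.partition("=")[::2]) for t in expr.split("&&"))


def _ipv4(proto, l4):
    """Constructed IPv4 header (IHL=5, no options, checksum left zero) in front of a transport segment."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + l4


def tcp_packet(payload):
    # Constructed 20-byte TCP header: data offset 5, ACK flag, window 65535.
    return _ipv4(6, struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, 0x10, 65535, 0, 0) + payload)


def udp_packet(payload):
    return _ipv4(17, struct.pack("!HHHH", 40000, 4433, 8 + len(payload), 0) + payload)


# Constructed payloads: TLS record (type 0x16, version 3.1) whose handshake type is ClientHello (0x01);
# DTLS record (type 0x16, version 0xfefd) with the handshake type at byte 13; a cleartext HTTP request.
TLS_HELLO = bytes.fromhex("160301 00c8 01 0000c4 0303") + b"\x00" * 8
DTLS_HELLO = b"\x16\xfe\xfd" + b"\x00" * 10 + b"\x01" + b"\x00" * 8
HTTP_GET = b"GET / HTTP/1.1\r\n"


def st_clear_detect(pkt, connmark=0):
    """Walk the st_clear_detect chain for one IPv4 packet and report which rule fires."""
    proto = pkt[9]                           # IPv4 protocol field: 6 = TCP, 17 = UDP
    if connmark & 0x2000000:
        return "REJECT"                      # connection already penalised
    if connmark & 0x1000000:
        return "RETURN"                      # connection already classed as TLS/DTLS
    if proto == 6 and u32_match(pkt, TLS_CLIENT_HELLO):
        return "CONNMARK or 0x1000000"
    if proto == 17 and u32_match(pkt, DTLS_CLIENT_HELLO):
        return "CONNMARK or 0x1000000"
    # The listing's TCP rule also needs conntrack state ESTABLISHED; a lone packet cannot
    # show that, so it is assumed here.
    if proto == 6 and u32_match(pkt, TCP_HAS_PAYLOAD):
        return "st_clear_caught"
    if proto == 17:
        return "st_clear_caught"
    return "end of chain"                    # e.g. a TCP segment carrying no payload


if __name__ == "__main__":
    for label, pkt in [("TLS ClientHello", tcp_packet(TLS_HELLO)),
                       ("DTLS ClientHello", udp_packet(DTLS_HELLO)),
                       ("HTTP GET", tcp_packet(HTTP_GET)),
                       ("empty ACK", tcp_packet(b""))]:
        print(f"{label:16} -> {st_clear_detect(pkt)}")
```

The last rule's odd-looking `&0x0=0x0` test is what keeps pure ACKs out of st_clear_caught: the `@0x0` load fails unless four payload bytes exist, and a failed load makes the whole u32 match fail. The evaluator also makes the limits of the heuristic visible: it inspects only the first packet bytes, so a TLS session whose ClientHello was split across segments, or any protocol that happens to begin with 0x16 0x03, is classified by those bytes alone.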