
Week 14 - Netfilter / nftables / iptables, IPVS

14.1 Conceptual Core

  • iptables is being phased out in favor of nftables, the in-kernel successor. Both program the netfilter hooks.
  • IPVS (IP Virtual Server) is the kernel-level L4 load-balancer used by kube-proxy (ipvs mode) and many appliance-style LBs. Three modes: NAT, DR (direct routing, a.k.a. direct server return), TUN.
  • The decision matrix: simple SNAT/DNAT/firewall → nftables. L4 LB at scale → IPVS. L7 LB → userspace (Envoy, Nginx, HAProxy).

14.2 Mechanical Detail

  • nftables tables: families ip, ip6, inet, arp, bridge, netdev. Tables contain chains; chains contain rules; rules match and act.
  • The standard pattern for a host firewall:
    table inet filter {
        chain input {
            type filter hook input priority 0; policy drop;
            ct state established,related accept   # replies to connections we opened
            iif lo accept                         # loopback
            tcp dport 22 accept                   # SSH
            icmp type echo-request accept         # ping
        }
        chain forward { type filter hook forward priority 0; policy drop; }
        chain output { type filter hook output priority 0; policy accept; }
    }

  • IPVS: configured via ipvsadm. A virtual service has a VIP+port, a scheduling algorithm (rr, wrr, lc, wlc, sh = source hashing), and real servers.
  • conntrack-tools for inspecting and manipulating the conntrack table; conntrackd for HA replication.

14.3 Lab: "Build a Stateful Firewall and a Load Balancer"

  1. Convert an existing iptables ruleset to nftables. Verify equivalence with packet probes.
  2. Set up IPVS-DR: VIP with two real servers; load test with wrk. Compare with HAProxy on the same setup.
  3. Saturate the conntrack table on purpose; observe "nf_conntrack: table full, dropping packet" in dmesg. Tune nf_conntrack_max.
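For lab step 1 the real tool is the iptables-translate utility that ships with modern iptables, but a small translator for a teaching subset shows what the mapping actually is. This is an added example, not the course's code: translate_rule and translate_ruleset are names chosen here, the subset covers only the options used by the host-firewall pattern in 14.2 (-P, -A with -i, -p tcp/udp/icmp with --dport/--icmp-type, -m conntrack --ctstate, -j ACCEPT/DROP/REJECT), and anything outside it raises so that a rule is never silently dropped during conversion. Equivalence of the result still has to be checked with packet probes, as the lab says.

```python
import shlex

TARGETS = {"ACCEPT": "accept", "DROP": "drop", "REJECT": "reject"}
KNOWN = {"-A", "-p", "-i", "-m", "-j", "--dport", "--ctstate", "--icmp-type"}
CHAINS = ("INPUT", "FORWARD", "OUTPUT")


def translate_rule(line):
    """Translate one 'iptables -A CHAIN ...' line (teaching subset) to (chain, nft_rule)."""
    argv = shlex.split(line.strip().removeprefix("iptables "))
    opts = dict(zip(argv[::2], argv[1::2]))
    if (len(argv) % 2 or not opts.keys() <= KNOWN or opts.get("-A") not in CHAINS
            or opts.get("-m") not in (None, "conntrack", "tcp", "udp") or opts.get("-j") not in TARGETS):
        raise ValueError(f"unsupported rule, convert by hand: {line}")  # never drop a rule silently
    proto, parts = opts.get("-p"), []
    if "-i" in opts:
        parts.append(f"iif {opts['-i']}")
    if "--ctstate" in opts:  # ESTABLISHED,RELATED -> ct state established,related
        parts.append(f"ct state {opts['--ctstate'].lower()}")
    for flag, keyword in (("--dport", "dport"), ("--icmp-type", "type")):
        if flag in opts:
            if proto is None:
                raise ValueError(f"{flag} requires -p: {line}")
            parts.append(f"{proto} {keyword} {opts[flag]}")  # e.g. tcp dport 22
    if proto and not {"--dport", "--icmp-type"} & opts.keys():
        parts.append(f"meta l4proto {proto}")  # bare protocol match without a port
    parts.append(TARGETS[opts["-j"]])
    return opts["-A"], " ".join(parts)


def translate_ruleset(lines, family="inet", table="filter"):
    """Render iptables filter-table -P/-A command lines as one nft table definition."""
    policies = dict.fromkeys(CHAINS, "accept")  # iptables default policy is ACCEPT
    rules = {chain: [] for chain in CHAINS}
    for line in (raw.strip().removeprefix("iptables ") for raw in lines):
        if not line or line.startswith("#"):
            continue
        if line.startswith("-P "):
            chain, policy = line.split()[1:3]
            if chain not in CHAINS or policy not in ("ACCEPT", "DROP"):
                raise ValueError(f"invalid policy line: {line}")
            policies[chain] = TARGETS[policy]
        else:
            chain, rule = translate_rule(line)
            rules[chain].append(rule)
    out = [f"table {family} {table} {{"]
    for chain, policy in policies.items():
        hook = chain.lower()
        out += [f"    chain {hook} {{", f"        type filter hook {hook} priority 0; policy {policy};"]
        out += [f"        {rule}" for rule in rules[chain]]
        out.append("    }")
    return "\n".join(out + ["}"])
```

Feeding it the iptables equivalent of the 14.2 pattern reproduces that ruleset; pipe the output through `nft -c -f -` to syntax-check it before loading.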

14.4 Hardening Drill

  • Default-deny INPUT and FORWARD policies. Document the allowed flows. Ship the nftables ruleset as part of the host's idempotent provisioning.

14.5 Performance Tuning Slice

  • Compare iptables vs nftables vs IPVS per-packet overhead with perf stat on a packet-flood workload.
