path: root/2002/netfilter-knf2002
author    Harald Welte <laforge@gnumonks.org>    2015-10-25 21:00:20 +0100
committer Harald Welte <laforge@gnumonks.org>    2015-10-25 21:00:20 +0100
commit    fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 (patch)
tree      a2011270df48d3501892ac1a56015c8be57e8a7d /2002/netfilter-knf2002
import of old now defunct presentation slides svn repo
Diffstat (limited to '2002/netfilter-knf2002')
-rw-r--r--  2002/netfilter-knf2002/abstract                 50
-rw-r--r--  2002/netfilter-knf2002/netfilter-knf2002.mgp   466
2 files changed, 516 insertions, 0 deletions
diff --git a/2002/netfilter-knf2002/abstract b/2002/netfilter-knf2002/abstract
new file mode 100644
index 0000000..bf43544
--- /dev/null
+++ b/2002/netfilter-knf2002/abstract
@@ -0,0 +1,50 @@
+Firewalling mit netfilter/iptables unter Linux 2.4.x
+
+Der Linux 2.4.x Kernel bietet eine fortgeschrittene Infrastruktur, genannt
+netfilter, auf deren Basis ein Paketfilter, NAT und sonstige
+Paket-Manipulationen implementiert sind.
+
+Das gesamte Firewalling-Subsystem wurde gegenueber Kernel 2.2.x neu entwickelt.
+Das netfilter/iptables System laesst alles bisher unter Linux existierende
+(ipfwadm, ipchains) wie aus grauer Vorzeit erscheinen.
+
+netfilter/iptables bietet neben dem traditionellen Paketfilter auch optional
+Connection Tracking, mittels dessen sich im Handumdrehen eine Stateful
+Firewall realisieren laesst. Auch das NAT (Network Address Translation)
+System ist jetzt flexibel genug, um saemtliche Formen von NAT anbieten
+zu koennen: source NAT, destination NAT, static NAT, NAPT, ...
+
+Die hohe Modularitaet resultiert in einer sehr leichten Erweiterbarkeit,
+so dass in einfacher Weise neue Erweiterungen zum Firewalling-System
+entwickelt werden koennen.
+
+Der Vortrag beschreibt die unterschiedlichen Teile des netfilter/iptables
+Systems und gibt dadurch einen Ueberblick ueber dessen Moeglichkeiten und
+Anwendungsszenarien. Er beschaeftigt sich mit den folgenden Themen:
+
+- netfilter/iptables architektur
+ - netfilter hooks im Netzwerk-Stack
+ - IP tables als Regelbeschreibung
+- Paketfilter
+- Connection Tracking
+- Network Address Translation
+ - source NAT
+ - destination NAT
+ - Masquerading
+ - transparent proxy support
+- Packet mangling
+- Userspace packet queuing
+- Userspace packet logging
+
+
+Voraussetzungen:
+- Wissen ueber TCP/IP, Routing
+- Grundlagen ueber Firewalling (insbesondere Paketfilter)
+- Gewisse Grundkenntnisse ueber die Linux/Unix Architektur
+
+
+Ueber den Vortragenden:
+Harald Welte ist seit 1995 aktives KNF-Mitglied und der derzeitige
+stellvertretende Technische Kontakt des KNF. Er ist der Maintainer des
+netfilter/iptables Firewalling-Subsystems im Linux 2.4.x und
+2.5.x Kernel und war massgeblich an dessen Entwicklung beteiligt.
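Review bot: the abstract carries no event or date line, so its only provenance is the directory name `2002/netfilter-knf2002` and the commit message's note that this is an import of a defunct svn repo; since the text describes the speaker as maintainer for the "2.4.x und 2.5.x Kernel" series, a reader opening the file on its own cannot tell when it was written. Suggest a first line naming the event and year (the directory name already gives KNF and 2002) above the title "Firewalling mit netfilter/iptables unter Linux 2.4.x", so the abstract stays self-describing once it is separated from the repository layout.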
diff --git a/2002/netfilter-knf2002/netfilter-knf2002.mgp b/2002/netfilter-knf2002/netfilter-knf2002.mgp
new file mode 100644
index 0000000..4523dd3
--- /dev/null
+++ b/2002/netfilter-knf2002/netfilter-knf2002.mgp
@@ -0,0 +1,466 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+The netfilter/iptables framework in
+Linux 2.4.x
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@gnumonks.org>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables in Linux 2.4
+Contents
+
+
+ Introduction
+ Netfilter hooks in protocol stacks
+ Packet selection based on IP Tables
+ The Connection Tracking Subsystem
+ The NAT Subsystem based on netfilter + iptables
+ Packet filtering using the 'filter' table
+ Packet mangling using the 'mangle' table
+ Advanced netfilter concepts
+ Current development and Future
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables in Linux 2.4
+Introduction
+
+Why did we need netfilter/iptables?
+Because ipchains...
+
+ has no infrastructure for passing packets to userspace
+ makes transparent proxying extremely difficult
+ has interface address dependent Packet filter rules
+ has Masquerading implemented as part of packet filtering
+ code is too complex and intermixed with core ipv4 stack
+ is neither modular nor extensible
+ only barely supports one special case of NAT (masquerading)
+ has only stateless packet filtering
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables in Linux 2.4
+Introduction
+
+Who's behind netfilter/iptables
+ Paul 'Rusty' Russel
+ co-author of iptables in Linux 2.2
+ was paid by Watchguard for about one Year of development
+ James Morris
+ userspace queuing (kernel, library and tools)
+ REJECT target
+ Marc Boucher
+ NAT and packet filtering controlled by one command
+ Mangle table
+ Harald Welte
+ Conntrack+NAT helper infrastructure (newnat)
+ Userspace packet logging (ULOG)
+ PPTP and IRC conntrack/NAT helpers
+ Jozsef Kadlecsik
+ TCP window tracking
+ H.323 conntrack + NAT helper
+ Continued newnat development
+ Non-core team contributors
+ http://www.netfilter.org/scoreboard/
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables in Linux 2.4
+Netfilter Hooks
+
+What is netfilter?
+
+ System of callback functions within network stack
+ Callback function to be called for every packet traversing certain point (hook) within network stack
+ Protocol independent framework
+ Hooks in layer 3 stacks (IPv4, IPv6, DECnet, ARP)
+ Multiple kernel modules can register with each of the hooks
+ Asynchronous packet handling in userspace (ip_queue)
+
+Traditional packet filtering, NAT, ... is implemented on top of this framework
+
+Can be used for other stuff interfacing with the core network stack, like DECnet routing daemon.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables in Linux 2.4
+Netfilter Hooks
+
+Netfilter architecture in IPv4
+%font "courier"
+
+ --->[1]--->[ROUTE]--->[3]--->[4]--->
+ | ^
+ | |
+ | [ROUTE]
+ v |
+ [2] [5]
+ | ^
+ | |
+ v |
+
+%font "standard"
+1=NF_IP_PRE_ROUTING
+2=NF_IP_LOCAL_IN
+3=NF_IP_FORWARD
+4=NF_IP_POST_ROUTING
+5=NF_IP_LOCAL_OUT
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables in Linux 2.4
+Netfilter Hooks
+
+Netfilter Hooks
+
+ Any kernel module may register a callback function at any of the hooks
+
+ The module has to return one of the following constants
+
+ NF_ACCEPT continue traversal as normal
+ NF_DROP drop the packet, do not continue
+ NF_STOLEN I've taken over the packet do not continue
+ NF_QUEUE enqueue packet to userspace
+ NF_REPEAT call this hook again
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables in Linux 2.4
+IP tables
+
+Packet selection using IP tables
+
+ The kernel provides generic IP tables support
+
+ Each kernel module may create it's own IP table
+
+ The three major parts of 2.4 firewalling subsystem are implemented using IP tables
+ Packet filtering table 'filter'
+ NAT table 'nat'
+ Packet mangling table 'mangle'
+
+ Can potentially be used for other stuff, i.e. IPsec SPDB
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables in Linux 2.4
+IP Tables
+
+Managing chains and tables
+
+ An IP table consists out of multiple chains
+ A chain consists out of a list of rules
+ Every single rule in a chain consists out of
+ match[es] (rule executed if all matches true)
+ target (what to do if the rule is matched)
+
+%size 4
+matches and targets can either be builtin or implemented as kernel modules
+
+%size 6
+ The userspace tool iptables is used to control IP tables
+ handles all different kinds of IP tables
+ supports a plugin/shlib interface for target/match specific options
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables in Linux 2.4
+IP Tables
+
+Basic iptables commands
+
+ To build a complete iptables command, we must specify
+ which table to work with
+ which chain in this table to use
+ an operation (insert, add, delete, modify)
+ one or more matches (optional)
+ a target
+
+The syntax is
+%font "typewriter"
+%size 3
+iptables -t table -Operation chain -j target match(es)
+%font "standard"
+%size 5
+
+Example:
+%font "typewriter"
+%size 3
+iptables -t filter -A INPUT -j ACCEPT -p tcp --dport smtp
+%font "standard"
+%size 5
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables in Linux 2.4
+IP Tables
+
+Matches
+ Basic matches
+ -p protocol (tcp/udp/icmp/...)
+ -s source address (ip/mask)
+ -d destination address (ip/mask)
+ -i incoming interface
+ -o outgoing interface
+
+ Match extensions (examples)
+ tcp/udp TCP/udp source/destination port
+ icmp ICMP code/type
+ ah/esp AH/ESP SPID match
+ mac source MAC address
+ mark nfmark
+ length match on length of packet
+ limit rate limiting (n packets per timeframe)
+ owner owner uid of the socket sending the packet
+ tos TOS field of IP header
+ ttl TTL field of IP header
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables in Linux 2.4
+IP Tables
+
+Targets
+ very dependent on the particular table.
+
+ Table specific targets will be discussed later
+
+ Generic Targets, always available
+ ACCEPT accept packet within chain
+ DROP silently drop packet
+ QUEUE enqueue packet to userspace
+ LOG log packet via syslog
+ ULOG log packet via ulogd
+ RETURN return to previous (calling) chain
+ foobar jump to user defined chain
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables in Linux 2.4
+Packet Filtering
+
+Overview
+
+ Implemented as 'filter' table
+ Registers with three netfilter hooks
+
+ NF_IP_LOCAL_IN (packets destined for the local host)
+ NF_IP_FORWARD (packets forwarded by local host)
+ NF_IP_LOCAL_OUT (packets from the local host)
+
+Each of the three hooks has attached one chain (INPUT, FORWARD, OUTPUT)
+
+Every packet passes exactly one of the three chains. Note that this is very different compared to the old 2.2.x ipchains behaviour.
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables in Linux 2.4
+Packet Filtering
+
+Targets available within 'filter' table
+
+ Builtin Targets to be used in filter table
+ ACCEPT accept the packet
+ DROP silently drop the packet
+ QUEUE enqueue packet to userspace
+ RETURN return to previous (calling) chain
+ foobar user defined chain
+
+ Targets implemented as loadable modules
+ REJECT drop the packet but inform sender
+ MIRROR change source/destination IP and resend
+ LOG log via syslog
+ ULOG log via userspace
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables in Linux 2.4
+Connection Tracking Subsystem
+
+ Connection tracking...
+
+ implemented seperately from NAT
+ enables stateful filtering
+ implementation
+ hooks into NF_IP_PRE_ROUTING to track packets
+ hooks into NF_IP_POST_ROUTING and NF_IP_LOCAL_IN to see if packet passed filtering rules
+ protocol modules (currently TCP/UDP/ICMP)
+ application helpers currently (FTP,IRC,H.323,talk,SNMP)
+ divides packets in the following four categories
+ NEW - would establish new connection
+ ESTABLISHED - part of already established connection
+ RELATED - is related to established connection
+ INVALID - (multicast, errors...)
+ does _NOT_ filter packets itself
+ can be utilized by iptables using the 'state' match
+ is used by NAT Subsystem
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables in Linux 2.4
+Network Address Translation
+
+Overview
+
+ Previous Linux Kernels only implemented one special case of NAT: Masquerading
+ Linux 2.4.x can do any kind of NAT.
+ NAT subsystem implemented on top of netfilter, iptables and conntrack
+ NAT subsystem registers with all five netfilter hooks
+ 'nat' Table registers chains PREROUTING, POSTROUTING and OUTPUT
+ Following targets available within 'nat' Table
+ SNAT changes the packet's source whille passing NF_IP_POST_ROUTING
+ DNAT changes the packet's destination while passing NF_IP_PRE_ROUTING
+ MASQUERADE is a special case of SNAT
+ REDIRECT is a special case of DNAT
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables in Linux 2.4
+Network Address Translation
+
+ Source NAT
+ SNAT Example:
+%font "typewriter"
+%size 3
+iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.4 -s 10.0.0.0/8
+%font "standard"
+%size 4
+
+ MASQUERADE Example:
+%font "typewriter"
+%size 3
+iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0
+%font "standard"
+%size 5
+
+ Destination NAT
+ DNAT example
+%font "typewriter"
+%size 3
+iptables -t nat -A PREROUTING -j DNAT --to-destination 1.2.3.4:8080 -p tcp --dport 80 -i eth1
+%font "standard"
+%size 4
+
+ REDIRECT example
+%font "typewriter"
+%size 3
+iptables -t nat -A PREROUTING -j REDIRECT --to-port 3128 -i eth1 -p tcp --dport 80
+%font "standard"
+%size 5
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables in Linux 2.4
+Packet Mangling
+
+ Purpose of mangle table
+ packet manipulation except address manipulation
+
+ Integration with netfilter
+ 'mangle' table hooks in all five netfilter hooks
+ priority: after conntrack
+
+ Targets specific to the 'mangle' table:
+ DSCP - manipulate DSCP field
+ IPV4OPTSSTRIP - strip IPv4 options
+ MARK - change the nfmark field of the skb
+ TCPMSS - set TCP MSS option
+ TOS - manipulate the TOS bits
+ TTL - set / increase / decrease TTL field
+
+Simple example:
+%font "typewriter"
+%size 3
+iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -p tcp --dport 80
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables in Linux 2.4
+Advanced Netfilter concepts
+
+%size 4
+ Userspace logging
+ flexible replacement for old syslog-based logging
+ packets to userspace via multicast netlink sockets
+ easy-to-use library (libipulog)
+ plugin-extensible userspace logging daemon (ulogd)
+ Can even be used to directly log into MySQL
+
+ Queuing
+ reliable asynchronous packet handling
+ packets to userspace via unicast netlink socket
+ easy-to-use library (libipq)
+ provides Perl bindings
+ experimental queue multiplex daemon (ipqmpd)
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables in Linux 2.4
+Current Development and Future
+
+Netfilter (although it proved very stable) is still work in progress.
+
+ Areas of current development
+ infrastructure for conntrack manipulation from userspace
+ failover of stateful firewalls
+ making iptables layer3 independent (pkttables)
+ new userspace library (libiptables) to hide plugins from apps
+ more matches and targets for advanced functions (pool, hashslot)
+ more conntrack and NAT modules (RPC, SNMP, SMB, ...)
+ better IPv6 support (conntrack, more matches / targets)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables in Linux 2.4
+Thanks
+
+ Thanks to
+ the BBS people, Z-Netz, FIDO, ...
+ for heavily increasing my computer usage in 1992
+
+ KNF
+ for bringing me in touch with the internet as early as 1995
+ for providing a playground for technical people
+ for telling me about the existance of Linux!
+
+ Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+ for implementing (one of?) the world's best TCP/IP stacks
+
+ Paul 'Rusty' Russell
+ for starting the netfilter/iptables project
+ for trusting me to maintain it today
+
+ Linux User Group Nuernberg (ALIGN, LUG-N)
+ for helping me with my initial Linux problems
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables in Linux 2.4
+Availability of slides / Links
+
+The slides and the an according paper of this presentation are available at
+ http://www.gnumonks.org/
+
+The netfilter homepage
+ http://www.netfilter.org/
+
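Review bot: the "implementation" bullets on the Connection Tracking slide list only NF_IP_PRE_ROUTING as the hook where packets are tracked; in 2.4 ip_conntrack also registers at NF_IP_LOCAL_OUT so that locally generated packets (the host's own traffic, which the filter slide sends through OUTPUT) get a conntrack entry as well, which is what makes the `state` match usable in OUTPUT and lets the NAT table's OUTPUT chain work. Suggest `hooks into NF_IP_PRE_ROUTING and NF_IP_LOCAL_OUT to track packets`. Two smaller points: "co-author of iptables in Linux 2.2" on the team slide should read ipchains (iptables is the 2.4 tool this deck introduces, and the Introduction slide contrasts it with ipchains); and the SNAT/DNAT/REDIRECT example slide would benefit from one line noting that a nat rule only rewrites addresses and the translated packet still has to be accepted by the filter table's FORWARD or INPUT chain (the Packet Filtering slide itself states that every packet passes exactly one of those chains), since the examples as shown would otherwise be read as complete rulesets. Typos to fix on the next revision: "Russel" on the team slide versus "Russell" on the thanks slide, "seperately", "whille", "existance", and "SPID" for SPI in the ah/esp match line.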