Diffstat (limited to 'netfilter/netfilter-slides.mgp')
-rw-r--r-- | netfilter/netfilter-slides.mgp | 443 |
1 files changed, 443 insertions, 0 deletions
diff --git a/netfilter/netfilter-slides.mgp b/netfilter/netfilter-slides.mgp new file mode 100644 index 0000000..c94be25 --- /dev/null +++ b/netfilter/netfilter-slides.mgp 
@@ -0,0 +1,443 @@ +%include "default.mgp" +%default 1 bgrad +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +%nodefault +%back "blue" + +%center +%size 7 + + +The netfilter framework in Linux 2.4 + + +%center +%size 4 +by + +Harald Welte <laforge@gnumonks.org> + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter in Linux 2.4 +Contents + + Introduction + + PART I - Netfilter basics / concepts + + Part II - Packet filtering using iptables and netfilter + + Part III - NAT using iptables and netfilter + + Part IV - Packet mangling using iptables and netfilter + + Advanced netfilter concepts + + Current development and Future + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter in Linux 2.4 +Introduction + +What is netfilter + + More than a firewall subsystem + + Generalized Framework (protocol independend) + + Hooks in the Network stack + + Multiple kernel modules can register with each of the hooks + + Asynchronous packet handling in userspace + + IP Tables, usable for any module + +Traditional packet filtering / NAT / ... 
implemented on top of this framework + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter in Linux 2.4 +Introduction + +Why did we need netfilter + + No infrastructure for passing packets to userspace + + Transparent proxying extremely difficult + + Packet filter rules depend on interface addresses + + Masquerading and packet filtering not implemented seperately + + Code too complex + + Neither modular nor extensible +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter in Linux 2.4 +Introduction + +Authors of netfilter + Paul 'Rusty' Russell + co-author of ipchains in Linux 2.2 + was paid by Watchguard for about one Year of development + now works for Linuxcare + + James Morris + userspace queuing (kernel, library and tools) + REJECT target + + Marc Boucher + NAT and packet filtering controlled by one comand + Mangle table + + Harald Welte + IRC conntrac+NAT helper + Userspace packet logging + IPv6 stuff + + Non-core team contributors + http://netfilter.kernelnotes.org/scoreboard.html +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter in Linux 2.4 +PART I - Netfilter basics + +Netfilter architecture in IPv4 +%font "typewriter" + + --->[1]--->[ROUTE]--->[3]--->[4]---> + | ^ + | | + | [ROUTE] + v | + [2] [5] + | ^ + | | + v | + +%font "standard" +1=NF_IP_PRE_ROUTING +2=NF_IP_LOCAL_IN +3=NF_IP_FORWARD +4=NF_IP_POST_ROUTING +5=NF_IP_LOCAL_OUT +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter in Linux 2.4 +PART I - Netfilter basics + +Netfilter base + + Any kernel module may register a callback function at any of the hooks + + The module has to return one of the following constants + + NF_ACCEPT continue traversal as normal + NF_DROP drop the packet, do not continue + NF_STOLEN I've taken over the packet do not continue + NF_QUEUE enqueue packet to userspace + NF_REPEAT call this hook again + 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter in Linux 2.4 +PART I - Netfilter basics + +Packet selection using IP tables + + The kernel provides generic IP tables support + + Each kernel module may create it's own IP table + + The three major parts of 2.4 advanced packet handling are implemented using IP tables + + Packet filtering table 'filter' + + NAT table 'nat' + + Packet mangling table 'mangle' + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter in Linux 2.4 +PART II - packet filtering + +Overview + + Implemented on top of three netfilter hooks + + NF_IP_LOCAL_IN (packets destined for the local host) + NF_IP_FORWARD (packets forwarded by local host) + NF_IP_LOCAL_OUT (packets from the local host) + +%size 4 +On each of the three hooks we register one chain (INPUT, FORWARD, OUTPUT) of the IP Table 'filter' + +Each packet passes exactly one of the three chains. Note that this is very different compared to the old 2.2 ipchains behaviour. 
+ +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter in Linux 2.4 +PART II - packet filtering + +Managing chains and tables + +Each rule in a chain consists out of + match (which packet match this rule) + target (what to do if the rule is matched) + +%size 4 +matches and targets can either be builtin or implemented as kernel modules + +%size 6 +The userspace tool iptables is very flexible + handles all different kinds of IP tables + supports a plugin/shlib interface for target / match specific options + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter in Linux 2.4 +PART II - packet filtering + +Basic iptables commands + +To build a complete iptable command, we must specify + which table to work with + which chain in this table to use + an operation (insert, add, delete, modify) + a match + a target + +The syntax is +%font "typewriter" +%size 3 +iptables -t table -Operation chain -j target match(es) +%font "standard" +%size 5 + +Example: +%font "typewriter" +%size 3 +iptables -t filter -A INPUT -j ACCEPT -p tcp --dport smtp +%font "standard" +%size 5 + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter in Linux 2.4 +PART II - packet filtering + +Targets + + Builtin Targets to be used in filter table + ACCEPT accept the packet + DROP silently drop the packet + QUEUE enqueue packet to userspace + RETURN return to previous (calling) chain + foobar user defined chain + +Targets implemented as loadable modules + REJECT drop the packet but inform sender + MIRROR change source/destination IP and resend + LOG log via syslog + ULOG log via userspace + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter in Linux 2.4 +PART II - packet filtering + +Matches + + Basic matches + -p protocol (tcp/udp/icmp/...) 
+ -s source address (ip/mask) + -d destination address (ip/mask) + -i incoming interface + -o outgoing interface + + Match extensions + --dport destination port + --sport source port + --mac-source source MAC address + --mark nfmark + --tos TOS field of IP header + --ttl TTL field of IP header + --limit rate limiting (n packets per timeframe) + --owner owner uid of the socket sending the packet + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter in Linux 2.4 +PART III - NAT + +Overview + + Previous Linux Kernels only implemented one special case of NAT: Masquerading + + Netfilter enables Linux to do any kind of NAT. + + All matches from packet filtering are available for the nat tables, too + + We divide NAT into 'source NAT' and 'destination NAT' + + SNAT changes the packet's source whille passing NF_IP_POST_ROUTING + + DNAT changes the packet's destination while passing NF_IP_PRE_ROUTING + + MASQUERADE is a special case of SNAT + + REDIRECT is a special case of DNAT + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter in Linux 2.4 +PART III - NAT + +Source NAT + + SNAT Example: +%font "typewriter" +%size 3 + +iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.4 -s 10.0.0.0/8 +%font "standard" +%size 4 + +Masquerading does almost the same as SNAT, but if the outgoing interfaces' address changes (in case we have a dialup with dynamic ip), the new address is used. 
+ + MASQUERADE Example: +%font "typewriter" +%size 3 + +iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0 +%font "standard" +%size 5 + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter in Linux 2.4 +PART III - NAT + +Destination NAT + + DNAT example: +%font "typewriter" +%size 3 + +iptables -t nat -A PREROUTING -j DNAT --to-destination 1.2.3.4:8080 -p tcp --dport 80 -i eth1 +%font "standard" +%size 4 + +REDIRECT is a special case of DNAT, which alters the destination to the address of the incoming interface. + + REDIRECT example: +%font "typewriter" +%size 3 + +iptables -t nat -A PREROUTING -j REDIRECT --to-port 3128 -i eth1 -p tcp --dport 80 +%font "standard" +%size 5 + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter in Linux 2.4 +PART IV - Packet mangling + + Change certain parts of a packet based on rules in IP tables + + Again all the matches available, as described in packet filtering section. + + Currently, the supported packet mangling targets are: + TOS manipulate the TOS bits + TTL set / increase / decrease TTL field + MARK change the nfmark field of the skb + +Simple example: +%font "typewriter" +%size 3 + +iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -p tcp --dport 80 + + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter in Linux 2.4 +Advanced Netfilter concepts + + Connection tracking + + Implemented seperately from NAT + + Enables stateful filtering + + Implementation + hooks into NF_IP_PRE_ROUTING to track packets + hooks into NF_IP_POST_ROUTING and NF_IP_LOCAL_IN to drop information about connections which got filtered out + protocol modules (currently TCP/UDP/ICMP) + application helpers (currently FTP and IRC-DCC) + + Conntrack divides packets in the following four categories + NEW - would establish new connection + ESTABLISHED - part of already established connection + RELATED - is related to established 
connection + INVALID - (multicast, errors...) + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter in Linux 2.4 +Advanced Netfilter concepts + +%size 4 + Userspace logging + flexible replacement for old syslog-based logging + packets to userspace via multicast netlink sockets + easy-to-use library (libipulog) + plugin-extensible userspace logging daemon already available + + Queuing + reliable asynchronous packet handling + packets to userspace via unicast netlink socket + easy-to-use library (libipq) + experimental queue multiplex daemon (ipqmpd) + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter in Linux 2.4 +Current Development and Future + +Netfilter (although it proved very stable) is still work in progress. + +Areas of current development + infrastructure for conntrack/nat helpers in userspace + full TCP sequence number tracking + multicast support for connection tracking + more flexible matches (MAXCONN, ...) + more conntrack and NAT modules (RPC, SNMP, SMB, ...) + better IPv6 support (conntrack, more matches / targets) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter in Linux 2.4 +Availability of slides / Links + +The slides and the an according paper of this presentation are available at + http://www.gnumonks.org + +The netfilter homepage is mirrored at: + http://netfilter.samba.org + http://netfilter.kernelnotes.org + http://netfilter.filewatcher.org + +More documents / netfilter extensions (ulogd, ipqmpd, ...) + http://www.gnumonks.org/projects |
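Review bot: the new slide source carries several spelling and grammar errors that will show up verbatim on the projected slides and should be fixed before this is committed: "protocol independend" should read "protocol independent", "seperately" (used twice, in "Masquerading and packet filtering not implemented seperately" and "Implemented seperately from NAT") should be "separately", "whille passing NF_IP_POST_ROUTING" should be "while", "controlled by one comand" should be "command", "IRC conntrac+NAT helper" should be "conntrack+NAT helper" to match the spelling used everywhere else in the deck, "Each kernel module may create it's own IP table" should be "its own", "Each rule in a chain consists out of" should be "consists of", and the closing slide's "The slides and the an according paper" should be "The slides and an accompanying paper". As a smaller style point, the contents slide mixes "PART I" with "Part II", "Part III" and "Part IV", while the per-slide headers use "PART I" through "PART IV" and "Advanced Netfilter concepts" versus the contents entry "Advanced netfilter concepts"; pick one capitalization for both the table of contents and the slide headers so the navigation reads consistently.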