From fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Sun, 25 Oct 2015 21:00:20 +0100 Subject: import of old now defunct presentation slides svn repo --- 2005/netfilter_administration-cluc2005/abstract | 25 + 2005/netfilter_administration-cluc2005/biography | 25 + .../netfilter_iptables-cluc2005.mgp | 559 +++++++++++++++++++++ 3 files changed, 609 insertions(+) create mode 100644 2005/netfilter_administration-cluc2005/abstract create mode 100644 2005/netfilter_administration-cluc2005/biography create mode 100644 2005/netfilter_administration-cluc2005/netfilter_iptables-cluc2005.mgp (limited to '2005/netfilter_administration-cluc2005') diff --git a/2005/netfilter_administration-cluc2005/abstract b/2005/netfilter_administration-cluc2005/abstract new file mode 100644 index 0000000..9643244 --- /dev/null +++ b/2005/netfilter_administration-cluc2005/abstract @@ -0,0 +1,25 @@ +Workshop about netfilter/iptables firewall administration + +Target audience: System and Network Administrators + +Prerequirements: Advanced knowledge about the TCP/IP protocol suite, general +GNU/Linux system adminstration skills. + +Goal: To give an in-depth introduction into the netfilter/iptables subsystem of +the Linux kernel. Given the information in this workshop, the audience should +be able to configure and use netfilter/iptables in an effective way. + +Table of contents: +- The history of the linux packet filter (ipfwadm, ipchains, iptables) +- netfilter: the hooks +- iptables: the packet matching system on top of netfilter + - general structure + - available targets + - available matches +- iptable_filter: Packet filtering +- iptable_mangle: Packet mangling +- ip_conntrack: Connection tracking on top of netfilter +- iptable_nat: Combining netfilter, iptables and ip_conntrack +- Practical examples of typical firewall rulesets +- The 10 commandments of how to break your network (the "don't do" part) +- Lots of time for questions & anwers 
diff --git a/2005/netfilter_administration-cluc2005/biography b/2005/netfilter_administration-cluc2005/biography new file mode 100644 index 0000000..165a4dc --- /dev/null +++ b/2005/netfilter_administration-cluc2005/biography @@ -0,0 +1,25 @@ + Harald Welte is a independent software developer and consultant[1] in the +fields of operating system development and network security, as well as +high-performance data communications and embedded computing. For a number of +years, he is the chairman of the netfilter/iptables[2] project, a Free Software +solution for Linux-based network firewalls. + + During the last six years, he has been contracted for projects by various +international companies of all industries, ranging from software vendors to +banks to manufacturers of networking gear. + + He licenses his software under the terms of the GNU GPL, and is determined to +bring all users, distributors, value added resellers and vendors of projects +based on his software in full compliance with the GPL, even if it includes +raising legal charges. + + Apart from his technical work, Harald is participating in a number of +non-for-profit organizations such as the CCC[3], FFII[4]. + + Mr. Welte is currently living in Berlin, Germany. + +[1] http://www.hmw-consulting.de/ +[2] http://www.netfilter.org/ +[3] http://www.ccc.de/ +[4] http://www.ffii.org/ + diff --git a/2005/netfilter_administration-cluc2005/netfilter_iptables-cluc2005.mgp b/2005/netfilter_administration-cluc2005/netfilter_iptables-cluc2005.mgp new file mode 100644 index 0000000..10a124b --- /dev/null +++ b/2005/netfilter_administration-cluc2005/netfilter_iptables-cluc2005.mgp 
@@ -0,0 +1,559 @@ +%include "default.mgp" +%default 1 bgrad +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +%nodefault +%back "blue" + +%center +%size 7 + + +netfilter/iptables tutorial + + +%center +%size 4 +by + +Harald Welte + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Contents + + + Introduction + Highly Scalable Linux Network Stack + Netfilter Hooks + Packet selection based on IP Tables + The Connection Tracking Subsystem + The NAT Subsystem + Packeet Mangling + Advanced netfilter concepts + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +The GNU GPL Revisited +Introduction + + +Who is speaking to you? + an independent Free Software developer + who earns his living off Free Software since 1997 + who is one of the authors of the Linux kernel firewall system called netfilter/iptables + who can claim to be the first to have enforced the GNU GPL in court + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Introduction + +Linux and Networking + Linux is a true child of the Internet + Early adopters: ISP's, Universities + Lots of work went into a highly scalable network stack + Not only for client/server, but also for routers + Features unheared of in other OS's + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Introduction + +Did you know, that a stock 2.6.x linux kernel can provide + + a stateful packet filter ? + fully symmetric NA(P)T ? + policy routing ? + QoS / traffic shaping ? + IPv6 firewalling ? + packet filtering, NA(P)T on a bridge ? + layer 2 (mac) address translation ? + packet forwarding rates of up to 2.1mpps ? + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Introduction + +Why did we need netfilter/iptables? +Because ipchains... 
+ + has no infrastructure for passing packets to userspace + makes transparent proxying extremely difficult + has interface address dependent Packet filter rules + has Masquerading implemented as part of packet filtering + code is too complex and intermixed with core ipv4 stack + is neither modular nor extensible + only barely supports one special case of NAT (masquerading) + has only stateless packet filtering + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Introduction + +Who's behind netfilter/iptables + + The core team + Paul 'Rusty' Russel + co-author of iptables in Linux 2.2 + James Morris + Marc Boucher + Harald Welte + Jozsef Kadlecsik + Martin Josefsson + Patrick McHardy + Hundreds of Non-core team contributors + http://www.netfilter.org/scoreboard/ + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Netfilter Hooks + + What is netfilter? + + System of callback functions within network stack + Callback function to be called for every packet traversing certain point (hook) within network stack + Protocol independent framework + Hooks in layer 3 stacks (IPv4, IPv6, DECnet, ARP) + Multiple kernel modules can register with each of the hooks + +Traditional packet filtering, NAT, ... is implemented on top of this framework + +Can be used for other stuff interfacing with the core network stack, like DECnet routing daemon. 
+ +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Netfilter Hooks + +Netfilter architecture in IPv4 +%font "typewriter" +%size 4 + --->[1]--->[ROUTE]--->[3]--->[4]---> + | ^ + | | + | [ROUTE] + v | + [2] [5] + | ^ + | | + v | +%font "standard" +1=NF_IP_PRE_ROUTING +2=NF_IP_LOCAL_IN +3=NF_IP_FORWARD +4=NF_IP_POST_ROUTING +5=NF_IP_LOCAL_OUT + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Netfilter Hooks + +Netfilter Hooks + + Any kernel module may register a callback function at any of the hooks + + The module has to return one of the following constants + + NF_ACCEPT continue traversal as normal + NF_DROP drop the packet, do not continue + NF_STOLEN I've taken over the packet do not continue + NF_QUEUE enqueue packet to userspace + NF_REPEAT call this hook again + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +IP tables + + Packet selection using IP tables + + The kernel provides generic IP tables support + + Each kernel module may create it's own IP table + + The four major parts of the firewalling subsystem are implemented using IP tables + Packet filtering table 'filter' + NAT table 'nat' + Packet mangling table 'mangle' + The 'raw' table for conntrack exemptions + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +IP Tables + + Managing chains and tables + + An IP table consists out of multiple chains + A chain consists out of a list of rules + Every single rule in a chain consists out of + match[es] (rule executed if all matches true) + target (what to do if the rule is matched) + +%size 4 +matches and targets can either be builtin or implemented as kernel modules + +%size 5 + The userspace tool iptables is used to control IP tables + handles all different kinds of IP tables + supports a plugin/shlib interface for 
target/match specific options + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +IP Tables + +Basic iptables commands + + To build a complete iptables command, we must specify + which table to work with + which chain in this table to use + an operation (insert, add, delete, modify) + one or more matches (optional) + a target + +The syntax is +%font "typewriter" +%size 3 +iptables -t table -Operation chain -j target match(es) +%font "standard" +%size 5 + +Example: +%font "typewriter" +%size 3 +iptables -t filter -A INPUT -j ACCEPT -p tcp --dport smtp +%font "standard" +%size 5 + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +IP Tables + +Matches + Basic matches + -p protocol (tcp/udp/icmp/...) + -s source address (ip/mask) + -d destination address (ip/mask) + -i incoming interface + -o outgoing interface + + Match extensions (examples) + tcp/udp TCP/udp source/destination port + icmp ICMP code/type + ah/esp AH/ESP SPID match + mac source MAC address + mark nfmark + length match on length of packet + limit rate limiting (n packets per timeframe) + owner owner uid of the socket sending the packet + tos TOS field of IP header + ttl TTL field of IP header + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +IP Tables + +Targets + very dependent on the particular table. 
+ + Table specific targets will be discussed later + + Generic Targets, always available + ACCEPT accept packet within chain + DROP silently drop packet + QUEUE enqueue packet to userspace + LOG log packet via syslog + ULOG log packet via ulogd + RETURN return to previous (calling) chain + foobar jump to user defined chain + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Packet Filtering + +Overview + + Implemented as 'filter' table + Registers with three netfilter hooks + + NF_IP_LOCAL_IN (packets destined for the local host) + NF_IP_FORWARD (packets forwarded by local host) + NF_IP_LOCAL_OUT (packets from the local host) + +Each of the three hooks has attached one chain (INPUT, FORWARD, OUTPUT) + +Every packet passes exactly one of the three chains. Note that this is very different compared to the old 2.2.x ipchains behaviour. + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Packet Filtering + +Targets available within 'filter' table + + Builtin Targets to be used in filter table + ACCEPT accept the packet + DROP silently drop the packet + QUEUE enqueue packet to userspace + RETURN return to previous (calling) chain + foobar user defined chain + + Targets implemented as loadable modules + REJECT drop the packet but inform sender + MIRROR change source/destination IP and resend + LOG log via syslog + ULOG log via userspace + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Connection Tracking Subsystem + + Connection tracking... 
+ + implemented seperately from NAT + enables stateful filtering + implementation + hooks into NF_IP_PRE_ROUTING to track packets + hooks into NF_IP_POST_ROUTING and NF_IP_LOCAL_IN to see if packet passed filtering rules + protocol modules (currently TCP/UDP/ICMP) + application helpers currently (FTP,IRC,H.323,talk,SNMP) + divides packets in the following four categories + NEW - would establish new connection + ESTABLISHED - part of already established connection + RELATED - is related to established connection + INVALID - (multicast, errors...) + does _NOT_ filter packets itself + can be utilized by iptables using the 'state' match + is used by NAT Subsystem + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Network Address Translation + + Network Address Translation + + Previous Linux Kernels only implemented one special case of NAT: Masquerading + Linux 2.4.x / 2.6.x can do any kind of NAT. + NAT subsystem implemented on top of netfilter, iptables and conntrack + Following targets available within 'nat' Table + SNAT changes the packet's source whille passing NF_IP_POST_ROUTING + DNAT changes the packet's destination while passing NF_IP_PRE_ROUTING + MASQUERADE is a special case of SNAT + REDIRECT is a special case of DNAT + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Network Address Translation + + Source NAT + SNAT Example: +%font "typewriter" +%size 3 +iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.4 -s 10.0.0.0/8 +%font "standard" +%size 4 + + MASQUERADE Example: +%font "typewriter" +%size 3 +iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0 +%font "standard" +%size 5 + + Destination NAT + DNAT example +%font "typewriter" +%size 3 +iptables -t nat -A PREROUTING -j DNAT --to-destination 1.2.3.4:8080 -p tcp --dport 80 -i eth1 +%font "standard" +%size 4 + + REDIRECT example +%font "typewriter" +%size 3 +iptables -t nat -A 
PREROUTING -j REDIRECT --to-port 3128 -i eth1 -p tcp --dport 80 +%font "standard" +%size 5 + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Packet Mangling + + Purpose of mangle table + packet manipulation except address manipulation + + Integration with netfilter + 'mangle' table hooks in all five netfilter hooks + priority: after conntrack + + Targets specific to the 'mangle' table: + DSCP - manipulate DSCP field + IPV4OPTSSTRIP - strip IPv4 options + MARK - change the nfmark field of the skb + TCPMSS - set TCP MSS option + TOS - manipulate the TOS bits + TTL - set / increase / decrease TTL field + +Simple example: +%font "typewriter" +%size 3 +iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -p tcp --dport 80 + + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Packet Mangling + + Purpose of mangle table + packet manipulation except address manipulation + Targets specific to the 'mangle' table: + DSCP - manipulate DSCP field + IPV4OPTSSTRIP - strip IPv4 options + MARK - change the nfmark field of the skb + TOS - manipulate the TOS bits + TTL - set / increase / decrease TTL field + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +The raw Table + + Purpose of mangle table + to allow for filtering rules _before_ conntrack + Targets specific to the 'raw' table: + NOTRACK - Don't do connection tracking + + The table can also be useful for flood protection rules that happen before traversing the (computational) expensive connection tracking subsystem. 
+ +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Advanced Netfilter concepts + +%size 4 + Userspace logging + flexible replacement for old syslog-based logging + packets to userspace via multicast netlink sockets + easy-to-use library (libipulog) + plugin-extensible userspace logging daemon (ulogd) + Can even be used to directly log into MySQL + + Queuing + reliable asynchronous packet handling + packets to userspace via unicast netlink socket + easy-to-use library (libipq) + provides Perl bindings + experimental queue multiplex daemon (ipqmpd) + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Advanced Netfilter concepts + + Firewalling on a Bridge (ebtables + iptables) + totally transparent to layer 2 and above + no attack vector since firewall has no IP address + even possible to do NAT on the bridge + or even NAT of MAC addresses + + ipset - Faster matching + iptables are a linear list of rules + ipset represents a 'group' scheme + Implements different data types for different applications + hash table (for random addresses) + bitmask (for let's say a /24 network) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Advanced Netfilter concepts + + Matches + account, addrtype, ah, childleve, comment, condition, connbytes, connlimit, connmark, connrate, conntrack, dscp, dstlimit, ecn, esp, fuzzy, hashlimit, helper, icmp, iprange, ipv4options, length, limit, mac, mark, mport, multiport, nth, osf, owner, physdev, pkttype, pool, psd, quota, random, realm, recent, record_rpc, rpc, sctp, set, standard, state, string, tcp, tcpmss, time, tos, ttl, u32, udp, unclean + + Targets + BALANCE, CLASSIFY, CLUSTERIP, CONNMARK, DNAT, DSCP, ECN, FTOS, IPMARK, IPV4OPTSSTRIP, LOG, MARK, MASQUERADE, MIRROR, NETLINK, NETMAP, NOTRACK, POOL, REDIRECT, REJECT, ROUTE, SAME, SET, SNAT, TARPIT, TCPLAG, TCPMSS, 
TOS, TRACE, TTL, ULOG, XOR + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Advanced Netfilter concepts + + ipv6 packet filtering + ip6tables almost identical to iptables + no connection tracking in mainline yet, but patches exist + ip6_tables + initial copy+paste 'port' by USAGI + was not accepted because of code duplication + nf_conntrack + generalized connection tracking, supports ipv4 and ipv6 + mutually exclusive with ip_conntrack + as of now, no ipv4 nat on to of nf_conntrack + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Linux Policy Routing + + Policy Routing (iproute2) + Allows routing decisions on arbitrary information + Provides up to 255 different routing tables within one system + By combining via nfmark with iptables, any matches of the packet filter can be used for the routing decision + Very useful in complex setups with mutiple links (e.g. multiple DSL uplinks with dynamic addresses, asymmetric routing, ...) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Linux Traffic Shaping + + Traffic Control (tc) + Framework for lots of algorithms like RED,SFQ,TBF,CBQ,CSZ,GRED,HTB + Very granular control, especially for very low bandwidth links + Present since Linux 2.2.x but still not used widely + Lack of documentation, but situation is improving (www.lartc.org) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +netfilter/iptables tutorial +Thanks + + Thanks to + the BBS scene, Z-Netz, FIDO, ... + for heavily increasing my computer usage in 1992 + KNF (http://www.franken.de/) + for bringing me in touch with the internet as early as 1994 + for providing a playground for technical people + for telling me about the existance of Linux! + Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen + for implementing (one of?) 
the world's best TCP/IP stacks + Paul 'Rusty' Russell + for starting the netfilter/iptables project + for trusting me to maintain it today + Astaro AG + for sponsoring parts of my netfilter work +%size 3 + The slides and the an according paper of this presentation are available at http://www.gnumonks.org/ +%size 3 -- cgit v1.2.3
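Review bot: the abstract hunk has three spelling slips worth fixing before the import is frozen: "Prerequirements" should be "Prerequisites", "adminstration" in the prerequisites line should be "administration", and "questions & anwers" in the last table-of-contents item should be "questions & answers".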
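Review bot: the biography hunk has grammar slips in its first and fourth paragraphs: "is a independent software developer" should read "is an independent software developer"; "For a number of years, he is the chairman" should read "For a number of years, he has been the chairman"; and "non-for-profit organizations such as the CCC[3], FFII[4]" should read "not-for-profit organizations such as the CCC[3] and the FFII[4]". In the third paragraph, "bring ... in full compliance with the GPL" reads more naturally as "bring ... into full compliance with the GPL".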
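Review bot: the slide source has two content slips that will confuse readers: the "The raw Table" slide still carries the heading line "Purpose of mangle table" copied from the preceding slide (it should say "Purpose of raw table"), and the "Packet Mangling" slide appears twice, the second copy being a subset of the first (it lacks TCPMSS and the MARK example), so one of the two should be dropped. The third slide is titled "The GNU GPL Revisited" where every other slide is titled "netfilter/iptables tutorial", which looks like a leftover from another deck. Rusty's surname is spelled "Russel" on the core-team slide but "Russell" on the Thanks slide. The "ah/esp" match line says "AH/ESP SPID match"; the field these matches test is the SPI, so "SPI match" is the correct term. Spelling and grammar: "Packeet Mangling", "unheared of", "seperately", "whille passing", "on to of nf_conntrack" (should be "on top of"), "mutiple", "existance", "the slides and the an according paper"; "it's own IP table" should be "its own", and "consists out of" (three times) is better as "consists of".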