0 - Introduction/definition: Firewalls, Proxies, Packet Filters
  - present myself and my function within the netfilter coreteam
  - what is a firewall?
    - packet filters at the networking layer
      - inspect each packet and make a choice based on that packet alone
      - traditionally don't know about connections (== layer 4)
      - advantage: fast, transparent
      - disadvantage: filtering limited to L3+L4 (sometimes L2)
    - proxies at the application layer
      - terminate two connections (client->proxy and proxy->server)
      - advantage: can base policy decisions on the application protocol
      - disadvantage: not transparent at all (not even "transparent" proxies)
    - result: both of them have their application
  - history of Linux packet filtering
    - ipfwadm (2.0)
    - ipchains (2.2)
    - iptables (2.4+2.6)
    - pkttables (2.6+)
    - iptables was developed together with netfilter in the 2.3.x kernel series

1 - Why a free software firewall?
  - the internet was built on free/open standards and software
  - security-relevant open source code gets more auditing because more people read it (and thus report bugs)
  - users can put more trust in FOSS, since they can check for hidden backdoors
  - packet filters are used like routers. They are core infrastructure of the internet. Infrastructure should be open/free for the public, just like roads.
  - everybody should be able to learn and understand how packet filtering works
  - infrastructure should not depend on monopolistic companies
    - problem if the company goes bankrupt
    - dependent on 'upgrade pressure' and future license changes
    - no possibility to adapt it to new standards if the vendor doesn't want to support them

2 - What can you do with netfilter/iptables?
  - stateless packet filtering
    - matches: MAC, src/dst IP, src/dst port, ...
  - stateful packet filtering by using connection tracking
    - keeps a state table about all ongoing connections
    - supports L4 TCP, UDP, ICMP, GRE, PPTP
    - supports L5+ complex protocols like ftp, pptp, h323, talk, ...
  - IP accounting (every rule has a packet/byte counter)
  - Network Address Translation (NAT/NAPT)
    - stateful, based on connection tracking
    - Source NAT / Masquerading
    - Destination NAT / Redirect
    - 1:1 NAT of whole networks (NETMAP)
    - supports L5+ complex protocols like ftp, pptp, h323, talk, ...
  - Packet Mangling
    - clamp TCP MSS to PMTU
    - manipulate packet header fields (TTL, ECN, DSCP, ...)
    - combine with policy routing / traffic shaping systems
  - stateless IPv6 packet filtering using ip6tables

3 - Who is behind the project? How to get involved?
  - started by Paul 'Rusty' Russell from Australia (co-author of ipchains)
  - Marc Boucher (Canada) and James Morris (Australia) dropped in
  - Harald Welte (Germany), Jozsef Kadlecsik (Hungary), Martin Josefsson (Sweden) joined the coreteam
  - countless contributions from hundreds of people all over the world
    - used to keep a scoreboard, but it was eating too much time
  - project internet presence:
    - HTTP (www.netfilter.org)
    - FTP (ftp.netfilter.org)
    - RSYNC (rsync.netfilter.org)
    - CVS (pserver.netfilter.org)
    - 5 mailing lists (lists.netfilter.org)
    - Bugzilla (bugzilla.netfilter.org)
    - CVSweb (http://cvs.netfilter.org)
  - anybody can contribute, as long as the contribution is GPL licensed
    - development happens on netfilter-devel@lists.netfilter.org
    - user questions belong on netfilter@lists.netfilter.org
    - security-relevant findings go to coreteam@netfilter.org

Iptables is used by a lot of commercial [and also proprietary] products. Companies like Astaro and Smoothwall are offering iptables-based firewall appliances. Other companies (like Linksys, Belkin, ...) are embedding iptables into their wavelan access points - and users don't even know that they are using iptables.
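To make the stateless/stateful distinction and the NAT and mangling features listed above concrete, here is an added example that is not part of the original slides or of the netfilter project's own code: two shell functions that emit rulesets in iptables-restore format for a small gateway. The interface names (eth0/eth1), the inside network and the internal web server address are assumed placeholders; the stateless variant shows the hole a packet filter without connection tracking has to leave open, the stateful variant closes it with conntrack and adds masquerading, a DNAT port forward and MSS clamping.

```shell
#!/bin/sh
# Added example: iptables rulesets in iptables-restore format for a small
# gateway with one LAN and one WAN interface. Interface names and addresses
# are assumed placeholders; adjust before loading.
LAN="eth0"               # assumed: inside interface
WAN="eth1"               # assumed: outside interface
LAN_NET="192.168.1.0/24" # assumed: inside network (RFC 1918)
WEB="192.168.1.10"       # assumed: internal web server reached via DNAT

# Stateless variant (ipfwadm/ipchains style): without a state table the only way
# to let replies to outbound web browsing back in is to accept every inbound TCP
# packet whose source port is 80 - whether or not an inside host ever asked for it.
stateless_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN -o $LAN -p tcp --sport 80 -j ACCEPT
COMMIT
EOF
}

# Stateful variant: connection tracking decides whether an inbound packet belongs
# to (or is related to) a connection that an inside host opened. Packets that fit
# no tracked connection are dropped, so the "any source port 80" hole disappears.
# The [0:0] fields are the per-chain packet:byte counters iptables-restore loads;
# every rule keeps its own counters as well (see: iptables -L -v -n).
stateful_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN -o $LAN -d $WEB -p tcp --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB:80
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -o $WAN -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
EOF
}

# Stand-alone run: print the stateful ruleset. To load it on a gateway:
#   sh this_script.sh | iptables-restore
# For FTP through the NAT, the conntrack/NAT FTP helper (nf_conntrack_ftp)
# must be loaded as well.
stateful_ruleset
```

The NAT rules need connection tracking because replies must be rewritten in the reverse direction; the `--ctstate DNAT` match in the FORWARD chain only admits outside traffic that the PREROUTING rule actually redirected, so the forwarding policy stays closed for everything else. The MSS clamp is applied to outbound SYNs only, which is where the advertised segment size is negotiated.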