%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"
%center
%size 7
The netfilter/iptables project
%center
%size 4
by Harald Welte
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Contents

	Introduction: Firewalls, Proxies, Packet Filters
	Why a free software firewall?
	What can you do with netfilter/iptables?
	Who is behind the project?
	How to get involved?
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Introduction: Firewalls, Proxies, Packet Filters

	Firewalls are security gateways between networks
	Can be implemented in different ways, at different layers
	Packet filters at networking layer (3)
		inspect each packet and make a decision based on the packet contents
		traditionally don't know about connections
		advantage: fast, transparent
		disadvantage: filtering limited to l3 and l4 headers
	Proxies at application layer (5-7)
		terminate two connections (client->proxy and proxy->server)
		advantage: can base decision on application protocol
		disadvantage: not transparent, need application support
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Introduction: Firewalls, Proxies, Packet Filters

	However, the world is not that easy anymore since new techniques are blending those two concepts
	stateful packet filters
		keep state about existing connections/flows
		allow even state tracking beyond l4 state
		thus give packet filters some features of proxies
	transparent proxies
		can be implemented without application support
		how 'transparent' do you want to be? to the client? the server? the network?
		thus give proxies some of the transparency of packet filters
	In reality it is sometimes hard to tell.
	netfilter/iptables implements a packet filter (stateless/stateful) and some support for transparent proxying.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
History of linux packet filtering

%size 3
	1994: kernel 1.2.x (BSD4.4 ipfw)
		first packet filter in the linux kernel
%size 3
	1995: kernel 2.0.x (ipfwadm)
		enhanced version of the old ipfw
		first support for masquerading
%size 3
	1997: kernel 2.2.x (ipchains)
		enhanced version of ipfwadm
		support for multiple lists of rules (chains)
		support for transparent proxying
		masquerading helpers for ftp/irc/quake/...
%size 3
	2000: kernel 2.4.x (iptables)
		totally new implementation (based on netfilter API)
		allows for multiple tables (which each have multiple chains)
		first support for stateful packet filtering
		support for fully symmetric NAT (SNAT/DNAT/...)
%size 3
	2003: kernel 2.6.0-testX (iptables)
		breaking a tradition: no new packet filter (not yet...)
		support for non-linear skb's (zerocopy TCP path)
%size 3
	2003/4: kernel 2.7.x and later 2.6.x backport (pkttables)
		totally new implementation
		layer 3 independent packet filtering framework
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Why a free software firewall?

	Tradition
		The internet was built on free/open standards and software
	Code Quality
		Security relevant open source code gets more auditing because more people read it (and thus report/fix bugs)
	Trust
		Users can have more trust in FOSS, since they can check for hidden backdoors
	Public infrastructure
		Packet filters (like routers) are core infrastructure of the internet.
		Infrastructure should be open/free for the public, just like roads.
	Arguments against proprietary software in infrastructure
		What if the vendor of your product goes bankrupt?
		Users are dependent on 'upgrade pressure' and future license changes
		No possibility to adopt new standards if the vendor has no interest
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
What can you do using netfilter/iptables?

	stateless packet filtering
		provides matches for almost any criteria in the universe
	stateful packet filtering (using connection tracking)
		keeps a state table about all ongoing connections
		currently supports TCP/UDP/ICMP/GRE
		currently supports l5+ helpers for ftp,irc,pptp,h323,talk,mms,tftp,...
	network address translation
		stateful, based on connection tracking
		source NAT / Masquerading
		destination NAT / redirect
		1:1 nat of whole networks (NETMAP)
	packet mangling
		clamp TCP MSS to PMTU for broken PMTU discovery
		manipulate packet header (TTL, ECN, DSCP, ...)
		combine with policy routing / traffic shaping
	stateless IPv6 packet filtering (ip6tables)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
HA for netfilter/iptables
Who is behind netfilter/iptables?

	Project started by Paul 'Rusty' Russell
	Coreteam
		Rusty, Marc Boucher, James Morris, Harald Welte, Jozsef Kadlecsik, Martin Josefsson
		Elects a head of coreteam
	Countless contributions from hundreds of people all over the world
		In the past we had a scoreboard to keep track of the contributions
	We are always short of volunteers, even for listadmin/webmaster/...
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
How to get involved?

	Internet services:
		Homepage - http://www.netfilter.org/
		FTP server - ftp://ftp.netfilter.org/
		rsync server - rsync.netfilter.org
		CVS server - pserver.netfilter.org
		Bugzilla - http://bugzilla.netfilter.org/
		CVSweb - http://cvs.netfilter.org/
		Mailing lists - http://lists.netfilter.org/
	Anybody can contribute, code has to be GPL licensed
	Development discussion at netfilter-devel@lists.netfilter.org
	User questions at netfilter@lists.netfilter.org
	Security relevant issues at coreteam@netfilter.org
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Areas of current development

	pkttables (kernel part, pkttnetlink, libpkttnetlink, libpkttables)
	make ULOG and ip_queue l3 independent (and move to nfnetlink)
	optimizing connection tracking SMP performance
	conntrack: support for more protocols (SCTP,...)
	nf-hipac: highly optimized packet matching engine
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Thanks

%size 4
	The slides of this presentation are available at http://www.gnumonks.org/
	Visit the netfilter homepage http://www.netfilter.org/

	Thanks to
		the BBS people, Z-Netz, FIDO, ...
			for heavily increasing my computer usage in 1992
		KNF (http://www.franken.de/)
			for bringing me in touch with the internet as early as 1994
			for providing a playground for technical people
			for telling me about the existence of Linux!
		Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
			for implementing (one of?) the world's best TCP/IP stacks
		Paul 'Rusty' Russell
			for starting the netfilter/iptables project
			for trusting me to maintain it today
		Astaro AG
			for sponsoring most of my current netfilter work
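%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Appendix: worked ruleset

Added example, not part of Harald Welte's slides: a small ruleset in iptables-restore format that exercises what the "stateful packet filters / transparent proxies" and "What can you do using netfilter/iptables?" slides describe, namely stateful filtering with the state match, SNAT, DNAT, REDIRECT to a local transparent proxy and TCP MSS clamping. The interfaces eth0/eth1, the addresses 192.168.1.0/24, 203.0.113.10 and 192.168.1.80, and proxy port 3128 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the slides): a ruleset in iptables-restore format
# covering the features the slides list: stateful filtering, SNAT, DNAT,
# REDIRECT (transparent proxy) and MSS clamping. Every address, interface
# and port below is an assumption chosen for illustration.
EXT_IF="eth0"             # towards the internet
INT_IF="eth1"             # towards the LAN
LAN_NET="192.168.1.0/24"
PUBLIC_IP="203.0.113.10"  # documentation-range address
WEB_SERVER="192.168.1.80" # internal host published via DNAT
PROXY_PORT="3128"         # local transparent HTTP proxy

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# stateful part: packets of tracked connections pass; RELATED also covers
# ICMP errors and data channels opened by helpers such as ftp
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# REDIRECTed proxy traffic is delivered locally, so INPUT must allow it
-A INPUT -i $INT_IF -p tcp --dport $PROXY_PORT -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -m state --state NEW -j ACCEPT
# FORWARD sees the already DNATed destination address
-A FORWARD -i $EXT_IF -d $WEB_SERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# transparent proxying: LAN web traffic goes to the local proxy unnoticed
-A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
# destination NAT: port 80 on the public address maps to the internal server
-A PREROUTING -i $EXT_IF -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER
# source NAT: LAN hosts leave with the firewall's public address
-A POSTROUTING -o $EXT_IF -s $LAN_NET -j SNAT --to-source $PUBLIC_IP
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
# clamp the MSS of forwarded SYNs to the path MTU for broken PMTU discovery
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
EOF
}
```

Load it on a 2.4-era or later kernel with `gen_ruleset | iptables-restore`; the INPUT rule for the proxy port is the part most often forgotten, since REDIRECT turns forwarded traffic into locally delivered traffic that the DROP policy would otherwise silently eat.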