0 - introduction/definition: Firewalls, Proxies, Packet Filters
  - present myself and my function within the netfilter coreteam
  - what is a firewall
    - packet filters at networking layer
      - inspect each packet and make a choice based on the packet
      - traditionally don't know about connections (== layer 4)
      - advantage: fast, transparent
      - disadvantage: filtering limited to l3+l4 (sometimes l2)
    - proxies at application layer
      - terminate two connections (client->proxy and proxy->server)
      - advantage: can base policy decision on application protocol
      - disadvantage: not transparent at all (not even transparent proxies)
    - result: both of them have their application.
  - history of linux packet filtering
    - ipfwadm (2.0)
    - ipchains (2.2)
    - iptables (2.4+2.6)
    - pkttables (2.6+)
    - iptables was developed together with netfilter in the 2.3.x kernel series
1 - Why a free software firewall?
  - the internet was built on free/open standards and software
  - security relevant open source code gets more auditing because more people read it (and thus report bugs)
  - users can put more trust in FOSS, since they can check for hidden backdoors
  - packet filters are used like routers. They are core infrastructure of the internet. Infrastructure should be open/free for the public, just like roads.
  - Everybody should be able to learn and understand how packet filtering works
  - Infrastructure should not depend on monopolistic companies.
    - problem if company goes bankrupt
    - dependent on 'upgrade pressure' and future license changes
    - no possibility to adapt it to new standards if vendor doesn't want to support it
2 - What can you do with netfilter/iptables
  - stateless packet filtering
    - matches: mac, src/dst ip, src/dst port, ...
  - stateful packet filtering by using connection tracking
    - keeps state table about all ongoing connections
    - supports l4 TCP, UDP, ICMP, GRE, PPTP
    - supports l5+ complex protocols like ftp, pptp, h323, talk, ...
  - IP accounting (every rule has a packet/byte counter)
  - Network Address Translation (NAT/NAPT)
    - Stateful, based on Connection tracking
    - Source NAT / Masquerading
    - Destination NAT / Redirect
    - 1:1 NAT of whole networks (NETMAP)
    - supports l5+ complex protocols like ftp, pptp, h323, talk, ...
  - Packet Mangling
    - Clamp TCP MSS to PMTU
    - Manipulate packet header (TTL, ECN, DSCP, ...)
    - Combine with policy routing / traffic shaping systems
  - stateless IPv6 packet filtering using ip6tables
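The features listed in this section, put together in one ruleset. This is an added example for the talk, not a script from the netfilter project: a POSIX shell function emits an iptables-restore file that combines stateful filtering via connection tracking (the ESTABLISHED,RELATED state match), source NAT (MASQUERADE), destination NAT (port-forwarding to an inside host) and TCP MSS clamping in the mangle table. Interface names, the LAN prefix and the inside web server address are constructed placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not netfilter project code): generate an iptables-restore
# ruleset that uses conntrack-based stateful filtering, SNAT/DNAT and
# MSS clamping. All names and addresses below are constructed placeholders;
# override them via the environment to match a real router.
WAN_IF="${WAN_IF:-eth0}"              # interface towards the internet
LAN_IF="${LAN_IF:-eth1}"              # interface towards the internal network
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # internal prefix that gets masqueraded
DMZ_WEB="${DMZ_WEB:-192.168.1.10}"    # inside host reachable on tcp/80 from outside

# Print the complete ruleset (filter, nat and mangle tables) on stdout in
# the format iptables-restore reads. Lines starting with '#' are comments.
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# stateful part: anything conntrack already knows is accepted in one rule,
# so only the first packet (NEW) of a connection needs an explicit policy
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $LAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
# the DNAT in PREROUTING rewrites the destination before FORWARD sees the
# packet, so the filter rule matches the inside address, not the public one
-A FORWARD -i $WAN_IF -o $LAN_IF -d $DMZ_WEB -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# destination NAT: port-forward tcp/80 arriving on the WAN side to the inside host
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB:80
# source NAT / masquerading: hide the LAN prefix behind the WAN address
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# packet mangling: clamp the MSS of outgoing SYNs to the path MTU
-A FORWARD -o $WAN_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
EOF
}

# Stand-alone use: print the ruleset so it can be reviewed or saved.
gen_ruleset
```

Save the output and load it with `iptables-restore` as root; because the NAT and mangle rules reference the same conntrack entries as the filter rules, a reply packet to a masqueraded connection is matched by the single ESTABLISHED,RELATED rule in FORWARD without any per-service rule, which is the practical difference between this ruleset and a stateless ipchains-style one.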
3 - Who is behind the project? How to get involved?
  - started by Paul 'Rusty' Russell from Australia (co-author of ipchains)
  - Marc Boucher (Canada) and James Morris (Australia) dropped in
  - Harald Welte (Germany), Jozsef Kadlecsik (Hungary), Martin Josefsson (Sweden) joined coreteam
  - Countless contributions from hundreds of people all over the world
    - used to keep a scoreboard, but it was eating too much time
  - Project internet presence:
    - HTTP (www.netfilter.org)
    - FTP (ftp.netfilter.org)
    - RSYNC (rsync.netfilter.org)
    - CVS (pserver.netfilter.org)
    - 5 mailing lists (lists.netfilter.org)
    - Bugzilla (bugzilla.netfilter.org)
    - CVSweb (http://cvs.netfilter.org)
  - Anybody can contribute, as long as the contribution is GPL licensed
    - development happens on netfilter-devel@lists.netfilter.org
    - user questions belong on netfilter@lists.netfilter.org
    - security relevant findings go to coreteam@netfilter.org

Iptables is used by a lot of commercial [and also proprietary] products. Companies like Astaro and Smoothwall are offering iptables-based firewall appliances. Other companies (like Linksys, Belkin, ...) are embedding iptables into their wavelan access points, and users don't even know that they are using iptables.