%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"
%center
%size 7
The netfilter/iptables project
%center
%size 4
by
Harald Welte <laforge@netfilter.org>
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Contents
Introduction: Firewalls, Proxies, Packet Filters
Why a free software firewall?
What can you do with netfilter/iptables?
Who is behind the project? How to get involved?
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Introduction: Firewalls, Proxies, Packet Filters
Firewalls are security gateways between networks
Can be implemented in different ways, at different layers
Packet filters at networking layer (3)
inspect each packet and make decision based on the packet contents
traditionally don't know about connections
advantage: fast, transparent
disadvantage: filtering limited to l3 and l4 headers
Proxies at application layer (5-7)
terminate two connections (client->proxy and proxy->server)
advantage: can base decision on application protocol
disadvantage: not transparent, need application support
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Introduction: Firewalls, Proxies, Packet Filters
However, the world is not that easy anymore since new techniques are blending those two concepts
stateful packet filters
keep state about existing connections/flows
allow even state tracking beyond l4 state
thus give packet filters some features of proxies
transparent proxies
can be implemented without application support
how 'transparent' do you want to be? to the client? the server? the network?
thus give proxies some of the transparency of packet filters
In reality it is sometimes hard to tell. netfilter/iptables implements a packet filter (stateless/stateful) and some support for transparent proxying.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
History of Linux packet filtering
%size 3
1994: kernel 1.2.x (BSD4.4 ipfw)
first packet filter in the linux kernel
%size 3
1995: kernel 2.0.x (ipfwadm)
enhanced version of the old ipfw
first support for masquerading
%size 3
1997: kernel 2.2.x (ipchains)
enhanced version of ipfwadm
support for multiple lists of rules (chains)
support for transparent proxying
masquerading helpers for ftp/irc/quake/...
%size 3
2000: kernel 2.4.x (iptables)
totally new implementation (based on netfilter API)
allows for multiple tables (which each have multiple chains)
first support for stateful packet filtering
support for fully symmetric NAT (SNAT/DNAT/...)
%size 3
2003: kernel 2.6.0-testX (iptables)
breaking a tradition: no new packet filter (not yet...)
support for non-linear skb's (zerocopy TCP path)
%size 3
2003/4: kernel 2.7.x and later 2.6.x backport (pkttables)
totally new implementation
layer 3 independent packet filtering framework
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Why a free software firewall?
Tradition
The internet was built on free/open standards and software
Code Quality
Security relevant open source code gets more auditing because more people read it (and thus report/fix bugs)
Trust
Users can have more trust in FOSS, since they can check for hidden backdoors
Public infrastructure
Packet Filters (like routers) are core infrastructure of the internet.
Infrastructure should be open/free for the public, just like roads.
Arguments against proprietary software in infrastructure
What if the vendor of your product goes bankrupt?
Users are dependent on 'upgrade pressure' and future license changes
No possibility to adopt new standards if Vendor has no interest
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
What can you do using netfilter/iptables?
stateless packet filtering
provides matches for almost any criteria in the universe
stateful packet filtering (using connection tracking)
keeps state table about all ongoing connections
currently supports TCP/UDP/ICMP/GRE
currently supports l5+ helpers for ftp,irc,pptp,h323,talk,mms,tftp,...
network address translation
stateful, based on connection tracking
source NAT / Masquerading
destination NAT / redirect
1:1 nat of whole networks (NETMAP)
packet mangling
clamp TCP MSS to PMTU for broken PMTU discovery
manipulate packet header (TTL, ECN, DSCP, ...)
combine with policy routing / traffic shaping
stateless IPv6 packet filtering (ip6tables)
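Added example (not from these slides): a shell script that emits an iptables-restore ruleset exercising the features listed above, stateful filtering via connection tracking, source NAT (MASQUERADE), destination NAT, 1:1 NETMAP and TCPMSS clamping, with a stateless "before" rule kept alongside for contrast. Interface names, the LAN prefix, the web server address and the NETMAP ranges are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the slides. Constructed assumptions: eth0 is the
# uplink, eth1 the LAN 192.168.1.0/24, a web server sits at 192.168.1.10, and
# an internal site 10.0.0.0/24 is reachable from outside as 172.16.0.0/24.
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24
WEB=192.168.1.10

# Stateless rule for contrast: accepts any packet that merely claims source
# port 80, whether or not a connection exists. Not part of the ruleset.
stateless_rule() {
    echo "-A INPUT -i $WAN -p tcp --sport 80 -j ACCEPT"
}

# Stateful ruleset in iptables-restore format.
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# only packets belonging to connections conntrack already knows about
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -m state --state NEW -j ACCEPT
# DNATed traffic reaches FORWARD with the translated destination
-A FORWARD -i $WAN -o $LAN -d $WEB -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB
-A PREROUTING -i $WAN -d 172.16.0.0/24 -j NETMAP --to 10.0.0.0/24
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
# clamp MSS on outgoing SYNs for hosts behind broken PMTU discovery
-A FORWARD -o $WAN -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
EOF
}

# "apply" loads the rules (needs root); any other invocation just prints them.
if [ "${1:-}" = "apply" ]; then gen_ruleset | iptables-restore; else gen_ruleset; fi
```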
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
HA for netfilter/iptables
Who is behind netfilter/iptables?
Project started by Paul 'Rusty' Russell
Coreteam
Rusty, Marc Boucher, James Morris, Harald Welte, Jozsef Kadlecsik, Martin Josefsson
Elects a head of coreteam
Countless contributions from hundreds of people all over the world
In the past we had a scoreboard to keep track of the contributions
We are always short of volunteers, even for listadmin/webmaster/...
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
How to get involved?
Internet services:
Homepage - http://www.netfilter.org/
FTP Server - ftp://ftp.netfilter.org/
rsync server - rsync.netfilter.org
CVS server - pserver.netfilter.org
Bugzilla - http://bugzilla.netfilter.org/
CVSweb - http://cvs.netfilter.org/
Mailinglist - http://lists.netfilter.org/
Anybody can contribute, code has to be GPL licensed
Development discussion at netfilter-devel@lists.netfilter.org
User questions at netfilter@lists.netfilter.org
Security relevant issues at coreteam@netfilter.org
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Areas of current development
pkttables (kernel part, pkttnetlink, libpkttnetlink, libpkttables)
make ULOG and ip_queue l3 independent (and move to nfnetlink)
optimizing connection tracking SMP performance
conntrack: support for more protocols (SCTP,...)
nf-hipac: highly optimized packet matching engine
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The netfilter/iptables project
Thanks
%size 4
The slides of this presentation are available at http://www.gnumonks.org/
Visit the netfilter homepage http://www.netfilter.org/
Thanks to
the BBS people, Z-Netz, FIDO, ...
for heavily increasing my computer usage in 1992
KNF (http://www.franken.de/)
for bringing me in touch with the internet as early as 1994
for providing a playground for technical people
for telling me about the existence of Linux!
Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
for implementing (one of?) the world's best TCP/IP stacks
Paul 'Rusty' Russell
for starting the netfilter/iptables project
for trusting me to maintain it today
Astaro AG
for sponsoring most of my current netfilter work