%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"
%center
%size 7
Firewalls, IPsec and Linux
%center
%size 4
by
Harald Welte <laforge@netfilter.org>
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Contents
Introduction
Highly Scalable Linux Network Stack
Netfilter Hooks
Packet selection based on IP Tables
The Connection Tracking Subsystem
The NAT Subsystem
IPsec with Free S/WAN
IPsec with Kernel 2.6.x
Cipe, vtun, openvpn and others
Traffic Shaping, QoS, Policy Routing
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Introduction
Who is speaking to you?
an independent Free Software developer
who earns his living off Free Software since 1997
who is one of the authors of the Linux kernel firewall system called netfilter/iptables
who can claim to be the first to have enforced the GNU GPL in court
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Introduction
What this is:
A broad overview about the advanced Linux networking features
Intended for a network-savvy audience that has little Linux background
What this presentation is not:
A tutorial on how to use iptables, tc, iproute2, brctl
An introduction to the cool code we write every day ;)
It will try to show you what you can do with Linux networking, not how.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Introduction
Linux and Networking
Linux is a true child of the Internet
Early adopters: ISPs, universities
Lots of work went into a highly scalable network stack
Not only for client/server, but also for routers
Features unheard of in other OSes
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Introduction
Did you know that a stock 2.6.x Linux kernel can provide
a stateful packet filter?
fully symmetric NA(P)T?
policy routing?
QoS / traffic shaping?
IPv6 firewalling?
packet filtering, NA(P)T on a bridge?
layer 2 (MAC) address translation?
packet forwarding rates of up to 2.1 Mpps?
If not, chances are high that this presentation will tell you something new.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Netfilter Hooks
What is netfilter?
System of callback functions within network stack
Callback function to be called for every packet traversing certain point (hook) within network stack
Protocol independent framework
Hooks in layer 3 stacks (IPv4, IPv6, DECnet, ARP)
Multiple kernel modules can register with each of the hooks
Traditional packet filtering, NAT, ... is implemented on top of this framework
Can be used for other things interfacing with the core network stack, like the DECnet routing daemon.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
IP tables
Packet selection using IP tables
The kernel provides generic IP tables support
Each kernel module may create its own IP table
The three major parts of the 2.4 firewalling subsystem are implemented using IP tables
Packet filtering table 'filter'
NAT table 'nat'
Packet mangling table 'mangle'
Could potentially be used for other stuff, e.g. IPsec SPDB
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
IP Tables
Managing chains and tables
An IP table consists of multiple chains
A chain consists of a list of rules
Every single rule in a chain consists of
match[es] (rule executed if all matches true)
target (what to do if the rule is matched)
%size 4
matches and targets can either be builtin or implemented as kernel modules
%size 5
The userspace tool iptables is used to control IP tables
handles all different kinds of IP tables
supports a plugin/shlib interface for target/match specific options
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Connection Tracking Subsystem
Connection tracking...
implemented separately from NAT
enables stateful filtering
protocol modules (currently TCP/UDP/ICMP/GRE/SCTP)
application helpers (currently FTP,IRC,H.323,talk,SNMP,RTSP)
does _NOT_ filter packets itself
can be utilized by iptables using the 'state' match
is used by NAT Subsystem
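The two slides above (table/chain/rule structure, and conntrack queried through the 'state' match) fit together in one small ruleset. The following POSIX shell generator is an added example, not code from the slides or from the netfilter project: it emits a 'filter' table in iptables-restore syntax with three builtin chains carrying a policy, one user-defined chain, and rules built from matches (the 'state' match, a kernel module, asks conntrack which state a packet belongs to) and targets. Interface names, the LAN prefix and the allowed ports are assumptions; nothing is applied until the output is piped into iptables-restore.

```shell
#!/bin/sh
# Added example: generate a stateful 'filter' table in iptables-restore syntax.
# WAN/LAN interface names, the LAN prefix and the allowed ports are assumptions.
set -eu

# gen_filter_rules WAN_IF LAN_IF LAN_PREFIX
# Emits a ruleset on stdout; does not touch the running kernel.
gen_filter_rules() {
    [ $# -eq 3 ] || { echo "usage: gen_filter_rules WAN_IF LAN_IF LAN_PREFIX" >&2; return 1; }
    wan=$1; lan=$2; lan_net=$3
    cat <<EOF
*filter
# builtin chains carry a policy; packets reaching the end of the chain hit it
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# user-defined chain: only reached through a -j jump from another chain
:lan-services - [0:0]
# conntrack classifies every packet; the 'state' match (a module) only asks it
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# new connections from the LAN are handed to the user-defined chain
-A INPUT -i $lan -m state --state NEW -j lan-services
# rate-limited ping: both matches (icmp type, limit) must be true for ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 1/s -j LOG --log-prefix "input-drop: "
# forwarding: replies always, new connections only from the LAN towards the WAN
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -m state --state NEW -j ACCEPT
-A FORWARD -m limit --limit 1/s -j LOG --log-prefix "fwd-drop: "
-A lan-services -p tcp --dport 22 -j ACCEPT
-A lan-services -p udp --dport 53 -j ACCEPT
# RETURN goes back to INPUT, whose DROP policy then applies
-A lan-services -j RETURN
COMMIT
EOF
}

# count_rules WAN_IF LAN_IF LAN_PREFIX: number of -A rule lines in the output
count_rules() {
    gen_filter_rules "$@" | grep -c '^-A'
}

# stand-alone run: print the ruleset for the default (assumed) names
gen_filter_rules "${WAN_IF:-eth0}" "${LAN_IF:-eth1}" "${LAN_NET:-192.168.1.0/24}"
```

Apply with `sh gen-filter.sh | iptables-restore` on the gateway. The RELATED state is what makes the application helpers from the slide (FTP, IRC, H.323, ...) useful: a data connection the helper has announced is accepted by the ESTABLISHED,RELATED rule without any port-specific rule of its own.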
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Network Address Translation
Network Address Translation
Previous Linux kernels only implemented one special case of NAT: Masquerading
Linux 2.4.x / 2.6.x can do any kind of NAT.
NAT subsystem implemented on top of netfilter, iptables and conntrack
Following targets available within 'nat' Table
SNAT changes the packet's source while passing NF_IP_POST_ROUTING
DNAT changes the packet's destination while passing NF_IP_PRE_ROUTING
MASQUERADE is a special case of SNAT
REDIRECT is a special case of DNAT
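The four targets above, placed at the hooks the slide names, in one 'nat' table. This POSIX shell generator is an added example, not code from the slides or from the netfilter project; it emits iptables-restore syntax and chooses SNAT when a static WAN address is given and MASQUERADE otherwise. Interface names, addresses and ports are assumptions.

```shell
#!/bin/sh
# Added example: generate the 'nat' table in iptables-restore syntax.
# Interface names, addresses and ports are assumptions.
set -eu

# gen_nat_rules WAN_IF LAN_IF LAN_PREFIX [WAN_IP]
# With a static WAN_IP the source rewrite uses SNAT; without it MASQUERADE,
# the SNAT special case that looks the address up on the outgoing interface.
gen_nat_rules() {
    [ $# -ge 3 ] || { echo "usage: gen_nat_rules WAN_IF LAN_IF LAN_PREFIX [WAN_IP]" >&2; return 1; }
    wan=$1; lan=$2; lan_net=$3; wan_ip=${4:-}
    if [ -n "$wan_ip" ]; then
        snat="-j SNAT --to-source $wan_ip"
    else
        snat="-j MASQUERADE"
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# source rewrite runs at NF_IP_POST_ROUTING, after the routing decision,
# so the outgoing interface is known and can be matched with -o
-A POSTROUTING -s $lan_net -o $wan $snat
# destination rewrite runs at NF_IP_PRE_ROUTING, before routing: the new
# destination (a LAN host here) is what the routing decision then uses
-A PREROUTING -i $wan -p tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443
# REDIRECT is DNAT to the gateway's own address (e.g. a transparent proxy)
-A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
EOF
}

# nat_target WAN_IF LAN_IF LAN_PREFIX [WAN_IP]: the source-rewrite target chosen
nat_target() {
    gen_nat_rules "$@" | sed -n 's/^-A POSTROUTING .*-j \([A-Z]*\).*/\1/p'
}

# stand-alone run: print the table for the default (assumed) names
gen_nat_rules "${WAN_IF:-ppp0}" "${LAN_IF:-eth1}" "${LAN_NET:-192.168.1.0/24}" "${WAN_IP:-}"
```

Two consequences of the hook placement are worth keeping in mind: the nat table is consulted only for the first packet of a connection, conntrack then applies the same mapping to every later packet in both directions; and because DNAT happens before the filter table's FORWARD chain, the FORWARD rules see the already-rewritten destination, so a port forward also needs a filter rule accepting NEW connections to 192.168.1.10 port 443.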
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Packet Mangling
Purpose of mangle table
packet manipulation except address manipulation
Targets specific to the 'mangle' table:
DSCP - manipulate DSCP field
IPV4OPTSSTRIP - strip IPv4 options
MARK - change the nfmark field of the skb
TCPMSS - set TCP MSS option
TOS - manipulate the TOS bits
TTL - set / increase / decrease TTL field
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Linux Bridging
Bridging (brctl)
Includes support for Spanning Tree
Fully supports packet filtering and NAT (!) on a bridge
Can also filter and translate layer 2 MAC addresses
Can implement a 'brouter' (bridge certain traffic, route other)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Linux Policy Routing
Policy Routing (iproute2)
Allows routing decisions on arbitrary information
Provides up to 255 different routing tables within one system
By combining via nfmark with iptables, any matches of the packet filter can be used for the routing decision
Very useful in complex setups with multiple links (e.g. multiple DSL uplinks with dynamic addresses, asymmetric routing, ...)
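The MARK target from the mangle slide and the fwmark rules from this slide are the two halves of "any match of the packet filter can be used for the routing decision". The following POSIX shell script is an added example, not code from the slides or from the netfilter or iproute2 projects: it prints the mangle rules that set an nfmark and the ip commands that send marked packets out through a second uplink. Interface names, addresses, the table id and the mark value are assumptions; the commands are printed, not executed.

```shell
#!/bin/sh
# Added example: mark traffic in the 'mangle' table and route it by fwmark
# through a second uplink.  Interfaces, addresses, table id and mark value
# are assumptions; the ip commands are printed, not executed.
set -eu

# Linux offers routing table ids 1..255; 253/254/255 are the built-in
# default/main/local tables, so a custom table should use 1..252.
valid_table_id() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 252 ]; then return 0; fi
    return 1
}

# gen_mark_rules LAN_IF MARK SRC_HOST
# Mangle rules that set nfmark MARK on packets from SRC_HOST and on all
# outgoing SMTP.  Done in PREROUTING so the mark is already present when
# the routing decision is taken right after that hook.
gen_mark_rules() {
    lan=$1; mark=$2; host=$3
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i $lan -s $host -j MARK --set-mark $mark
-A PREROUTING -i $lan -p tcp --dport 25 -j MARK --set-mark $mark
COMMIT
EOF
}

# gen_policy_routing TABLE MARK WAN2_IF WAN2_GW WAN2_IP: the iproute2 side
gen_policy_routing() {
    table=$1; mark=$2; wan2=$3; gw=$4; wan2_ip=$5
    valid_table_id "$table" || { echo "table id $table out of range 1..252" >&2; return 1; }
    cat <<EOF
# second table with its own default route via the second uplink
ip route add default via $gw dev $wan2 table $table
# marked packets consult that table (lower priority number = checked first)
ip rule add fwmark $mark lookup $table priority 1000
# packets sourced from the second uplink's own address (e.g. replies to
# connections that arrived there) must also leave through that uplink
ip rule add from $wan2_ip lookup $table priority 1001
ip route flush cache
EOF
}

# stand-alone run: print both halves for the default (assumed) values
gen_mark_rules "${LAN_IF:-eth1}" 2 "${SRC_HOST:-192.168.1.50}"
gen_policy_routing 2 2 "${WAN2_IF:-ppp1}" "${WAN2_GW:-198.51.100.1}" "${WAN2_IP:-198.51.100.2}"
```

The mangle output goes through iptables-restore, the rest through `sh`. The reason the MARK rule sits in PREROUTING rather than FORWARD is ordering: the routing decision is made between NF_IP_PRE_ROUTING and NF_IP_FORWARD, so a mark set in FORWARD comes too late to influence which table is used.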
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Linux Traffic Shaping
Traffic Control (tc)
Framework for lots of algorithms like RED,SFQ,TBF,CBQ,CSZ,GRED,HTB
Very granular control, especially for very low bandwidth links
Present since Linux 2.2.x but still not used widely
Lack of documentation, but situation is improving (www.lartc.org)
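A concrete instance of the "very granular control on low-bandwidth links" point: an HTB hierarchy with SFQ leaves and an fw classifier, which ties the nfmark set by the MARK target to a traffic class. This POSIX shell script is an added example, not code from the slides or from the iproute2 project. The device name, the rate and the mark value are assumptions; the tc commands are printed, not executed.

```shell
#!/bin/sh
# Added example: build an HTB hierarchy with SFQ leaves for a slow uplink.
# Device name, rates and the fwmark value are assumptions; the tc commands
# are printed, not executed.
set -eu

# share RATE PERCENT: PERCENT of RATE (kbit), integer arithmetic
share() {
    echo $(( $1 * $2 / 100 ))
}

# gen_htb_shaping DEV RATE_KBIT MARK
# RATE_KBIT should be a little below the physical uplink rate so that the
# queue builds up inside the Linux box, where HTB controls it, rather than
# in the modem.  Packets carrying nfmark MARK go to the interactive class.
gen_htb_shaping() {
    [ $# -eq 3 ] || { echo "usage: gen_htb_shaping DEV RATE_KBIT MARK" >&2; return 1; }
    dev=$1; rate=$2; mark=$3
    hi=$(share "$rate" 30)
    lo=$(share "$rate" 70)
    cat <<EOF
# start from a clean root qdisc; unclassified traffic lands in class 1:20
tc qdisc del dev $dev root 2>/dev/null || true
tc qdisc add dev $dev root handle 1: htb default 20
# one parent class holding the whole link rate; children may borrow up to ceil
tc class add dev $dev parent 1: classid 1:1 htb rate ${rate}kbit ceil ${rate}kbit
tc class add dev $dev parent 1:1 classid 1:10 htb rate ${hi}kbit ceil ${rate}kbit prio 1
tc class add dev $dev parent 1:1 classid 1:20 htb rate ${lo}kbit ceil ${rate}kbit prio 2
# SFQ inside each leaf keeps one flow from starving the others in its class
tc qdisc add dev $dev parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $dev parent 1:20 handle 20: sfq perturb 10
# classify by nfmark (set with the iptables MARK target) into the interactive class
tc filter add dev $dev parent 1: protocol ip prio 1 handle $mark fw flowid 1:10
EOF
}

# stand-alone run: print the commands for the default (assumed) values
gen_htb_shaping "${DEV:-ppp0}" "${RATE_KBIT:-512}" "${MARK:-1}"
```

Shaping in this form acts on transmitted packets only; the guaranteed rates (30 % and 70 % of the link) add up to less than the parent's rate, and each class may borrow up to the full ceil when the other is idle.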
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Free S/WAN
Free S/WAN
Was a politically motivated effort to provide IPsec for Linux 2.0+
Goal was to encrypt as much Internet Traffic as possible
Software architecture didn't fit very well with Linux 2.4/2.6 network stack
Project has been shut down, however Open S/WAN continues support
Is in widespread production use and has received a lot of testing
Political motivation prevented any U.S. citizen from contributing code
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Linux 2.6.x IPsec
Linux 2.6.x IPsec
Linux networking gods disapproved of Free S/WAN's political restrictions and software design
Thus, they decided to write their own IPsec stack
Result is in the stock 2.6.x kernel series
Offers complete support for transport and tunnel mode
Can be used with FreeSWAN (pluto) or KAME (isakmpd) userspace
Remaining problems
No integration with hardware crypto accelerators yet
No implementation of NAT traversal yet
Interaction with iptable_nat still has to be sorted out
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
cipe, vtun, openvpn and others
Other VPN protocols/programs
Evolved as Linux-specific VPN implementations since the Linux kernel lacked stock IPsec support for a long time
Are totally incompatible with IPsec and only compatible with themselves
Are of questionable security (at least in case of cipe, vtun)
Are mostly userspace implementations
Are way easier to configure
Can provide layer 2 tunnels to route (or bridge!) all kinds of protocols
openvpn with X.509 certificates is a very clean and easy solution for building strong VPN tunnels between two Linux gateways
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Thanks
Thanks to
the BBS scene, Z-Netz, FIDO, ...
for heavily increasing my computer usage in 1992
KNF (http://www.franken.de/)
for bringing me in touch with the internet as early as 1994
for providing a playground for technical people
for telling me about the existence of Linux!
Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
for implementing (one of?) the world's best TCP/IP stacks
Paul 'Rusty' Russell
for starting the netfilter/iptables project
for trusting me to maintain it today
Astaro AG
for sponsoring parts of my netfilter work
%size 3
The slides and an accompanying paper for this presentation are available at http://www.gnumonks.org/
%size 3