path: root/2005/firewall_vpn-linuxpark_cebit2005/firewall-vpn-linuxpark_cebit2005.mgp
blob: fa6c7004f51dfa58b851d2af3ce80372cccea97a (plain)
%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"

%center
%size 7


Firewalls, IPsec and Linux


%center
%size 4
by

Harald Welte <laforge@netfilter.org>


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Contents


	Introduction
	Highly Scalable Linux Network Stack
	Netfilter Hooks
	Packet selection based on IP Tables
	The Connection Tracking Subsystem
	The NAT Subsystem
	IPsec with Free S/WAN 
	IPsec with Kernel 2.6.x
	Cipe, vtun, openvpn and others
	Traffic Shaping, QoS, Policy Routing

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Firewalls, IPsec and Linux
Introduction


Who is speaking to you?
		an independent Free Software developer
		who has earned his living from Free Software since 1997
		who is one of the authors of the Linux kernel firewall system called netfilter/iptables
		who can claim to be the first to have enforced the GNU GPL in court

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Firewalls, IPsec and Linux
Introduction

What this is:
	A broad overview about the advanced Linux networking features
	Intended for a network-savvy audience that has little Linux background

What this presentation is not:
	A tutorial on how to use iptables, tc, iproute2, brctl
	An introduction to the cool code we write every day ;)

It will try to show you what you can do with Linux networking, not how.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Firewalls, IPsec and Linux
Introduction

Linux and Networking
	Linux is a true child of the Internet
	Early adopters: ISPs, universities
	Lots of work went into a highly scalable network stack
	Not only for clients/servers, but also for routers
	Features unheard of in other OSes

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Introduction 

Did you know that a stock 2.6.x Linux kernel can provide

	a stateful packet filter?
	fully symmetric NA(P)T?
	policy routing?
	QoS / traffic shaping?
	IPv6 firewalling?
	packet filtering and NA(P)T on a bridge?
	layer 2 (MAC) address translation?
	packet forwarding rates of up to 2.1 Mpps (million packets per second)?

If not, chances are high that this presentation will tell you something new.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Netfilter Hooks

	What is netfilter?

		System of callback functions within the network stack
		A callback function is called for every packet traversing a certain point (hook) within the network stack
		Protocol independent framework
		Hooks in layer 3 stacks (IPv4, IPv6, DECnet, ARP)
		Multiple kernel modules can register with each of the hooks

Traditional packet filtering, NAT, ... are implemented on top of this framework

Can be used for other things interfacing with the core network stack, like the DECnet routing daemon.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
IP tables

	Packet selection using IP tables

		The kernel provides generic IP tables support

		Each kernel module may create its own IP table

		The three major parts of the 2.4 firewalling subsystem are implemented using IP tables
			Packet filtering table 'filter'
			NAT table 'nat'
			Packet mangling table 'mangle'

		Could potentially be used for other stuff, e.g. IPsec SPDB

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
IP Tables

	Managing chains and tables

		An IP table consists of multiple chains
		A chain consists of a list of rules
		Every single rule in a chain consists of
			match[es] (rule executed if all matches true)
			target (what to do if the rule is matched)

%size 4
matches and targets can either be builtin or implemented as kernel modules

%size 5
		The userspace tool iptables is used to control IP tables
			handles all different kinds of IP tables 
			supports a plugin/shlib interface for target/match specific options

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Connection Tracking Subsystem

	Connection tracking...
		implemented separately from NAT
		enables stateful filtering 
		protocol modules (currently TCP/UDP/ICMP/GRE/SCTP)
		application helpers (currently FTP,IRC,H.323,talk,SNMP,RTSP)
		does _NOT_ filter packets itself
		can be utilized by iptables using the 'state' match 
		is used by NAT Subsystem

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Network Address Translation

	Network Address Translation

		Previous Linux Kernels only implemented one special case of NAT: Masquerading
		Linux 2.4.x / 2.6.x can do any kind of NAT.
		NAT subsystem implemented on top of netfilter, iptables and conntrack
		Following targets available within 'nat' Table
			SNAT changes the packet's source while passing NF_IP_POST_ROUTING
			DNAT changes the packet's destination while passing NF_IP_PRE_ROUTING
			MASQUERADE is a special case of SNAT
			REDIRECT is a special case of DNAT
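The IP tables structure, the 'state' match fed by connection tracking, and the SNAT/DNAT targets from the slides above, put together as one gateway ruleset in iptables-restore format. This is an added example, not from the original slides; the interface names, the LAN prefix and the addresses (documentation ranges) are constructed assumptions.

```shell
#!/bin/sh
# Constructed topology (assumptions, not from the slides)
WAN_IF=eth0; LAN_IF=eth1
WAN_IP=198.51.100.10     # gateway's public address (documentation range)
LAN_NET=192.168.1.0/24
WEB_SRV=192.168.1.80     # internal web server reached through DNAT

# Emit a complete ruleset in iptables-restore format: one '*table' block per
# IP table, built-in chains with their policy, rules, then COMMIT.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# conntrack does not filter by itself; the 'state' match consults its table
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
# DNAT already happened in PREROUTING, so FORWARD sees the translated destination
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SRV -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT acts at NF_IP_PRE_ROUTING: destination rewritten before the routing decision
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV:80
# SNAT acts at NF_IP_POST_ROUTING: source rewritten after routing, LAN->WAN only
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
COMMIT
EOF
}

# Sanity check on the generated text: every table opened is committed, and no
# FORWARD rule accepts traffic without a state qualifier (stateful filtering).
check_ruleset() {
    rules=$(gen_ruleset)
    tables=$(printf '%s\n' "$rules" | grep -c '^\*')
    commits=$(printf '%s\n' "$rules" | grep -c '^COMMIT$')
    [ "$tables" -eq "$commits" ] || return 1
    printf '%s\n' "$rules" | grep '^-A FORWARD' | grep -v -- '-m state' && return 1
    return 0
}

# Load on the gateway with: gen_ruleset | iptables-restore   (root; not run here)
```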

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Packet Mangling

	Purpose of mangle table
		packet manipulation except address manipulation
	Targets specific to the 'mangle' table:
		DSCP - manipulate DSCP field
		IPV4OPTSSTRIP - strip IPv4 options
		MARK - change the nfmark field of the skb
		TCPMSS - set TCP MSS option
		TOS - manipulate the TOS bits 
		TTL - set / increase / decrease TTL field

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Linux Bridging

	Bridging (brctl)
		Includes support for Spanning Tree
		Fully supports packet filtering and NAT (!) on a bridge
		Can also filter and translate layer 2 MAC addresses
		Can implement a 'brouter' (bridge certain traffic, route other)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Linux Policy Routing

	Policy Routing (iproute2)
		Allows routing decisions on arbitrary information
		Provides up to 255 different routing tables within one system
		By combining it with iptables via the nfmark, any match of the packet filter can be used for the routing decision
		Very useful in complex setups with multiple links (e.g. multiple DSL uplinks with dynamic addresses, asymmetric routing, ...)
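The nfmark/iptables combination described above, worked through for the two-uplink case: the mangle table marks selected traffic, an ip rule steers marked packets into a second routing table, and MASQUERADE gives them the second link's source address. Added example, not from the original slides; interfaces, gateways and the chosen mark and table numbers are constructed assumptions.

```shell
#!/bin/sh
# Constructed topology (assumptions, not from the slides): two uplinks with
# different gateways; HTTP traffic from one LAN host is pinned to the second link.
LAN_IF=eth0
UP1_IF=ppp0; UP1_GW=203.0.113.1
UP2_IF=ppp1; UP2_GW=198.51.100.1
BULK_HOST=192.168.1.50
MARK_UP2=2          # nfmark value; the same number is set by MARK and matched by fwmark
TABLE_UP2=102       # routing table id (1..255 on the kernels the slides discuss)

# Step 1: classify in the mangle table. PREROUTING runs before the routing
# decision, so the nfmark set here is visible to the policy-routing rules.
mangle_rules() {
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -s $BULK_HOST -p tcp --dport 80 -j MARK --set-mark $MARK_UP2"
}

# Step 2: one routing table per uplink and a rule selecting it by fwmark.
# The main table keeps the first uplink as default; the fwmark rule is
# consulted before the main table for marked packets only.
policy_rules() {
    echo "ip route add default via $UP1_GW dev $UP1_IF"
    echo "ip route add default via $UP2_GW dev $UP2_IF table $TABLE_UP2"
    echo "ip rule add fwmark $MARK_UP2 table $TABLE_UP2"
}

# Step 3: packets leaving via the second link need that link's source address,
# otherwise the far end replies to the wrong uplink. MASQUERADE picks the
# address up from the outgoing interface, which suits dynamic DSL addresses.
nat_rules() {
    echo "iptables -t nat -A POSTROUTING -o $UP2_IF -j MASQUERADE"
}

# Consistency check: the mark written by MARK equals the mark matched by fwmark.
marks_consistent() {
    set_mark=$(mangle_rules | sed -n 's/.*--set-mark \([0-9]*\).*/\1/p')
    fw_mark=$(policy_rules | sed -n 's/.*fwmark \([0-9]*\) .*/\1/p')
    [ -n "$set_mark" ] && [ "$set_mark" = "$fw_mark" ]
}

# Print the full plan; pipe into sh on the gateway (root; not run here).
show_plan() { mangle_rules; policy_rules; nat_rules; }
```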

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Linux Traffic Shaping

	Traffic Control (tc)
		Framework for lots of algorithms like RED,SFQ,TBF,CBQ,CSZ,GRED,HTB
		Very granular control, especially for very low bandwidth links
		Present since Linux 2.2.x but still not used widely
		Lack of documentation, but situation is improving (www.lartc.org)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Free S/WAN

	Free S/WAN
		Was a politically motivated effort to provide IPsec for Linux 2.0+
		Goal was to encrypt as much Internet Traffic as possible 
		Software architecture didn't fit very well with Linux 2.4/2.6 network stack
		Project has been shut down, however Open S/WAN continues support
		Is in widespread production use and has received a lot of testing
		Political motivation prevented any U.S. citizen from contributing code

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Linux 2.6.x IPsec

	Linux 2.6.x IPsec
		Linux networking gods disapproved of Free S/WAN's political restrictions and software design
		Thus, they decided to write their own IPsec stack
		Result is in the stock 2.6.x kernel series
		Offers complete support for transport and tunnel mode
		Can be used with FreeSWAN (pluto) or KAME (isakmpd) userspace
		Remaining problems
			No integration with hardware crypto accelerators yet
			No implementation of NAT traversal yet
			Interaction with iptable_nat still has to be sorted out

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
cipe, vtun, openvpn and others

	Other VPN protocols/programs
		Evolved as Linux-specific VPN implementations since the Linux kernel lacked stock IPsec support for a long time
		Are totally incompatible with IPsec and only compatible with themselves
		Are of questionable security (at least in case of cipe, vtun)
		Are mostly userspace implementations
		Are way easier to configure
		Can provide layer 2 tunnels to route (or bridge!) all kinds of protocols
		openvpn with X.509 certificates is a very clean and easy solution for building strong VPN tunnels between two Linux gateways

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Firewalls, IPsec and Linux
Thanks

	Thanks to
		the BBS scene, Z-Netz, FIDO, ...
			for heavily increasing my computer usage in 1992
		KNF (http://www.franken.de/)
			for bringing me in touch with the internet as early as 1994
			for providing a playground for technical people
			for telling me about the existence of Linux!
		Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
			for implementing (one of?) the world's best TCP/IP stacks
		Paul 'Rusty' Russell
			for starting the netfilter/iptables project
			for trusting me to maintain it today
		Astaro AG
			for sponsoring parts of my netfilter work
%size 3
	The slides and an accompanying paper for this presentation are available at http://www.gnumonks.org/
%size 3