444 lines
11 KiB
Plaintext
444 lines
11 KiB
Plaintext
%include "default.mgp"
|
|
%default 1 bgrad
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
%nodefault
|
|
%back "blue"
|
|
|
|
%center
|
|
%size 7
|
|
|
|
|
|
The netfilter framework in Linux 2.4
|
|
|
|
|
|
%center
|
|
%size 4
|
|
by
|
|
|
|
Harald Welte <laforge@gnumonks.org>
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
netfilter in Linux 2.4
|
|
Contents
|
|
|
|
Introduction
|
|
|
|
PART I - Netfilter basics / concepts
|
|
|
|
Part II - Packet filtering using iptables and netfilter
|
|
|
|
Part III - NAT using iptables and netfilter
|
|
|
|
Part IV - Packet mangling using iptables and netfilter
|
|
|
|
Advanced netfilter concepts
|
|
|
|
Current development and Future
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
netfilter in Linux 2.4
|
|
Introduction
|
|
|
|
What is netfilter
|
|
|
|
More than a firewall subsystem
|
|
|
|
Generalized Framework (protocol independend)
|
|
|
|
Hooks in the Network stack
|
|
|
|
Multiple kernel modules can register with each of the hooks
|
|
|
|
Asynchronous packet handling in userspace
|
|
|
|
IP Tables, usable for any module
|
|
|
|
Traditional packet filtering / NAT / ... implemented on top of this framework
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
netfilter in Linux 2.4
|
|
Introduction
|
|
|
|
Why did we need netfilter
|
|
|
|
No infrastructure for passing packets to userspace
|
|
|
|
Transparent proxying extremely difficult
|
|
|
|
Packet filter rules depend on interface addresses
|
|
|
|
Masquerading and packet filtering not implemented seperately
|
|
|
|
Code too complex
|
|
|
|
Neither modular nor extensible
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
netfilter in Linux 2.4
|
|
Introduction
|
|
|
|
Authors of netfilter
|
|
Paul 'Rusty' Russell
|
|
co-author of ipchains in Linux 2.2
|
|
was paid by Watchguard for about one Year of development
|
|
now works for Linuxcare
|
|
|
|
James Morris
|
|
userspace queuing (kernel, library and tools)
|
|
REJECT target
|
|
|
|
Marc Boucher
|
|
NAT and packet filtering controlled by one comand
|
|
Mangle table
|
|
|
|
Harald Welte
|
|
IRC conntrac+NAT helper
|
|
Userspace packet logging
|
|
IPv6 stuff
|
|
|
|
Non-core team contributors
|
|
http://netfilter.kernelnotes.org/scoreboard.html
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
netfilter in Linux 2.4
|
|
PART I - Netfilter basics
|
|
|
|
Netfilter architecture in IPv4
|
|
%font "typewriter"
|
|
|
|
--->[1]--->[ROUTE]--->[3]--->[4]--->
|
|
| ^
|
|
| |
|
|
| [ROUTE]
|
|
v |
|
|
[2] [5]
|
|
| ^
|
|
| |
|
|
v |
|
|
|
|
%font "standard"
|
|
1=NF_IP_PRE_ROUTING
|
|
2=NF_IP_LOCAL_IN
|
|
3=NF_IP_FORWARD
|
|
4=NF_IP_POST_ROUTING
|
|
5=NF_IP_LOCAL_OUT
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
netfilter in Linux 2.4
|
|
PART I - Netfilter basics
|
|
|
|
Netfilter base
|
|
|
|
Any kernel module may register a callback function at any of the hooks
|
|
|
|
The module has to return one of the following constants
|
|
|
|
NF_ACCEPT continue traversal as normal
|
|
NF_DROP drop the packet, do not continue
|
|
NF_STOLEN I've taken over the packet do not continue
|
|
NF_QUEUE enqueue packet to userspace
|
|
NF_REPEAT call this hook again
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
netfilter in Linux 2.4
|
|
PART I - Netfilter basics
|
|
|
|
Packet selection using IP tables
|
|
|
|
The kernel provides generic IP tables support
|
|
|
|
Each kernel module may create it's own IP table
|
|
|
|
The three major parts of 2.4 advanced packet handling are implemented using IP tables
|
|
|
|
Packet filtering table 'filter'
|
|
|
|
NAT table 'nat'
|
|
|
|
Packet mangling table 'mangle'
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
netfilter in Linux 2.4
|
|
PART II - packet filtering
|
|
|
|
Overview
|
|
|
|
Implemented on top of three netfilter hooks
|
|
|
|
NF_IP_LOCAL_IN (packets destined for the local host)
|
|
NF_IP_FORWARD (packets forwarded by local host)
|
|
NF_IP_LOCAL_OUT (packets from the local host)
|
|
|
|
%size 4
|
|
On each of the three hooks we register one chain (INPUT, FORWARD, OUTPUT) of the IP Table 'filter'
|
|
|
|
Each packet passes exactly one of the three chains. Note that this is very different compared to the old 2.2 ipchains behaviour.
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
netfilter in Linux 2.4
|
|
PART II - packet filtering
|
|
|
|
Managing chains and tables
|
|
|
|
Each rule in a chain consists out of
|
|
match (which packet match this rule)
|
|
target (what to do if the rule is matched)
|
|
|
|
%size 4
|
|
matches and targets can either be builtin or implemented as kernel modules
|
|
|
|
%size 6
|
|
The userspace tool iptables is very flexible
|
|
handles all different kinds of IP tables
|
|
supports a plugin/shlib interface for target / match specific options
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
netfilter in Linux 2.4
|
|
PART II - packet filtering
|
|
|
|
Basic iptables commands
|
|
|
|
To build a complete iptable command, we must specify
|
|
which table to work with
|
|
which chain in this table to use
|
|
an operation (insert, add, delete, modify)
|
|
a match
|
|
a target
|
|
|
|
The syntax is
|
|
%font "typewriter"
|
|
%size 3
|
|
iptables -t table -Operation chain -j target match(es)
|
|
%font "standard"
|
|
%size 5
|
|
|
|
Example:
|
|
%font "typewriter"
|
|
%size 3
|
|
iptables -t filter -A INPUT -j ACCEPT -p tcp --dport smtp
|
|
%font "standard"
|
|
%size 5
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
netfilter in Linux 2.4
|
|
PART II - packet filtering
|
|
|
|
Targets
|
|
|
|
Builtin Targets to be used in filter table
|
|
ACCEPT accept the packet
|
|
DROP silently drop the packet
|
|
QUEUE enqueue packet to userspace
|
|
RETURN return to previous (calling) chain
|
|
foobar user defined chain
|
|
|
|
Targets implemented as loadable modules
|
|
REJECT drop the packet but inform sender
|
|
MIRROR change source/destination IP and resend
|
|
LOG log via syslog
|
|
ULOG log via userspace
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
netfilter in Linux 2.4
|
|
PART II - packet filtering
|
|
|
|
Matches
|
|
|
|
Basic matches
|
|
-p protocol (tcp/udp/icmp/...)
|
|
-s source address (ip/mask)
|
|
-d destination address (ip/mask)
|
|
-i incoming interface
|
|
-o outgoing interface
|
|
|
|
Match extensions
|
|
--dport destination port
|
|
--sport source port
|
|
--mac-source source MAC address
|
|
--mark nfmark
|
|
--tos TOS field of IP header
|
|
--ttl TTL field of IP header
|
|
--limit rate limiting (n packets per timeframe)
|
|
--owner owner uid of the socket sending the packet
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
netfilter in Linux 2.4
|
|
PART III - NAT
|
|
|
|
Overview
|
|
|
|
Previous Linux Kernels only implemented one special case of NAT: Masquerading
|
|
|
|
Netfilter enables Linux to do any kind of NAT.
|
|
|
|
All matches from packet filtering are available for the nat tables, too
|
|
|
|
We divide NAT into 'source NAT' and 'destination NAT'
|
|
|
|
SNAT changes the packet's source whille passing NF_IP_POST_ROUTING
|
|
|
|
DNAT changes the packet's destination while passing NF_IP_PRE_ROUTING
|
|
|
|
MASQUERADE is a special case of SNAT
|
|
|
|
REDIRECT is a special case of DNAT
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
netfilter in Linux 2.4
|
|
PART III - NAT
|
|
|
|
Source NAT
|
|
|
|
SNAT Example:
|
|
%font "typewriter"
|
|
%size 3
|
|
|
|
iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.4 -s 10.0.0.0/8
|
|
%font "standard"
|
|
%size 4
|
|
|
|
Masquerading does almost the same as SNAT, but if the outgoing interfaces' address changes (in case we have a dialup with dynamic ip), the new address is used.
|
|
|
|
MASQUERADE Example:
|
|
%font "typewriter"
|
|
%size 3
|
|
|
|
iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0
|
|
%font "standard"
|
|
%size 5
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
netfilter in Linux 2.4
|
|
PART III - NAT
|
|
|
|
Destination NAT
|
|
|
|
DNAT example:
|
|
%font "typewriter"
|
|
%size 3
|
|
|
|
iptables -t nat -A PREROUTING -j DNAT --to-destination 1.2.3.4:8080 -p tcp --dport 80 -i eth1
|
|
%font "standard"
|
|
%size 4
|
|
|
|
REDIRECT is a special case of DNAT, which alters the destination to the address of the incoming interface.
|
|
|
|
REDIRECT example:
|
|
%font "typewriter"
|
|
%size 3
|
|
|
|
iptables -t nat -A PREROUTING -j REDIRECT --to-port 3128 -i eth1 -p tcp --dport 80
|
|
%font "standard"
|
|
%size 5
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
netfilter in Linux 2.4
|
|
PART IV - Packet mangling
|
|
|
|
Change certain parts of a packet based on rules in IP tables
|
|
|
|
Again all the matches available, as described in packet filtering section.
|
|
|
|
Currently, the supported packet mangling targets are:
|
|
TOS manipulate the TOS bits
|
|
TTL set / increase / decrease TTL field
|
|
MARK change the nfmark field of the skb
|
|
|
|
Simple example:
|
|
%font "typewriter"
|
|
%size 3
|
|
|
|
iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -p tcp --dport 80
|
|
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
netfilter in Linux 2.4
|
|
Advanced Netfilter concepts
|
|
|
|
Connection tracking
|
|
|
|
Implemented seperately from NAT
|
|
|
|
Enables stateful filtering
|
|
|
|
Implementation
|
|
hooks into NF_IP_PRE_ROUTING to track packets
|
|
hooks into NF_IP_POST_ROUTING and NF_IP_LOCAL_IN to drop information about connections which got filtered out
|
|
protocol modules (currently TCP/UDP/ICMP)
|
|
application helpers (currently FTP and IRC-DCC)
|
|
|
|
Conntrack divides packets in the following four categories
|
|
NEW - would establish new connection
|
|
ESTABLISHED - part of already established connection
|
|
RELATED - is related to established connection
|
|
INVALID - (multicast, errors...)
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
netfilter in Linux 2.4
|
|
Advanced Netfilter concepts
|
|
|
|
%size 4
|
|
Userspace logging
|
|
flexible replacement for old syslog-based logging
|
|
packets to userspace via multicast netlink sockets
|
|
easy-to-use library (libipulog)
|
|
plugin-extensible userspace logging daemon already available
|
|
|
|
Queuing
|
|
reliable asynchronous packet handling
|
|
packets to userspace via unicast netlink socket
|
|
easy-to-use library (libipq)
|
|
experimental queue multiplex daemon (ipqmpd)
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
netfilter in Linux 2.4
|
|
Current Development and Future
|
|
|
|
Netfilter (although it proved very stable) is still work in progress.
|
|
|
|
Areas of current development
|
|
infrastructure for conntrack/nat helpers in userspace
|
|
full TCP sequence number tracking
|
|
multicast support for connection tracking
|
|
more flexible matches (MAXCONN, ...)
|
|
more conntrack and NAT modules (RPC, SNMP, SMB, ...)
|
|
better IPv6 support (conntrack, more matches / targets)
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
netfilter in Linux 2.4
|
|
Availability of slides / Links
|
|
|
|
The slides and the an according paper of this presentation are available at
|
|
http://www.gnumonks.org
|
|
|
|
The netfilter homepage is mirrored at:
|
|
http://netfilter.samba.org
|
|
http://netfilter.kernelnotes.org
|
|
http://netfilter.filewatcher.org
|
|
|
|
More documents / netfilter extensions (ulogd, ipqmpd, ...)
|
|
http://www.gnumonks.org/projects
|