455 lines
13 KiB
Plaintext
%include "default.mgp"
%default 1 bgrad

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
IP Tables

	addrtype match
		matches source/destination address type
		types are UNICAST/LOCAL/BROADCAST/ANYCAST/MULTICAST/...
	ah match
		matches IPSEC AH SPI (range)
	comment match
		always matches, allows user to place comment in rule
	connmark match
		connection marking, see later
	conntrack match
		more extended version of 'state'
		match on timeout, fine-grained state, original tuples
	dscp match
		matches DSCP codepoint (formerly known as TOS bits)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
IP Tables

	ecn match
		matches ECN bits of tcp and ip header
	esp match
		matches IPSEC ESP SPI (range)
	hashlimit match
		dynamic limiting
	helper match
		allows matching of conntrack helper name
	iprange match
		match on arbitrary IP address ranges (not a mask)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
IP Tables

	length match
		match on packet length
	limit
		static rate limiting
	mac
		match on source mac address
	mark
		match on nfmark (fwmark)
	multiport
		match on multiple ports

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
IP Tables

	owner
		match on socket owner (uid, gid, pid, sid, command name)
	physdev
		match underlying device in case of bridge
	pkttype
		match link-layer packet type (unicast, broadcast, multicast)
	realm
		match routing realm
	recent
		see special section below
	tcpmss
		match on TCP maximum segment size

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
IP Tables

	Targets
		very dependent on the particular table

	Table specific targets will be discussed later

	Generic Targets, always available
		ACCEPT		accept packet within chain
		DROP		silently drop packet
		QUEUE		enqueue packet to userspace
		LOG		log packet via syslog
		ULOG		log packet via ulogd
		RETURN		return to previous (calling) chain
		foobar		jump to user defined chain

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
Packet Filtering

	Overview

	Implemented as 'filter' table
	Registers with three netfilter hooks

		NF_IP_LOCAL_IN (packets destined for the local host)
		NF_IP_FORWARD (packets forwarded by local host)
		NF_IP_LOCAL_OUT (packets from the local host)

	Each of the three hooks has one chain attached (INPUT, FORWARD, OUTPUT)

	Every packet passes exactly one of the three chains. Note that this is very different from the old 2.2.x ipchains behaviour.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
Packet Filtering

	Targets available within 'filter' table

	Builtin Targets to be used in filter table
		ACCEPT		accept the packet
		DROP		silently drop the packet
		QUEUE		enqueue packet to userspace
		RETURN		return to previous (calling) chain
		foobar		user defined chain

	Targets implemented as loadable modules
		REJECT		drop the packet but inform sender

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
Connection Tracking Subsystem

	Connection tracking...

		implemented separately from NAT
		enables stateful filtering
		implementation
			hooks into NF_IP_PRE_ROUTING to track packets
			hooks into NF_IP_POST_ROUTING and NF_IP_LOCAL_IN to see if packet passed filtering rules
			protocol modules (currently TCP/UDP/ICMP/SCTP)
			application helpers currently (FTP, IRC, H.323, talk, SNMP)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
Connection Tracking Subsystem

	Connection tracking...

		divides packets into the following four categories
			NEW - would establish new connection
			ESTABLISHED - part of already established connection
			RELATED - is related to established connection
			INVALID - (multicast, errors...)
		does _NOT_ filter packets itself
		can be utilized by iptables using the 'state' match
		is used by NAT Subsystem

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
Connection Tracking Subsystem

	State tracking for TCP is obvious
		TCP inherently stateful
		Two TCP state machines on each end have well-defined behaviour
		Passive tracking of state machines
		In more recent 2.6.x kernels, tracking of TCP window (seq/ack)
		Max idle timeout of fully-established session: 5 days

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
Connection Tracking Subsystem

	State tracking for UDP: How is this possible?
		UDP itself not stateful at all
		However, higher-level protocols mostly match request-reply
		First packet (request) is assumed to be NEW
		First matching reply packet is assumed to confirm connection
		Further packets in either direction refresh timeout
		Timeouts: 30sec unreplied, 180sec confirmed

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
Connection Tracking Subsystem

	State tracking on ICMP: What's that?
		ICMP Errors (e.g. host/net unreachable, ttl exceeded)
			They can always be categorized as RELATED to other connections
		ICMP request/reply (ECHO REQUEST, INFO REQUEST)
			can be treated like UDP request/reply case

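Added example (Python, not part of this tutorial or of the netfilter code): a minimal model of the request/reply tracking that the UDP slide describes and that the ICMP slide says applies to echo/info requests as well, using the tutorial's 30 s unreplied and 180 s confirmed timeouts. The tuple layout, the Entry record and the INVALID result for an unsolicited ICMP reply are this example's own assumptions; ICMP errors (RELATED on the slides) are not modelled.

```python
from dataclasses import dataclass

UNREPLIED_TIMEOUT = 30    # seconds before an unreplied flow is forgotten (tutorial)
CONFIRMED_TIMEOUT = 180   # seconds once a reply confirmed the flow (tutorial)
ICMP_REQ_TO_REPLY = {8: 0, 15: 16}            # echo / info request -> their reply types
ICMP_PAIR = {**ICMP_REQ_TO_REPLY, **{v: k for k, v in ICMP_REQ_TO_REPLY.items()}}


def invert(t):
    """Tuple a packet in the opposite direction carries (None if not modelled)."""
    if t[0] == "udp":                          # ("udp", src, sport, dst, dport)
        _, src, sport, dst, dport = t
        return ("udp", dst, dport, src, sport)
    _, src, dst, icmp_type, ident = t          # ("icmp", src, dst, type, id)
    if icmp_type not in ICMP_PAIR:             # ICMP errors (RELATED) are not modelled here
        return None
    return ("icmp", dst, src, ICMP_PAIR[icmp_type], ident)


@dataclass
class Entry:
    seen_reply: bool
    expires: float


class RequestReplyTracker:
    """Table keyed by original-direction tuples; replies are looked up inverted."""

    def __init__(self):
        self.table = {}

    def _expire(self, now):
        for key in [k for k, e in self.table.items() if e.expires <= now]:
            del self.table[key]

    def classify(self, t, now):
        """Return the category of one packet and refresh its entry's timeout."""
        self._expire(now)
        if t in self.table:                                # original direction again
            e = self.table[t]
            e.expires = now + (CONFIRMED_TIMEOUT if e.seen_reply else UNREPLIED_TIMEOUT)
            return "ESTABLISHED" if e.seen_reply else "NEW"
        inv = invert(t)
        if inv is not None and inv in self.table:          # first matching reply confirms
            e = self.table[inv]
            e.seen_reply = True
            e.expires = now + CONFIRMED_TIMEOUT
            return "ESTABLISHED"
        if t[0] == "icmp" and t[3] not in ICMP_REQ_TO_REPLY:
            return "INVALID"                               # reply with no request to match
        self.table[t] = Entry(False, now + UNREPLIED_TIMEOUT)
        return "NEW"
```

A retransmitted request stays NEW until the first reply is seen, and an entry that sits idle past its timeout is forgotten, so the next packet starts a fresh flow.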
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
Connection Tracking Subsystem

	State tracking on SCTP: What's SCTP?
		Streaming Control Transfer Protocol
		Linux has SCTP in the network stack, so why should the packet filter not support it?
		Pretty much like TCP in most cases
		Doesn't support more advanced features such as failover of an endpoint

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
Connection Tracking Subsystem

	State tracking on other protocols
		'generic' protocol: no layer-4 tuple information
		'gre' helper in patch-o-matic

	State tracking of higher-layer protocols
		implemented as 'connection tracking helpers'
		currently in-kernel: amanda, ftp, irc, tftp
		currently in patch-o-matic: pptp, h.323, sip, quake, ...
		have to be explicitly loaded (ip_conntrack_*.[k]o)
		work by issuing so-called "expectations"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
Connection Tracking Subsystem

	Exemptions to connection tracking
		Usually connection tracking is called first in PRE_ROUTING
		Sometimes, filtering is preferred before this conntrack lookup
		Therefore, the "raw" table was introduced
		In some rare cases, one might want to not track certain packets
		The NOTRACK target can be used in the "raw" table

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
Connection Tracking Subsystem

	Configuration / Tuning
		module parameter "hashsize"
			number of hash table buckets
		/proc/sys/net/ipv4/ip_conntrack_max
			maximum number of tracked connections
		/proc/sys/net/ipv4/ip_conntrack_buckets (read-only)
			number of hash table buckets
		/proc/net/ip_conntrack
			list of connections
		/proc/net/ip_conntrack_expect
			list of pending expectations

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
Connection Tracking Subsystem

	Configuration / Tuning
		/proc/sys/net/ip_conntrack_log_invalid
			log invalid packets?
		/proc/sys/net/ip_conntrack_tcp_be_liberal
			basically disables window tracking, if "1"
		/proc/sys/net/ip_conntrack_tcp_loose
			how many packets required until sync in case of pickup
			if set to zero, disables pickup
		/proc/sys/net/ip_conntrack_tcp_max_retrans
			maximum number of retransmitted packets without seeing an ACK
		/proc/sys/net/ip_conntrack_*timeout*
			timeout values of respective protocol states

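Added example (Python, not from the tutorial): a parser for the /proc/net/ip_conntrack listing named on the previous slide, run over constructed sample lines, plus a summary of table fill against ip_conntrack_max and of unreplied entries per source address, the two numbers to watch when a flood is pushing the table towards its limit. The line layout follows the 2.4/2.6 ip_conntrack format as this example assumes it; the sample addresses, ports and counters are made up.

```python
import re

# Constructed sample in the layout of /proc/net/ip_conntrack (not captured from a host):
# proto, proto number, seconds left, [TCP state], original tuple, [UNREPLIED],
# reply tuple, [ASSURED], use count. 431999 s is close to the 5-day established-TCP timeout.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=51234 dport=22 src=192.0.2.10 dst=10.0.0.5 sport=22 dport=51234 [ASSURED] use=1
tcp      6 119 SYN_SENT src=10.0.0.7 dst=192.0.2.11 sport=40001 dport=80 [UNREPLIED] src=192.0.2.11 dst=10.0.0.7 sport=80 dport=40001 use=1
tcp      6 118 SYN_SENT src=10.0.0.7 dst=192.0.2.11 sport=40002 dport=81 [UNREPLIED] src=192.0.2.11 dst=10.0.0.7 sport=81 dport=40002 use=1
udp      17 27 src=10.0.0.5 dst=192.0.2.53 sport=40000 dport=53 [UNREPLIED] src=192.0.2.53 dst=10.0.0.5 sport=53 dport=40000 use=1
udp      17 175 src=10.0.0.6 dst=192.0.2.53 sport=40003 dport=53 src=192.0.2.53 dst=10.0.0.6 sport=53 dport=40003 [ASSURED] use=1
icmp     1 29 src=10.0.0.5 dst=192.0.2.1 type=8 code=0 id=1234 [UNREPLIED] src=192.0.2.1 dst=10.0.0.5 type=0 code=0 id=1234 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}


def parse_line(line):
    """Split one line into protocol, timeout, TCP state, flags and the two tuples."""
    fields = line.split()
    proto, timeout = fields[0], int(fields[2])
    state = fields[3] if proto == "tcp" else None          # only TCP carries a state column
    flags = {f.strip("[]") for f in fields if f.startswith("[")}
    pairs = [(k, v) for k, v in KV.findall(line) if k in TUPLE_KEYS]
    second_src = [i for i, (k, _) in enumerate(pairs) if k == "src"][1]
    return {"proto": proto, "timeout": timeout, "state": state, "flags": flags,
            "orig": dict(pairs[:second_src]), "reply": dict(pairs[second_src:])}


def parse_table(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def summarize(entries, conntrack_max):
    """Fill ratio against ip_conntrack_max and unreplied entries per source address:
    a table filling up with unreplied entries from few sources points at a flood."""
    unreplied_by_src = {}
    for e in entries:
        if "UNREPLIED" in e["flags"]:
            src = e["orig"]["src"]
            unreplied_by_src[src] = unreplied_by_src.get(src, 0) + 1
    return {"total": len(entries), "fill": len(entries) / conntrack_max,
            "unreplied_by_src": unreplied_by_src}
```

On a real host, read the text from /proc/net/ip_conntrack and the limit from /proc/sys/net/ipv4/ip_conntrack_max instead of the constructed sample.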
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
Network Address Translation

	Network Address Translation

		Previous Linux Kernels only implemented one special case of NAT: Masquerading
		Linux 2.4.x / 2.6.x can do any kind of NAT.
		NAT subsystem implemented on top of netfilter, iptables and conntrack
		Following targets available within 'nat' Table
			SNAT changes the packet's source while passing NF_IP_POST_ROUTING
			DNAT changes the packet's destination while passing NF_IP_PRE_ROUTING
			MASQUERADE is a special case of SNAT
			REDIRECT is a special case of DNAT
			SAME
			NETMAP

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
Network Address Translation

	Source NAT
		SNAT Example:
%font "typewriter"
%size 3
iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.4 -s 10.0.0.0/8
%font "standard"
%size 4

		MASQUERADE Example:
%font "typewriter"
%size 3
iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0
%font "standard"
%size 5

	Destination NAT
		DNAT example
%font "typewriter"
%size 3
iptables -t nat -A PREROUTING -j DNAT --to-destination 1.2.3.4:8080 -p tcp --dport 80 -i eth1
%font "standard"
%size 4

		REDIRECT example
%font "typewriter"
%size 3
iptables -t nat -A PREROUTING -j REDIRECT --to-port 3128 -i eth1 -p tcp --dport 80
%font "standard"
%size 5

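Added example (Python, not the NAT subsystem's own code): a model of how the SNAT and DNAT rules on this slide are consulted only for the first packet of a flow, after which the conntrack entry's original and reply tuples translate every later packet, including the replies that are rewritten back without any rule of their own. The Flow and Rule records, the per-hook bookkeeping and the restriction to TCP, PREROUTING and POSTROUTING (no OUTPUT hook, no port ranges) are this example's simplifications.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src sport dst dport")     # one direction of a TCP flow
# DNAT rules act in PREROUTING (-i), SNAT rules in POSTROUTING (-o); None means wildcard
Rule = namedtuple("Rule", "target to_addr to_port src_net dport iface", defaults=(None,) * 4)

def inv(f):
    return Flow(f.dst, f.dport, f.src, f.sport)


def matches(r, f, iface):
    in_net = r.src_net is None or ipaddress.ip_address(f.src) in ipaddress.ip_network(r.src_net)
    return in_net and r.dport in (None, f.dport) and r.iface in (None, iface)


class NatTable:
    def __init__(self, rules):
        self.rules = rules
        self.conns = {}          # original tuple -> [reply tuple, hooks already decided]

    def _find(self, f):
        for orig, (reply, _) in self.conns.items():
            if f in (orig, inv(reply)):
                return orig, "orig"
            if f in (reply, inv(orig)):
                return orig, "reply"
        return None, None

    def packet(self, f, hook, iface):
        """Return the packet's tuple after the given NAT hook. Rules are consulted only
        for the first packet of a flow; later packets and replies follow the entry."""
        orig, direction = self._find(f)
        if orig is None:                                   # NEW flow: create the entry
            orig, direction = f, "orig"
            self.conns[orig] = [inv(orig), set()]
        reply, decided = self.conns[orig]
        if direction == "orig" and hook not in decided:
            decided.add(hook)
            want = "DNAT" if hook == "PREROUTING" else "SNAT"
            cur = inv(reply)                               # packet as it looks right now
            for r in self.rules:
                if r.target == want and matches(r, cur, iface):
                    if want == "DNAT":                     # new destination = reply source
                        reply = Flow(r.to_addr, r.to_port or cur.dport, reply.dst, reply.dport)
                    else:                                  # new source = reply destination
                        reply = Flow(reply.src, reply.sport, r.to_addr, r.to_port or cur.sport)
                    break
            self.conns[orig][0] = reply
        return inv(reply) if direction == "orig" else inv(orig)
```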
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
Packet Mangling

	Purpose of 'mangle' table
		packet manipulation except address manipulation

	Integration with netfilter
		'mangle' table hooks in all five netfilter hooks
		priority: after conntrack

	Simple example:
%font "typewriter"
%size 3
iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -p tcp --dport 80

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
Packet Mangling

	Targets specific to the 'mangle' table:
		DSCP
			manipulate DSCP field
		ECN
			manipulate ECN bits
		IPV4OPTSSTRIP
			strip IPv4 options
		MARK
			change the nfmark field of the skb
		TCPMSS
			set TCP MSS option
		TOS
			manipulate the TOS bits
		TTL
			set / increase / decrease TTL field
		CLASSIFY
			classify packet (for tc/iproute)
		CONNMARK
			set mark of connection

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
The raw Table

	Purpose of 'raw' table
		to allow for filtering rules _before_ conntrack
	Targets specific to the 'raw' table:
		NOTRACK
			don't do connection tracking

	The table can also be useful for flood protection rules that happen before traversing the (computationally) expensive connection tracking subsystem.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
Advanced Netfilter concepts

%size 4
	Userspace logging
		flexible replacement for old syslog-based logging
		packets to userspace via multicast netlink sockets
		easy-to-use library (libipulog)
		plugin-extensible userspace logging daemon (ulogd)
		Can even be used to directly log into MySQL

	Queuing
		reliable asynchronous packet handling
		packets to userspace via unicast netlink socket
		easy-to-use library (libipq)
		provides Perl bindings
		experimental queue multiplex daemon (ipqmpd)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
Advanced Netfilter concepts

	Firewalling on a Bridge (ebtables + iptables)
		totally transparent to layer 2 and above
		no attack vector since firewall has no IP address
		even possible to do NAT on the bridge
		or even NAT of MAC addresses

	ipset - Faster matching
		iptables are a linear list of rules
		ipset represents a 'group' scheme
		Implements different data types for different applications
			hash table (for random addresses)
			bitmask (for let's say a /24 network)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
Advanced Netfilter concepts

	ipv6 packet filtering
		ip6tables almost identical to iptables
		no connection tracking in mainline yet, but patches exist
		ip6_conntrack
			initial copy+paste 'port' by USAGI
			was not accepted because of code duplication
		nf_conntrack
			generalized connection tracking, supports ipv4 and ipv6
			mutually exclusive with ip_conntrack
			as of now, no ipv4 nat on top of nf_conntrack

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
netfilter/iptables tutorial
Thanks

	Thanks to
		the BBS scene, Z-Netz, FIDO, ...
			for heavily increasing my computer usage in 1992
		KNF (http://www.franken.de/)
			for bringing me in touch with the internet as early as 1994
			for providing a playground for technical people
			for telling me about the existence of Linux!
		Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
			for implementing (one of?) the world's best TCP/IP stacks
		Paul 'Rusty' Russell
			for starting the netfilter/iptables project
			for trusting me to maintain it today
		Astaro AG
			for sponsoring parts of my netfilter work