%include "default.mgp"
|
|
%default 1 bgrad
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
%nodefault
|
|
%back "blue"
|
|
|
|
%center
|
|
%size 7
|
|
|
|
|
|
The netfilter/iptables project
|
|
|
|
|
|
|
|
%center
|
|
%size 4
|
|
by
|
|
|
|
Harald Welte <laforge@netfilter.org>
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
The netfilter/iptables project
|
|
Contents
|
|
|
|
Introduction: Firewalls, Proxies, Packet Filters
|
|
|
|
Why a free software firewall?
|
|
|
|
What can you do with netfilter/iptables?
|
|
|
|
Who is behind the project? How to get involved?
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
The netfilter/iptables project
|
|
Introduction: Firewalls, Proxies, Packet Filters
|
|
|
|
Firewalls are security gateways between networks
|
|
|
|
Can be implemented in different ways, at different layers
|
|
|
|
Packet filters at networking layer (3)
|
|
inspect each packet and make a decision based on the packet's contents
|
|
traditionally don't know about connections
|
|
advantage: fast, transparent
|
|
disadvantage: filtering limited to l3 and l4 headers
|
|
|
|
Proxies at application layer (5-7)
|
|
terminate two connections (client->proxy and proxy->server)
|
|
advantage: can base decision on application protocol
|
|
disadvantage: not transparent, need application support
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
The netfilter/iptables project
|
|
Introduction: Firewalls, Proxies, Packet Filters
|
|
|
|
However, the world is not that simple anymore, since newer techniques blend the two concepts
|
|
|
|
stateful packet filters
|
|
keep state about existing connections/flows
|
|
can even track state beyond l4 (application-layer helpers)
|
|
thus give packet filters some features of proxies
|
|
|
|
transparent proxies
|
|
can be implemented without application support
|
|
how 'transparent' do you want to be? to the client? the server? the network?
|
|
thus give proxies some of the transparency of packet filters
|
|
|
|
In reality it is sometimes hard to tell. netfilter/iptables implements a packet filter (stateless/stateful) and some support for transparent proxying.
|
|
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
The netfilter/iptables project
|
|
History of linux packet filtering
|
|
|
|
%size 3
|
|
1994: kernel 1.2.x (BSD4.4 ipfw)
|
|
first packet filter in the linux kernel
|
|
%size 3
|
|
1995: kernel 2.0.x (ipfwadm)
|
|
enhanced version of the old ipfw
|
|
first support for masquerading
|
|
%size 3
|
|
1997: kernel 2.2.x (ipchains)
|
|
enhanced version of ipfwadm
|
|
support for multiple lists of rules (chains)
|
|
support for transparent proxying
|
|
masquerading helpers for ftp/irc/quake/...
|
|
%size 3
|
|
2000: kernel 2.4.x (iptables)
|
|
totally new implementation (based on netfilter API)
|
|
allows for multiple tables (which each have multiple chains)
|
|
first support for stateful packet filtering
|
|
support for fully symmetric NAT (SNAT/DNAT/...)
|
|
%size 3
|
|
2003: kernel 2.6.0-testX (iptables)
|
|
breaking a tradition: no new packet filter (not yet...)
|
|
support for non-linear skb's (zerocopy TCP path)
|
|
%size 3
|
|
2003/4: kernel 2.7.x and later 2.6.x backport (pkttables)
|
|
totally new implementation
|
|
layer 3 independent packet filtering framework
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
The netfilter/iptables project
|
|
Why a free software firewall?
|
|
|
|
Tradition
|
|
The internet was built on free/open standards and software
|
|
Code Quality
|
|
Security-relevant open source code gets more auditing because more people read it (and thus report/fix bugs)
|
|
Trust
|
|
Users can have more trust in FOSS, since they can check for hidden backdoors
|
|
Public infrastructure
|
|
Packet Filters (like routers) are core infrastructure of the internet.
|
|
Infrastructure should be open/free for the public, just like roads.
|
|
Arguments against proprietary software in infrastructure
|
|
What if the vendor of your product goes bankrupt?
|
|
Users are exposed to 'upgrade pressure' and future license changes
|
|
No way to adopt new standards if the vendor has no interest
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
The netfilter/iptables project
|
|
What can you do using netfilter/iptables?
|
|
|
|
stateless packet filtering
|
|
provides matches for almost any criterion in the universe
|
|
stateful packet filtering (using connection tracking)
|
|
keeps state table about all ongoing connections
|
|
currently supports TCP/UDP/ICMP/GRE
|
|
currently supports l5+ helpers for ftp,irc,pptp,h323,talk,mms,tftp,...
|
|
network address translation
|
|
stateful, based on connection tracking
|
|
source NAT / Masquerading
|
|
destination NAT / redirect
|
|
1:1 nat of whole networks (NETMAP)
|
|
packet mangling
|
|
clamp TCP MSS to PMTU for broken PMTU discovery
|
|
manipulate packet header (TTL, ECN, DSCP, ...)
|
|
combine with policy routing / traffic shaping
|
|
stateless IPv6 packet filtering (ip6tables)
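As an added example (not code from the original slides or from the netfilter project), the script below writes an iptables-restore ruleset for a 2.4-era kernel that exercises the features listed on this page and on the stateful-vs-stateless discussion above: a stateful INPUT/FORWARD policy built on connection tracking, source NAT (MASQUERADE) for an internal network, destination NAT to publish an internal web server, and TCP MSS clamping in the mangle table. It also shows, for contrast, the rule a purely stateless filter would need to let web replies back in, and why that rule is weak. The interface names (eth0/eth1), addresses (192.168.1.0/24, 192.168.1.10) and ports are assumptions; the `-m state --state` syntax is the one used by iptables of that period.

```shell
#!/bin/sh
# Added example, not code from the netfilter project or the original slides.
# Emits an iptables-restore ruleset that uses the features listed above:
# stateful filtering (connection tracking), SNAT/masquerading, DNAT and
# TCP MSS clamping. Interface names, addresses and ports are assumptions.
set -eu

WAN=${WAN:-eth0}                    # assumed upstream interface
LAN=${LAN:-eth1}                    # assumed internal interface
LAN_NET=${LAN_NET:-192.168.1.0/24}  # assumed internal network
WEB_SRV=${WEB_SRV:-192.168.1.10}    # assumed internal web server (DNAT target)

# The rule a *stateless* filter needs to let web replies back in: it accepts
# any packet with source port 80, so anything bound to port 80 on the outside
# gets through the firewall. Shown for contrast only; not part of the ruleset.
stateless_weak_rule() {
    echo "-A INPUT -i $WAN -p tcp --sport 80 -j ACCEPT"
}

# The stateful replacement: only packets the connection tracker has already
# seen as part of an outgoing connection (or one RELATED to it, such as an
# ftp data connection recognised by the ftp helper) are accepted.
stateful_rule() {
    echo "-A INPUT -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Full ruleset in iptables-restore format.
#  filter: default DROP, accept only tracked traffic and new LAN->WAN flows,
#          plus new connections to the published web server (post-DNAT address)
#  nat:    DNAT port 80 on the WAN side to the internal server,
#          MASQUERADE the internal network on the way out
#  mangle: clamp the MSS of outgoing SYNs to the PMTU for peers with broken
#          path-MTU discovery
emit_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
$(stateful_rule)
-A INPUT -i $LAN -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN -o $LAN -d $WEB_SRV -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV:80
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
-A FORWARD -o $WAN -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
EOF
}

# Write the ruleset to a file. Apply as root with: iptables-restore < FILE
write_ruleset() {
    emit_ruleset > "$1"
}
```

Applying the file needs root and a kernel with the NAT and conntrack modules loaded; for the ftp data connection to show up as RELATED the ip_conntrack_ftp helper module must be loaded as well. Note the ordering: the DNAT rule runs in nat/PREROUTING before routing, so the FORWARD rule matches the already translated destination 192.168.1.10, not the WAN address.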
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
The netfilter/iptables project
|
|
Who is behind netfilter/iptables?
|
|
|
|
Project started by Paul 'Rusty' Russell
|
|
Coreteam
|
|
Rusty, Marc Boucher, James Morris, Harald Welte, Jozsef Kadlecsik, Martin Josefsson
|
|
Elects a head of coreteam
|
|
Countless contributions from hundreds of people all over the world
|
|
In the past we had a scoreboard to keep track of the contributions
|
|
|
|
We are always short of volunteers, even for list admin/webmaster/...
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
The netfilter/iptables project
|
|
How to get involved?
|
|
|
|
Internet services:
|
|
Homepage - http://www.netfilter.org/
|
|
FTP Server - ftp://ftp.netfilter.org/
|
|
rsync server - rsync.netfilter.org
|
|
CVS server - pserver.netfilter.org
|
|
Bugzilla - http://bugzilla.netfilter.org/
|
|
CVSweb - http://cvs.netfilter.org/
|
|
Mailinglist - http://lists.netfilter.org/
|
|
Anybody can contribute, code has to be GPL licensed
|
|
Development discussion at netfilter-devel@lists.netfilter.org
|
|
User questions at netfilter@lists.netfilter.org
|
|
Security relevant issues at coreteam@netfilter.org
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
The netfilter/iptables project
|
|
Areas of current development
|
|
|
|
pkttables (kernel part, pkttnetlink, libpkttnetlink, libpkttables)
|
|
make ULOG and ip_queue l3 independent (and move to nfnetlink)
|
|
optimizing connection tracking SMP performance
|
|
conntrack: support for more protocols (SCTP,...)
|
|
nf-hipac: highly optimized packet matching engine
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
The netfilter/iptables project
|
|
Thanks
|
|
|
|
%size 4
|
|
The slides of this presentation are available at http://www.gnumonks.org/
|
|
Visit the netfilter homepage http://www.netfilter.org/
|
|
Thanks to
|
|
the BBS people, Z-Netz, FIDO, ...
|
|
for heavily increasing my computer usage in 1992
|
|
KNF (http://www.franken.de/)
|
|
for bringing me in touch with the internet as early as 1994
|
|
for providing a playground for technical people
|
|
for telling me about the existence of Linux!
|
|
Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
|
|
for implementing (one of?) the world's best TCP/IP stacks
|
|
Paul 'Rusty' Russell
|
|
for starting the netfilter/iptables project
|
|
for trusting me to maintain it today
|
|
Astaro AG
|
|
for sponsoring most of my current netfilter work
|
|
|