Iptables Tutorial 1.2.2


Iptables Tutorial 1.2.2
by Oskar Andreasson ([email protected])

Copyright © 2001-2006 Oskar Andreasson

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1; with the Invariant Sections being "Introduction" and all sub-sections, with the Front-Cover Texts being "Original Author: Oskar Andreasson", and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

All scripts in this tutorial are covered by the GNU General Public License. The scripts are free source; you can redistribute them and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation, version 2 of the License.

These scripts are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License within this tutorial, under the section entitled "GNU General Public License"; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Dedications

I would like to dedicate this document to my wonderful sister, niece and brother-in-law for giving me inspiration and feedback. They are a source of joy and a ray of light when I have need of it. Thank you!

A special word should also be extended to Ninel for always encouraging my writing and for taking care of me when I needed it the most. Thank you!

Second of all, I would like to dedicate this work to all of the incredibly hard working Linux developers and maintainers. It is people like those who make this wonderful operating system possible.
Table of Contents

About the author  xiv
How to read  xvi
Prerequisites  xviii
Conventions used in this document  xix

1. Introduction  1
  Why this document was written  1
  How it was written  1
  Terms used in this document  2
  What's next?  4

2. TCP/IP repetition  5
  TCP/IP Layers  5
  IP characteristics  9
  IP headers  12
  TCP characteristics  17
  TCP headers  18
  UDP characteristics  21
  UDP headers  22
  ICMP characteristics  23
  ICMP headers  24
    ICMP Echo Request/Reply  25
    ICMP Destination Unreachable  26
    Source Quench  28
    Redirect  29
    TTL equals 0  30
    Parameter problem  31
    Timestamp request/reply  31
    Information request/reply  32
  SCTP Characteristics  33
    Initialization and association  35
    Data sending and control session  35
    Shutdown and abort  35
  SCTP Headers  36
    SCTP Generic header format  36
    SCTP Common and generic headers  37
    SCTP ABORT chunk  40
    SCTP COOKIE ACK chunk  41
    SCTP COOKIE ECHO chunk  41
    SCTP DATA chunk  42
    SCTP ERROR chunk  44
    SCTP HEARTBEAT chunk  45
    SCTP HEARTBEAT ACK chunk  46
    SCTP INIT chunk  46
    SCTP INIT ACK chunk  50
    SCTP SACK chunk  52
    SCTP SHUTDOWN chunk  55
    SCTP SHUTDOWN ACK chunk  56
    SCTP SHUTDOWN COMPLETE chunk  56
  TCP/IP destination driven routing  57
  What's next?  58

3. IP filtering introduction  59
  What is an IP filter  59
  IP filtering terms and expressions  61
  How to plan an IP filter  64
  What's next?  68

4. Network Address Translation Introduction  69
  What NAT is used for and basic terms and expressions  69
  Caveats using NAT  71
  Example NAT machine in theory  72
    What is needed to build a NAT machine  72
    Placement of NAT machines  74
    How to place proxies  74
    The final stage of our NAT machine  75
  What's next?  77

5. Preparations  79
  Where to get iptables  79
  Kernel setup  79
  User-land setup  84
    Compiling the user-land applications  85
    Installation on Red Hat 7.1  87
  What's next?  90

6. Traversing of tables and chains  92
  General  92
  Mangle table  99
  Nat table  101
  Raw table  102
  Filter table  102
  User specified chains  103
  What's next?  105

7. The state machine  106
  Introduction  106
  The conntrack entries  107
  User-land states  109
  TCP connections  112
  UDP connections  117
  ICMP connections  119
  Default connections  123
  Untracked connections and the raw table  124
  Complex protocols and connection tracking  125
  What's next?