Mastering IPTables: Security chief David Coulson shows you how (Linux Format LXF14, page 82)

LXF14, May 2001. Tutorial: Professional IPTables. Internet Security.

When Linux 2.4 was released, most people focused on what it would do to help the average Linux user and talked about the USB support, FireWire, PCMCIA and DRI. While these are great additions to the kernel for the majority of people, one of the major improvements over 2.2 was often overlooked, even though it applies almost as much to Joe (and of course Jane) User as it does to a hardened network engineer. This is, of course, the inclusion of the ‘netfilter’ system into the kernel, which provides packet filtering and other more advanced IP features. Along with ‘netfilter’ comes ‘iptables’, which is the 2.4 equivalent of ipchains and provides a user-space interface to the filtering, Network Address Translation (NAT) and mangling modules.

We’re going to look at building 2.4 with support for netfilter and iptables, then building a production-level router out of it. For those of you who have just one machine and use it to connect to the Internet, many of the same rules apply. The Internet is one giant, generally unrestricted network which any reasonable person would have reservations about putting any sort of machine on, never mind their own Linux system.

Netfilter or iptables?

Often when referring to the firewalling code in 2.4, it will blindly be referred to as ‘netfilter’ or ‘iptables’, without any justification for using the specific name and, given that the two are very different, it’s worth understanding exactly what each of them does and how we should view the organisation of the firewalling code in the kernel.

Netfilter is the system compiled into the kernel which provides hooks into the IP stack; loadable modules (iptables is one) use these hooks to perform operations on packets. As netfilter uses modules for the filtering, you can use an ipchains module to provide exactly the same capabilities as the kernel-level ipchains code in 2.2, or even the module for ipfwadm from 2.0. Netfilter is there all of the time, as long as it is compiled in, whether or not you are using any firewalling modules at all.

IPTables is split into two parts: the user-space tools and the kernel-space modules. The kernel-space modules are distributed with the main kernel, and you compile them as you would any other module, be it sound drivers, a filesystem or USB support. There is the main ip_tables module, as well as modules specifically for NAT, logging, connection tracking and so on. These modules perform the appropriate function on the packets which netfilter sends them, depending on the rules in their rule-list, or chain. The user-space iptables code comes in the form of a binary called ‘iptables’, which is distributed separately from the main kernel tree and is used to add, remove or edit rules for the modules. This is comparable to the ipchains binary in 2.2. Often, when referring to iptables, it is assumed to mean the iptables
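The split described above (the user-space ‘iptables’ binary writing rules into chains that the kernel-side filter, NAT, connection-tracking and logging modules then enforce) is easiest to see in a complete ruleset. The following POSIX shell script is an added example, not code from the article or from the netfilter project: a default-deny ruleset for the single machine or small router the text has in mind. The interface names (eth0 facing the Internet, eth1 facing the LAN) and the LAN range 192.168.1.0/24 are assumptions for the example. By default the script only prints the iptables commands it would run, so the rules can be reviewed and counted without root or a netfilter kernel; passing --apply as root sends them to the kernel modules.

```shell
#!/bin/sh
# Added example (not from the article): a minimal stateful ruleset for a
# Linux 2.4 box that is either a single Internet-connected host or a LAN router.
# Interface names and the LAN range below are assumptions for this example.
EXT_IF="${EXT_IF:-eth0}"               # assumed: interface facing the Internet
INT_IF="${INT_IF:-eth1}"               # assumed: interface facing the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed: private LAN range

# Until --apply is given, every rule is printed instead of being handed to the
# kernel, so the ruleset can be reviewed offline and without root.
IPT="echo iptables"

# Filter table: drop by default, accept only what is explicitly allowed.
filter_rules() {
    # Chain policies: anything no rule accepts is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback traffic is always trusted.
    $IPT -A INPUT -i lo -j ACCEPT

    # Connection-tracking module: let replies to flows we started back in.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: a LAN source address must never arrive on the external side.
    $IPT -A INPUT -i "$EXT_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$EXT_IF" -s "$LAN_NET" -j DROP

    # Admin access (ssh) only from the LAN; LAN hosts may open new outbound flows.
    $IPT -A INPUT -i "$INT_IF" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # Logging module: record what falls through to the DROP policy, rate-limited
    # so a flood cannot fill the logs.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "IPT-FWD-DROP: "
}

# NAT table: masquerade LAN traffic leaving through the external interface.
nat_rules() {
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

# Flush the existing filter and NAT chains, then load the full ruleset.
build_ruleset() {
    $IPT -F
    $IPT -t nat -F
    filter_rules
    nat_rules
}

# Number of iptables invocations the ruleset produces; a quick sanity check
# to run before applying (a changed count means a rule was added or lost).
rule_count() {
    build_ruleset | wc -l | tr -d ' '
}

if [ "${1:-}" = "--apply" ]; then
    IPT="iptables"                              # talk to the kernel for real (needs root)
    build_ruleset
    echo 1 > /proc/sys/net/ipv4/ip_forward      # only needed when this box routes for a LAN
fi
```

Run it without arguments to see the fifteen commands it would issue; the ESTABLISHED,RELATED rules are what make the default-deny policy usable, since without the connection-tracking module every reply to outbound traffic would be dropped.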
