[sheflug] A bit about iptables Re: Help with broadband
David Willington wrote:
<snip>
>>> Your router will be doing a lot of firewalling for you, but you might
>>> want to look at learning iptables so that you can set up your own
>>> firewall, or products like SmoothWall ( http://smoothwall.org/ ) for
>>> an idea of what's available doing the same thing with a GUI attached.
>> I thought I set up iptables when I installed fedora core 2??? It
>> appeared to be quite easy. Just answered some questions about what I
>> would be doing with my machine.
> You quite probably did enable iptables. I think Lesley's talking about
> configuring them beyond the default configuration. They provide a much
> finer control over the traffic to and from your machine than the
> router does, but (from my experience of them) you do need to have a
> reasonable understanding of the details of how networks handle the
> traffic on them.
Well, yes, you can get under the hood of iptables, and it can be useful to
do so, especially if you want to divert from the standard settings. I
have no clue about Fedora's default settings, but the default config I
use for my SuSE machine means that I have to alter it to allow
communication between machines on my LAN.
It does mean a little work understanding the different protocols that
you'll see, things like TCP, UDP and ICMP, but about the most difficult
part of that is understanding that TCP is a handshake protocol, so you can
determine the direction of a TCP/IP connection at the start of the
connection. This is called stateful packet filtering.
The next part of it is to understand how a packet passes through the
system, i.e. how that request for a web page gets broken down into
TCP/IP packets and what paths packets may take. This helps you understand
why the different mangle, nat and filter tables exist. Ethereal is a
useful tool for looking at what's on your network card.
The netfilter howto is a good place to start with iptables, as is the
book Linux Firewalls. Neither is an easy read, and it took me a few goes
of reading them and then reading around them. I think I really started
getting the hang of them in SuSE 8.2, i.e. it took me the whole version
life of 7.3 to muck things up a bit before I started getting proper
sense out of it all in 8.2. My edition of Linux Firewalls uses the
previous ipchains, but the principles still apply. Iptables (and
previously ipchains) on Linux and pf on BSD systems are all packet filters.
All they do is filter packets. pf works slightly differently to
iptables, but with iptables you can specify a default policy for the
table, and anything that does not match a rule on that table has the
default policy applied to it - typically that it's dropped. This way
you operate a whitelist of what packets come in, what go out, and where.
Detecting the application using the connection requires a kernel patch.
Regards
L.
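As an added example (not part of L.'s post or any distribution's default config), here is the whitelist style of rule set described above, emitted as an iptables-restore file by a shell function: default policy DROP on INPUT, stateful acceptance of replies to connections this host opened, and new connections accepted only from the LAN. The LAN range 192.168.1.0/24 is an assumption; substitute your own.

```shell
#!/bin/sh
# Added example: build an iptables-restore rule set for a single host.
# The argument is the LAN range (an assumption, not from the post).
# INPUT defaults to DROP, so the -A lines below form a whitelist; the
# "state" match does the stateful part: replies to connections we
# started are accepted, unsolicited inbound packets fall to the policy.
build_rules() {
    lan_cidr="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is always allowed
-A INPUT -i lo -j ACCEPT
# stateful: packets belonging to a connection this host opened, or
# related to one (e.g. ICMP errors for it)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets that claim to be part of a connection we have never seen
-A INPUT -m state --state INVALID -j DROP
# new TCP connections from the LAN only, and only if they begin with a
# proper SYN, i.e. the first step of the TCP handshake
-A INPUT -s $lan_cidr -p tcp --syn -m state --state NEW -j ACCEPT
# UDP has no handshake, so "NEW" just means the first packet seen
-A INPUT -s $lan_cidr -p udp -m state --state NEW -j ACCEPT
# let LAN machines ping us
-A INPUT -s $lan_cidr -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Number of rules (-A lines) the set would insert; handy for a sanity check.
count_rules() {
    build_rules "$1" | grep -c '^-A'
}

# Review the output first; apply as root with:
#   build_rules 192.168.1.0/24 | iptables-restore
build_rules 192.168.1.0/24
```

Anything not matched by an -A line, such as a new inbound connection from outside the LAN, is handled by the chain's DROP policy, which is the whitelist behaviour the post describes.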
___________________________________________________________________
Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html
GNU the choice of a complete generation.