[sheflug] A bit about iptables Re: Help with broadband

[Lesley Binks <lesley.binks [at] xxxxxxxxx>]

David Willington wrote:
<snip>
>>> Your router will be doing a lot of firewalling for you, but you might 
>>> want to look at learning iptables so that you can set up your own 
>>> firewall, or products like SmoothWall ( http://smoothwall.org/ ) for 
>>> an idea of what's available doing the same thing with a GUI attached.
>> I thought I set up iptables when I installed fedora core 2???  It 
>> appeared to be quite easy.  Just answered some questions about what I 
>> would be doing with my machine.
> You quite probably did enable iptables. I think Lesley's talking about
>  configuring them beyond the default configuration. They provide a much
>  finer control over the traffic to and from your machine than the
>   router does, but (from my experience of them) you do need to have a
>  reasonable understanding of the details of how networks handle the
>  traffic on them.

Well, yes you can get under the hood of iptables and it can be useful to 
do so, especially if you want to divert from the standard settings.  I 
have no clue about Fedora's default settings, but the default config I 
use for my SuSE machine means that I have to alter it to allow 
communication between machines on my LAN.

It does mean a little work understanding the different protocols that 
you'll see, things like TCP, UDP and ICMP, but about the most difficult 
of that is understanding that TCP is a handshake protocol so you can 
determine directions of TCP/IP connections at start of connection.  This 
is called stateful packet filtering.

The next part of it is to understand how a packet passes through the 
system i.e.  how that request for a web page gets broken down into 
TCP/IP packets and what paths packets may take.  This helps understand 
why the different mangle, nat and filter tables exist.  Ethereal is a 
useful tool for looking at what's on your network card.

The netfilter howto is a good place to start with iptables, as is the 
book Linux Firewalls.  Neither are an easy read and took me a few goes 
of reading them and then reading around them.  I think I really started 
getting the hang of them in SuSE 8.2 i.e. it took me a whole version 
life of 7.3 to muck things up a bit before I started getting proper 
sense out of it all in 8.2.  My edition of Linux Firewalls uses the 
previous ipchains but the principles still apply.   Iptables and 
previously ipchains on Linux and pf on BSD systems are all packet filters.

All they do is filter packets.  pf works slightly differently to 
iptables but with iptables you can specify a default policy for the 
table and anything that does not match a rule on that table has the 
default policy applied to it - typically that it's dropped.  This way 
you operate a whitelist of what packets come in and what go out and where.

Detecting the application using the connection requires a kernel patch.

Regards

L.

___________________________________________________________________

Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html

  GNU the choice of a complete generation.