The stateful inspection features are especially powerful. Stateful inspection provides the ability to track and control the flow of communication passing through the filter. Keeping track of state and context information about a session makes rules simpler and lets the filter interpret higher-level protocols.
Additionally, small modules can be developed to perform additional specific functions, such as passing packets to programs in userspace for processing and then reinjecting them back into the normal packet flow. The ability to develop these programs in userspace reduces the level of complexity that was previously associated with having to make changes directly at the kernel level.
For example, a firewall policy (typically called "rules") may be defined to permit incoming http access to a particular host, but deny access from other hosts. The packet simply traverses the list of rules until it matches a pattern, one that either permits it or rejects it.
The advantages of packet filtering are that it is fast, flexible, and inexpensive. A 486 with 16 megabytes of RAM and two Ethernet cards can be converted into a packet filtering firewall that can protect a large number of hosts behind it. Packet filters also typically provide a good deal of logging information, which can be crucial to tracking a potential intruder.
The advantage of packet filtering is also one of its disadvantages. The packet filter does nothing to analyze the contents of the packet to determine if there is any malicious content within it. It simply routes based on a predefined set of rules. Another disadvantage is that it operates based on the information contained in the packet header, and can make no decisions based on the user accessing the remote resource. There is no built-in authorization mechanism.
The final disadvantage is that while it's flexible, it's also difficult to maintain. Often, on networks with many hosts to protect, the set of rules becomes unwieldy and difficult to manage. An intimate knowledge of the underlying IP protocols is required for the firewall to be effective. A misunderstanding of how one of the protocols works, or even an inadvertent configuration change, can lead to undesired consequences. This is obviously an issue with any security system, but a misconfiguration could easily go unnoticed.
As mentioned in the initial sentence, packet filtering is a component of a firewall system. For a more robust solution, combine packet filtering with an application level gateway program such as squid.
The packet filtering in 2.2 kernels provided the ability to limit spoofed packets from entering the network. Packets originating on the internal network should not appear to be entering the external firewall interface. The 2.4 kernel expands on this support by providing an 'unclean' extension that checks for such suspicious packets, as well as other types of malformed or non-standard packets, and sends them to the bit bucket.
In previous versions of the packet filtering code, it was only possible to determine whether the SYN flag was set, indicating whether the packet belonged to an established connection or was the beginning of a new connection.
The new packet filtering code allows you to filter on specific flags, not just the SYN flag. This permits a much greater level of control over the packets that can enter or leave your network. For example, to examine all six TCP flags, checking specifically for the SYN and ACK flags to be set:
# iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j DROP
Additionally, it is also possible to filter on MAC address. This is used for matching an incoming packet's source Ethernet (MAC) address.
The ability to match TCP or UDP packets based on a series of source or destination ports is also now available. Previously, a rule could only match a single range of ports. This might be used to set up a filter to block telnet, ftp, and finger, for example:
# ftp (21), telnet (23) and finger (79) in one rule via the multiport match
# iptables -A INPUT -p tcp -m multiport --dports 21,23,79 -j DROP
Finally, return packets no longer appear to be destined for the server itself on input filtering, nor appear to come from the server itself on output filtering.
# iptables -t nat -A PREROUTING -s 192.168.1.0/24 -d 192.168.1.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100
The iptables extended packet matching modules supply additional capabilities in the form of shared library add-ons and small kernel modules that provide additional functionality.
This connection tracking mechanism provides the ability to associate all the packets of a particular connection with each other. Stateful inspection attempts to interpret higher level protocols such as NFS, http and ftp. The behavior of the firewall changes based on the information contained in the packet. If the packet contains information in the header that indicates it is part of an existing connection, and it matches a rule that states it's a permissible service, then it is permitted to pass through the firewall.
Previous implementations had no way of knowing if a particular connection to one of those ports was associated with a legitimate connection or was an arbitrary connection, as would be the case with a port scan or malicious hack attempt.
This greatly increases the overall security of the hosts behind it and is a component of nearly every major commercial firewall implementation.
At the same time, it also greatly reduces the window of opportunity for blackhats to attempt to pass malicious packets through the firewall, despite the source and destination ports and addresses being known. Only packets that are recognised as being part of an established connection are allowed to pass, instead of depending only on destination address and port as before. This also helps to thwart an attacker's attempt at using packets with modified headers that would previously have subverted a stateless packet filtering firewall.
Rules can now be created to base their decision on the connection-tracking state of the packet, for example:
# iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
While stateful inspection provides much better performance than an application gateway such as squid, and also increases the level of protection over a simple packet filter, it can be deceptively difficult to set up and maintain. It may also require more memory to store the state information than a standard packet filter. Also, unlike application gateways such as squid, a direct connection is still made with the internal hosts being protected, exposing them to the exploitable weaknesses present on those hosts.
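The anti-spoofing, TCP flag, multiport and connection-tracking matches discussed above, combined into one loadable ruleset as an added example that is not from the original article. The interface and network names (EXT_IF, INT_NET) and the services opened are assumptions; run it as "sh fw.sh apply" as root to load the rules, otherwise it only prints the commands it would run.

```shell
#!/bin/sh
# Stateful packet filter for a 2.4-era iptables host (added example, not from the
# article). "sh fw.sh apply" loads the rules as root; any other invocation prints
# the iptables commands instead. EXT_IF and INT_NET are assumed names.
EXT_IF="${EXT_IF:-eth0}"
INT_NET="${INT_NET:-192.168.1.0/24}"
[ "${1:-}" = apply ] && IPT=iptables || IPT="echo iptables"

fw_rules() {
    # Start from a known state: flush, then default to DROP on inbound chains.
    $IPT -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    # Anti-spoofing: a packet claiming an internal source address must never
    # arrive on the external interface.
    $IPT -A INPUT -i "$EXT_IF" -s "$INT_NET" -j DROP
    $IPT -A FORWARD -i "$EXT_IF" -s "$INT_NET" -j DROP

    # TCP flag sanity: NULL, XMAS and SYN+FIN combinations are never legitimate,
    # and a packet opening a new connection must be a bare SYN.
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Connection tracking: replies and related flows (e.g. ftp-data) pass;
    # packets the tracker cannot classify are logged and dropped.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j LOG --log-prefix "fw-invalid: "
    $IPT -A INPUT -m state --state INVALID -j DROP

    # New connections: one multiport rule logs and refuses telnet, ftp and
    # finger; only ssh and http are then opened from the outside.
    $IPT -A INPUT -p tcp -m multiport --dports 21,23,79 -j LOG --log-prefix "fw-legacy: "
    $IPT -A INPUT -p tcp -m multiport --dports 21,23,79 -j DROP
    $IPT -A INPUT -i "$EXT_IF" -p tcp -m multiport --dports 22,80 \
        -m state --state NEW -j ACCEPT
    # LAN hosts may open new connections outward through the firewall.
    $IPT -A FORWARD ! -i "$EXT_IF" -s "$INT_NET" -m state --state NEW -j ACCEPT
}

fw_rules
```

The order matters: the INVALID and flag checks sit before the ESTABLISHED,RELATED accept so that a crafted packet cannot ride an existing connection past them.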
The 2.4 kernel packet filtering now supports one-to-one and even many-to-many IP address and port translation. In the simplest case, an internal address may be translated into one that is valid on the Internet. Previously, this may have been done using IP masquerading:
# ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0/0
While the masquerading support is still functionally equivalent to its predecessors, additional forms of address translation are now available. The new packet mangling code provides additional forms of translation, including the ability to translate the source or destination addresses of a packet, the ports associated with the connection, port forwarding and transparent proxying. Suddenly, with the addition of this improved NAT, load-balancing, fault-tolerance and even high-availability become obtainable. Specifically, the following new NAT options are available:
So, to develop a simple and inexpensive load balancing scheme, you might use the following to have your firewall redirect some of the incoming web requests to each of the web servers at 192.168.1.100, 192.168.1.101 and 192.168.1.102, as follows:
# Modify destination addresses to 192.168.1.100,
# 192.168.1.101, or 192.168.1.102
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT \
    --to-destination 192.168.1.100-192.168.1.102
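The NAT forms named above (source NAT in place of masquerading, port forwarding spread over the three web servers, and transparent proxying) in one ruleset, as an added example that is not from the article. The public address, interface names and squid port are assumptions; it also shows the FORWARD rules that the translation alone does not provide.

```shell
#!/bin/sh
# NAT rules for the translations described above (added example, not from the
# article). "sh nat.sh apply" loads them as root; otherwise the commands are
# printed. EXT_IF, EXT_IP, the LAN and the proxy port are assumed values.
EXT_IF="${EXT_IF:-eth0}"
EXT_IP="${EXT_IP:-203.0.113.10}"
INT_NET="${INT_NET:-192.168.1.0/24}"
WEB_POOL="192.168.1.100-192.168.1.102"
[ "${1:-}" = apply ] && IPT=iptables || IPT="echo iptables"

nat_rules() {
    $IPT -t nat -F
    # Forwarding must be enabled in the kernel for any of this to take effect.
    [ "$IPT" = iptables ] && echo 1 > /proc/sys/net/ipv4/ip_forward
    # Many-to-one: the LAN leaves through the firewall's public address. SNAT
    # replaces ipchains MASQ for a static address; MASQUERADE is for dynamic ones.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j SNAT --to-source "$EXT_IP"
    # Port forwarding with load balancing: inbound http to the public address is
    # rewritten before routing and spread across the pool. DNAT is only valid in
    # PREROUTING (and OUTPUT), never in POSTROUTING.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_POOL"
    # Transparent proxying: LAN web requests are diverted to a local squid.
    $IPT -t nat -A PREROUTING -s "$INT_NET" -p tcp --dport 80 -j REDIRECT --to-ports 3128
    # Translation only rewrites headers; the filter table still has to admit the
    # flow, and it sees the post-DNAT destination, not the public address.
    $IPT -A FORWARD -i "$EXT_IF" -d "$INT_NET" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

nat_rules
```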
Other modules exist to do application-specific address translation, and extensive documentation exists on how to write them.
© Guardian Digital, Inc., 2000