Why iptables (Linux 2.4 Firewalling) Rocks

Jay writes: "There's a story on Linux 2.4's new Stateful firewalling. Rusty and friends have vastly improved Linux capabilities, allowing it to filter against many stealth scans and DoS attacks. Their code rewrite brings powerful "stateful" firewalling that was originally impossible under Linux. The muchly improved packet mangling allows not only better transparent proxies, but load-sharing clusters and stuff. Actually, the coolest thing about the new architecture is that it's designed so anybody can add filtering methods, for stuff like rate limiting and MAC address-based filtering."

Transparent Proxies aren't such a Good Thing

[mnot]

Inserting a proxy when the client doesn't have knowledge isn't something to be proud of; it breaks browsers, violates the end-to-end principle at the IP layer, and brings some serious privacy/data integrity problems to light.

Re:MAC filters

[crow]

This just requires that the person inside your building be a little smarter. MAC addresses can be changed, so all that is required is to wait until a trusted box goes offline, and then just borrow its MAC address.

Of course, this eliminates a good portion of those who would try to hack in. Just don't rely on it to be fool-proof.

I was always tempted to use a laptop running Linux to spoof one of the main campus Unix systems at Dartmouth when it went down for backups, but never did. (I think they had some public systems on the same subnet as the machine room.)

Stateful firewalling.

[fantom_winter]

This sounds like a very interesting idea, but it also makes me wonder about the computational resources a system like this would require, as well as the complexity of the grammar that represents it.

As it stands now (or previously... in ipchains), rules were defined in a way that could be reduced to a regular expression, which as everyone knows are fast and don't require a stack to interpret.

However, as soon as you introduce "state" into a grammar, you require of yourself a stack, which means that additional memory is going to be needed to store these values to aid in parsing the grammar.

This doesn't sound too bad, even though it may slow the process of packet interpretation, but it seems like there still would be a signifigant performance hit on busy servers.

Also, since these rules have state, I wonder if there will be ways send packets that will cause something similar to a stack overflow (infinite recursion) by sending it a quasi-infite series of packets.

(Imaging sending a C++ compiler the following ..

[I can't send what I want, a string of open parens, so this will have to suffice. /. lameness filter]

String= (*

Eventually there will be a stack overflow from all the parens.

Re:Stateful firewalling.

How important the computational time is will depend upon how fast it has to be. If you're firewalling a 1Mbps Internet link, there are many nanoseconds between packets. With 1KB per packet, there are only 100 packets per second at most (1Mbps/1Kbps/10bits-per-byte). Not much computer time is needed for this type of processing.

(anonymous to avoid giving info about my network)

Re:iptables/ipchains syntax

[greebly]

I think I can sum up the one and only advantage (if you can call it that) that iptables has over ipf (aka ipfilter) in one short sentence...

You can run iptables in Linux.

Linux has its uses, don't get me wrong, but I'll take an OpenBSD firewall over any Linux firewall, regardless of which distro, or firewalling software it runs. The TCP stack in the BSDs is much more robust than the Linux stack, and its just plain faster.

Don't belive me? That's fine, but don't go flaming me unless you have actually used both Linux and *BSD firewalls extensively.


9 little greeblys sitting on a plate...

Why it really rocks!

[Ex+Machina]

/usr/local/bin/iptables -A OUTPUT -d 209.242.124.241 -j REJECT It makes reading slashdot so much easier on the eyes. (Don't click!)

Re:MAC filters

[Cato]

The real solution to open ethernet ports is to use authenticated VLANs - require the workstation user to authenticate before being put into a suitable VLAN, and just ignore the MAC address.

Iptables, user-space queueing, and reiserfs

[bobv-pillars-net]

I needed to block a list of thousands of ip addresses at the firewall. Here's how I did it:

First, I read the sample code for how to implement user-space queueing. That's where you pass a packet to a user-space program so it can decide what to do with it. Then I made some trivial changes to that program so that it looks for a file in a certain directory with a name equal to the IP address in the packet header.

If the file exists (i.e. an open() call succeeds), then the packet is denied; otherwise it is allowed. Anytime I want to add a new IP address to the blocking list, I just create a file in that directory. Since I run reiserfs, the test for file existence is as efficient as a hashtable lookup, but much simpler to code.

Not as sophisticated as a commercial firewall program, but not as much overhead, either. (Simplistic) benchmarks show no significant increase in network latency. Works for me!

Re:A Question -- Can it allow Win2k VPN?

[PhilBrut]

You're getting bit by the fact that there's more to MS PPTP than meets the eye - the tunnel itself is actually a GRE tunnel with some funky MS-proprietary encryption, with a control connection at 1723/tcp (or something like that).

It can be done, but a 2.2 kernel needs to be patched to do it. I've not tried it, but the 2.4 kernel should allow you to "port-forward" the tcp connection and the GRE tunnel back to the Win2k system.

Just keep in mind that there's no connection tracking, so it has to be the same Windows system making the VPN each and every time, and one and only one VPN can be going at any one time.

Re:I'm sure iptables is great and wonderful, but..

[Majix]

Try out Firestarter (Disclaimer: I wrote the program, so I'm biased). Supports both ipchains and netfilter, several nics, NAT/Masq, ToS/ICMP filtering etc.

I, just like you, got really tired of editing scripts all day long, the end result is this GNOME program. First the program presents a wizard for quickly setting up a firewall, then you can monitor the firewall hits you get and close/open/stealth ports with just a few clicks. Easy of use was the goal with this program.

Re:I Can Hear It Now

[bugg]

Ok, I am the AC that had the original post WRT this topic that's since been moderated up to 4: Informative (I post regurarly, it gets moderated down, I post AC, it goes up. Who woulda thunk it?) and perhaps I'm being misunderstood.

Yes, it's a good thing. Congratulations Linux folks, I'm sure you did a good job, having stateful firewalls are handy for everyone to have. I don't mean to say the typical "we've had this for X years"

My issue was, and still is, mainly with the slashdot title. Why it rocks. It doesn't generally rock, it just rocks compared to the implementation in Linux 2.2.

Now, if the article had been "Why it's a great improvement over 2.2" that would have been great, and I would have continued on my day. But the fact that the title makes it seem revolutionary, when it's actually quite evolutionary, made me step up to the plate.

What rocks? Stateful firewalling. Does the article discuss Linux's implementation in detail, explaining why it's better than other stateful filters? No. It discusses the old and proven technique of stateful firewalling, and therefore tries to further Linux based on that alone.

Why iptables (Linux 2.4 Firewalling) Sucks

[Penico]

I was eagerly waiting for Linux 2.4 from the day I heard somewhere it would support ipfilter. I run mostly BSD boxes, due to personal preference, while still keeping a few Linux systems up and running. All systems run perfectly well and cause me little grief, if any at all.

However, once again the Linux camp is "doing things their own way" and contributing even more to the separation between different Unix flavors (as well as making those sigs that go something like "Linux - the Unix defragmentation tool" even funnier). Don't get me wrong, iptables seems to have a few cool features that are not present in ipfilter, but just why was ipfilter not used instead ? It is present in a few platforms already (runs on all BSD's, as well as Solaris / SunOS and IRIX), it is tried and tested, and it does most of the stuff iptables does. And it can probably be extended to do everything iptables does as well, with some extra work. But the Linux folks, however talented and bright they undoubtedly are, and however good a kernel they have produced, have just taken a completely silly route this time. Not only have they duplicated effort towards the same (or at least, a very similar) end, they have also created another headache for busy sysadmins who maintain a few different systems. I had high hopes on ipfilter being "officially" supported under Linux (the ipfilter code mentions sketchy support for Linux, which I have admittedly not tested, but from the looks of it it has not been maintained for a long time --- the most recent kernel mentioned in the HISTORY file is 2.0.34, the last reference to Linux appears in 1998), but now I will be forced to get rid of the only Linux box I still maintain as a server (for various reasons, none of which related to the quality of the OS --- that little box has run great for ages, and causes me no grief at all) if I ever need firewalling for it. Yes, I could learn to work with iptables (and I probably will anyway, out of curiosity), but the Linux folks could probably learn to cooperate better with the rest of the world in certain aspects. It really is a shame, because I honestly think Linux is great --- the mindset of some of it's users (and by the looks of it, some developers as well) is however a different matter...

Re:Why iptables (Linux 2.4 Firewalling) Sucks

[stripes]

However, once again the Linux camp is "doing things their own way" and contributing even more to the separation between different Unix flavors (as well as making those sigs that go something like "Linux - the Unix defragmentation tool" even funnier). Don't get me wrong, iptables seems to have a few cool features that are not present in ipfilter, but just why was ipfilter not used instead ?

Being compatable at the cost of better functionality isn't allways a good idea. Would iptable's "cool new features" have fit into the ipfilter framework? Is there some fundomental reason that iptable might be faster, or even just simpler to implment?

I don't even run Linux (three diffrent BSDs, no Linux), but I wouldn't want them to give up useful features just to stay compatable with me any more then I would want FreeBSD to adopt some else's FireWire framework if that framework could never do foo, or was boud to allways suck in some way.

In fact OpenBSD has a framework for Crypto cards. It works great for IPSEC, but poorly for other things (like cryptoFS, or userland crypto apps). If FreeBSD adopted it as is they would get half a dozen working crypto cards, bitchn' fast IPSEC. I think it would also be a giant mistake. I would rather end up with an incompatable framework that is better, then a compatable one that isn't so hot. It would be nice if the new one was very similar and could be "backported" to OpenBSD if they were so inclined...

Sometime the first implmentation isn't such a good idea, so the second should be diffrent. Or the third, or the sixtyith. That is why we run Unix-like OSes rather then TOPS-8086.

Re:Why iptables (Linux 2.4 Firewalling) Sucks

[ion++]

You seem to describe linux NOT using ipfilter, but making their own, iptables, as a bad idea.
It might not neassesarely be a bad idea.
I will write a few analogies, but basicaly my response is
Competition is good
If you buy into that, you dont have to read on, if not, please do.

Why even have Linux in the first place, we have BSD. But wait, there is 3 BSD's, (there was 4), BSDi/FreeBSD, OpenBSD and netBSD??
But BSD is just a further devellopment of earlier *nix systems (i'm not too knowledgeable of the unix history). But Unix was built on Multics, so lets keep that, or better yet, some system before that.

Why do we have xx different OS's ??
One should be enough!
Why do we have xx different webservers ??
One should be enough!
Why do we have xx different GUI's ??
One should be enough!
Why do we have xx (2) different chipmakers ??
One should be enough!
Why do we have xx harddrive makers ??
Why do we have xx monitor makers ??
[high pitched voice getting estatic]
kabinets? keyboards? cola? beer? car?
clothes? tvchannels?
[voice cramming over]
political views ??
[breating normal]
Because, competition is good
It's good having choice, not everyone likes the same, or chooses the same over something else.
Naturaly we can work together, and we should, but that doesnt mean one implementation, one manefacturer, ... is a bad idea. Multiple choices enhances life and survival (imagien living from just one sort of food, and it becomming extingt).

So, be thankfull for being able to choose, and not having the goverment, or some company choose for you. While the first is becomming less and less apparent in the world, the second is becoming more and more widespread.
And the worst part is that people doesnt seem to care :(

ion++

2.4 Linux Kernal too big for LRP!

[npendleton]

stateful firewalls = excellent... But LRP will NOT readily support 2.4 kernal size!
(LRP is the Linux Router Project at http://lrp.c0wz.com/ a kick ass firewall/router/NAT distro that needs a single floppy, 486 or better, 2 nics, and NO harddrive!)

Joshua Jackson, of the impressive www.coyotelinux.com LRP distro,
said "I wish I could move to the 2.4 kernels for Coyote, but not in the floppy version I am afraid. By the time you get all of the necessary options built into the kernel, it is roughly 350kB larger than the 2.2 kernel... in addition, the full iptables and iptroute2 package are quite a bit larger than their 2.2 equivs. The Embedded project is already running on the 2.4.0 final kernel, but it does not run from a floppy."

-Nathaniel
Bummer for the rest of us.

Remasqing Packets

[Srin+Tuar]

I am trying to find out if iptables does remasqing: Masquerading a packet with a destination back inside the masq'd LAN.

I know ipchains doesnt do this, and its been a considerable headache. Some of the things I cannot do are:

• access my port forwarded apache box from its external internet address from within the LAN; I must use its internal LAN address.
• join a battlenet game of starcraft hosted by someone on the same LAN.

I know there is a kernel patch for 2.2 that will introduce this ability, but it breaks the ipchains code's security.

Looking at the way iptables works, I think this should be possible (Port forwarding would be done before routing, and masqing done post-routing), but it is not addressed specifically anywhere that ive seen.

Anybody know?

Disclaimer: Ive asked this question before on K5, but nobody seemed to have a ready answer. Maybe the broader audience

FTP monitoring is BAD!

[bug]

For those of you not familiar with stateful firewalling, it is an incredibly good thing. I've gone from using ipfwadm to using ipchains to finally using ipfilter on BSD. Because of ipf's support of stateful filtering, my firewall rulesets were *much* simpler. Given that many (most?) problems associated with firewalls is the complexity of the configuration, this is a Very Good Thing(tm). After migrating from linux/ipchains to BSD/ipf, I was able to add serious protection for my network, including my high ports (which often run the most vulnerable services, namely RPC services). I haven't used netfilter/iptables, but it looks to be a *huge* step forward for Linux.

All that being said, I have a major problem with this article. It seems to suggest to users that FTP monitoring to handle active FTP clients is a good idea. In fact, this is a *terrible* idea. I got to watch Dug Song et al at BlackHat walk right through a CheckPoint FW1 system like it wasn't even there by exploiting some assumptions that FW1 made when monitoring FTP for the PORT commands. It sounds to me like the netfilter/iptables support for FTP functions in a very similar manner as FW1. If you must support FTP through your firewall, make your users use passive FTP. Every modern FTP client and every modern FTP server that I've seen all support passive FTP. Of course, a better approach is to encourage secure communications, like scp or SSL.

Bottom line, the best firewall design is the simplest one possible that gets the job done. Adding neato features like payload monitoring to poke extra holes in the firewall is diametrically opposite this philosophy.

Also, please remember that a firewall only serves as a method of blocking traffic between network segments. It does not magically secure network traffic from viewing, spoofing, manipulating, or hijacking (you need to use protocols that support strong authentication and strong cryptography to achieve this). It does not secure the applications or systems which you allow traffic to touch (you need to use secure OSes under secure configurations to accomplish this). It does not magically protect your systems against insider threats (you need to have good people working for you, restrictions on outside connectivity, and thorough physical security to accomplish this). Remember, crunchy on the outside and soft and gooey on the inside is great for candy, bad for networks.

Re:FTP monitoring is BAD!

[Admiral+Burrito]

If you must support FTP through your firewall, make your users use passive FTP. Every modern FTP client and every modern FTP server that I've seen all support passive FTP. Of course, a better approach is to encourage secure communications, like scp or SSL.
Bottom line, the best firewall design is the simplest one possible that gets the job done. Adding neato features like payload monitoring to poke extra holes in the firewall is diametrically opposite this philosophy.

Even worse, payload monitoring and encryption (SSL, IPSec) prevent each other from working. If you're using payload monitoring, encrypted packets will be un-monitorable and things like the "port" command will never be seen, thus preventing the connection from being allowed through the firewall. So in cases where payload monitoring is in place it discourages the deployment of crypto. Likewise, when crypto is deployed it discourages stateful filtering, but that seems to be a relatively good thing because proper encryption should be considered more important than filtering hacks IMHO.

Re:You sissy!!!!

[plover]

Yeah, well, we had it tough.

Wood and metal scraps. Paper. What luxury! We had to scratch the O.S. into stone tablets with just our fingernails, using only zeros and ones. And we never had enough ones. Whenever we ran out of ones, we had to make do with just zeros.

And we'd have given anything to have a gerbil. We had to get a group of half-starved cockroaches running in the same direction on an old 45 RPM turntable, and that's not easy, let me tell you. And for blinking lights, we had to rent fireflies, we couldn't afford to actually buy them outright, you know.

You kids today, you don't know how lucky you have it.

John