iptables easy to understand articles/pdf

on 21.12.2006 01:20:05 by Flosse

Hi, I am working on a longish "tutorial" that explains iptables for
pretty much anyone. I have encountered so far only pretty high level
documents that go immediately into the code. My approach is more of a
nothing-to-everything approach, and I have 3 parts already. I am now
writing the last part (IMHO), but I would like to have some input to
see where this guide could be expanded more or made better. This will
be converted into a pdf once the whole is complete for easy offline
reading.
My last document is about different iptables modules and I haven't
published it yet, but the other 3 are online already. Any suggestions,
please email me; I am looking forward to them.
Part 1:
http://blog.2blocksaway.com/2006/10/23/iptables-explained-understanding-and-creating-your-own/
Part 2:
http://blog.2blocksaway.com/2006/11/13/iptables-explained-part-2-or-a-how-for-iptables-to-about-efficient-rule-design/
and Part 3:
http://blog.2blocksaway.com/2006/11/15/iptables-explained-part-3-creating-a-complex-iptables-script/

Thanks already for any constructive criticism.

//Flosse
http://blog.2blocksaway.com

PS: yes, I am posting this in a couple of groups, but not at once.

Re: iptables easy to understand articles/pdf

on 21.12.2006 13:31:48 by Jim Ford

Flosse wrote:
> Hi, I am working on a longish "tutorial" that explains iptables for
> pretty much anyone.

Great - I look forward to reading it!

I use Shorewall in a Leaf router/firewall, and would like to understand
more of the 'nuts and bolts' of iptables.

Jim Ford

Re: iptables easy to understand articles/pdf

on 21.12.2006 20:53:44 by ibuprofin

On 20 Dec 2006, in the Usenet newsgroup comp.security.firewalls, in article
<1166660404.987479.101160@n67g2000cwd.googlegroups.com> and in the Usenet
newsgroup comp.os.linux.security in article
<1166660359.132991.96600@n67g2000cwd.googlegroups.com>, Flosse wrote:

>Hi, I am working on a longish "tutorial" that explains iptables for
>pretty much anyone. I have encountered so far only pretty high level
>documents that go immediately into the code.

Where have you looked? A Linux distribution comes with a bunch of HOWTOs
and mini-howtos aimed at answering a lot of the questions a user may have.
Looking at the current documents (here from sunsite):

-rw-rw-r-- 1 gferg ldp 85507 Aug 20 2001 Firewall-HOWTO
-rw-rw-r-- 1 gferg ldp 271987 Nov 27 14:45 HOWTO-INDEX
-rw-rw-r-- 1 gferg ldp 708351 Nov 14 2005 IP-Masquerade-HOWTO
-rw-rw-r-- 1 gferg ldp 17605 Jul 21 2004 Masquerading-Simple-HOWTO
-rw-rw-r-- 1 gferg ldp 155096 Jan 23 2004 Security-HOWTO
-rw-rw-r-- 1 gferg ldp 278012 Jul 23 2002 Security-Quickstart-HOWTO
-rw-rw-r-- 1 gferg ldp 287057 Jul 23 2002 Security-Quickstart-Redhat-HOWTO

but the more authoritative documents are on Rusty Russell's site at
http://www.iptables.org/documentation/HOWTO/ - the so-called "unofficial"
HOWTOs:

[TXT] NAT-HOWTO.txt 17-Oct-2004 14:34 25K
[TXT] netfilter-double-nat-HOWTO.txt 17-Oct-2004 14:34 9.4K
[TXT] netfilter-extensions-HOWTO.txt 17-Oct-2004 14:34 79K
[TXT] netfilter-hacking-HOWTO.txt 17-Oct-2004 14:35 84K
[TXT] netfilter-mirror-HOWTO.txt 17-Oct-2004 14:33 8.1K
[TXT] networking-concepts-HOWTO.txt 17-Oct-2004 14:34 28K
[TXT] packet-filtering-HOWTO.txt 17-Oct-2004 14:34 52K

Additionally, there are some relevant guides at http://tldp.org/guides.html

* Securing & Optimizing Linux: The Ultimate Solution
* The Linux Cookbook: Tips and Techniques for Everyday Use
* Linux Administrator's Security Guide

>My approach is more from a nothing to everything approach and i have 3
>parts already. I am now writing the last part (IMHO), but I would like
>to have some input to see where this guide could be more expanded or
>made better.

Part 1

you can set in these policies are ACCEPT,DENY and DROP. the difference

The difference (missed capitalization in a number of places besides this.
This also applies to the second and third part.)

between DENY and DROP is that DROP will just disregard the package
whereas DENY will send a TCP package back telling the other machine
that the traffic has been denied.

send a TCP packet

Part 2

std_ports="22,80,443''

Wrong closing quote (several places besides this)

rules and the packet will go through all the rules uuntil the end of

speel chequer not used ;-)

Part 3

Now, the explanation. The AP is WEP capable only and WEP is good but
not good enough for us security people).

WEP is not good enough for anyone. WEP64 and WEP128 can easily be cracked.
WPA is better. WPA-PSK with TKIP is very safe. The usual recommendation is
20 characters or more, consisting of non-dictionary words. WPA encryption
based on a PSK (Pre Shared Key) has been cracked, but only with weak (either
very short or short dictionary words), and not TKIP which changes the
encryption key frequently. (People rant about this subject in the Usenet
newsgroup 'alt.internet.wireless' quite frequently.)

The 3 networks we are using here are :
* 192.168.0.0/24 for our MAIN network on eth
* 192.168.1.0/24 for our WLAN on eth1
* 192.168.2.0/24 for our OpenVPN WLAN network on tun0
* 192.168.3.0/24 for our OpenVPN PUBLIC network on tun1

3??? Oh, you're a Geek, and count from zero. OK ;-)

$IPT -A local -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT

Minor quibble - I'd use 127.0.0.0/8, simply because the system knows
that any address in that range is loopback. Try pinging/connecting to
127.127.127.127 - and your own computer will answer.

========================

Looks good.

>This will be converted into a pdf once the whole is complete for easy
>offline reading.

Think also of leaving it as raw text - the advantage is that you can use
a search feature like 'grep' to find keywords which is impossible with a
pdf.

>PS: yes, I am posting this in a couple of groups, but not at once.

Would be better to cross-post (put all the newsgroups in a comma
separated line) and set a Followup-To: as I have done here than to
individually post. (I also see two copies of the other post to
alt.computer.security and comp.os.linux.networking.)

Old guy
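Added example, not code from the thread or from Flosse's tutorial: a small Python model of how a chain is walked, first match wins and the policy applies otherwise, with the /32 loopback rule quoted from Part 3 beside the 127.0.0.0/8 version suggested above, and the silent-DROP versus answering-reject behaviour the Part 1 quote describes (iptables' name for the answering target is REJECT, and its default reply is ICMP port-unreachable). The Rule and Packet types, the chain contents and the sample addresses are constructed for this example.

```python
# Added example (not from the thread or the tutorial): a tiny model of a
# netfilter chain walked first-match, with the loopback rules discussed above.
# All rules, packets and addresses below are constructed sample data.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str     # source network, as given to iptables -s
    dst: str     # destination network, as given to iptables -d
    target: str  # ACCEPT, DROP or REJECT


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when both addresses fall inside the rule's networks."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))


def apply_target(target: str) -> tuple:
    """What the sender observes for each target.

    DROP is silent (the peer eventually times out); REJECT answers, by
    default with ICMP port-unreachable. What the tutorial calls DENY is
    this answering behaviour, which iptables spells REJECT.
    """
    if target == "ACCEPT":
        return ("ACCEPT", "delivered")
    if target == "DROP":
        return ("DROP", None)
    if target == "REJECT":
        return ("REJECT", "icmp-port-unreachable")
    raise ValueError(f"unknown target {target!r}")


def walk_chain(rules: list, pkt: Packet, policy: str = "DROP") -> tuple:
    """Walk the rules in order; the first match decides, otherwise the policy."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return apply_target(rule.target)
    return apply_target(policy)


# The /32 loopback rule quoted from Part 3, and the /8 rule suggested in the
# reply (constructed chains; each has the chain policy DROP in walk_chain).
LOCAL_NARROW = [Rule("127.0.0.1/32", "127.0.0.1/32", "ACCEPT")]
LOCAL_WIDE = [Rule("127.0.0.0/8", "127.0.0.0/8", "ACCEPT")]


def loopback_verdicts(addr: str) -> dict:
    """Verdict for addr talking to itself under both loopback chains."""
    pkt = Packet(addr, addr)
    return {
        "narrow": walk_chain(LOCAL_NARROW, pkt)[0],
        "wide": walk_chain(LOCAL_WIDE, pkt)[0],
    }


if __name__ == "__main__":
    # 127.0.0.1 passes both chains; 127.127.127.127 (still loopback, as the
    # reply points out) is only accepted by the /8 rule and otherwise falls
    # through to the DROP policy.
    for a in ("127.0.0.1", "127.127.127.127"):
        print(a, loopback_verdicts(a))
    # Order matters: a DROP for the WLAN subnet only takes effect if it
    # precedes the catch-all ACCEPT.
    wlan_drop = Rule("192.168.1.0/24", "0.0.0.0/0", "DROP")
    allow_all = Rule("0.0.0.0/0", "0.0.0.0/0", "ACCEPT")
    p = Packet("192.168.1.7", "192.168.0.10")
    print(walk_chain([wlan_drop, allow_all], p), walk_chain([allow_all, wlan_drop], p))
```

Running the block prints the verdicts for both loopback addresses under both chains and then the same WLAN packet under the two rule orderings, which is the "first match decides" point from Part 2 made visible.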

Re: iptables easy to understand articles/pdf

on 22.12.2006 00:25:30 by Flosse

Hi Moe, excellent, thank you very much for the comments (and
corrections). I will change the quibbles as soon as I get home.
About the raw text, I guess I can leave that as well, yes. My main point
was that there are so many documents that a person would have to
read to get a grasp of iptables, that a single one would be nicer and
easier, imho.

Again thanks for the comments, and anyone who still has something to add
or suggestions, please do so. Anyone who wants something to be added in
the whole, like something they want explained, please let me know.

cheers,

//Flosse
http://blog.2blocksaway.com

Re: iptables easy to understand articles/pdf

on 22.12.2006 20:48:52 by ibuprofin

On 21 Dec 2006, in the Usenet newsgroup comp.os.linux.security, in article
<1166743530.156425.309770@i12g2000cwa.googlegroups.com>, Flosse wrote:

>Hi Moe, excellent, thank you very much for the comments (and
>corrections). I will change the quibbles as soon as I get home.

Please do post an announcement when the rest of the document is available.

>About the raw text, I guess I can leave that as well, yes. My main point
>was that there are so many documents that a person would have to
>read to get a grasp of iptables, that a single one would be nicer and
>easier, imho.

Oh, I agree with that. The reason I was suggesting having the text
version available is the ease in searching for things that the document
may contain. I'm sure you are used to using 'apropos' and 'whatis'
to search for man pages (as one example), but I've also found it very
useful to use grep (or zgrep) to search for keywords within the man
pages.

[compton ~]$ apropos routing | wc -l
2
[compton ~]$ find /usr/share/man/ -mindepth 2 -type f | wc -l
3018
[compton ~]$ zgrep -l routing /usr/share/man/man*/* | wc -l
17
[compton ~]$

That's just one example where being able to access the _words_ in a
document may be useful. Going along with your point, there are 448
different HOWTOs and mini-howtos (totalling 3.8 million words), and
29 of them mention 'iptables'. But what use is that if you can't
_find_ which one?

Old guy