2003/12/12

Netfilter

I've been spending a lot of time hacking up netfilter on linux 2.4 lately. Very cool stuff. I use it to firewall all my machines, including home. I've even managed to slow down the sending rate of my ethernet device to keep from filling the queue on my ADSL modem, maintaining good interactive session speed.

"The 2.2 and above Linux kernels include a completely redesigned network subsystem. This new networking code brings Linux performance and a feature set with little competition in the general OS arena. In fact, the new routing, filtering, and classifying code is more featureful than the one provided by many dedicated routers and firewalls and traffic shaping products."

If you only want to secure a home Linux desktop that offers no services to the network, something as simple as this will do: let in replies to connections the machine opened itself (and traffic related to them, such as ICMP errors), and drop everything else:

#! /bin/sh
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP

Note that this also drops the first packet of any connection the machine makes to itself over the loopback interface; if anything local depends on that, allow traffic on lo ahead of the DROP rule.

But if you run services, add rules for them above those two lines, for example SSH and HTTP:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

There are endless things you can do, all documented in the URLs below.

I also highly recommend adding the following to the end of any iptables script you are developing, especially when you run it over a remote session:

# print your table so you can see what may have just gone wrong...
iptables -nL

echo "hit ctrl-c if it worked, otherwise, just wait..."

sleep 10
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

...to keep yourself from getting locked out. If the rules are wrong and your session dies, the script flushes every rule, deletes any user-defined chains and resets the policies after ten seconds; the -P lines matter because a flush alone leaves a DROP policy in place. If the rules are right, you interrupt the sleep with Ctrl-C and they stay.
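The following script puts the three fragments above together (it is an added example, not code from the original post): a complete stateful INPUT chain that also allows loopback and ping, the service rules, a rate-limited log of what gets dropped, and the automatic rollback. The port list and the ten-second grace period are assumptions. DRY_RUN=1 (the default) prints the iptables commands instead of executing them, so the script can be reviewed without root; run it as root with DRY_RUN=0 to apply the rules.

```shell
#!/bin/sh
# Added example, not from the original post: a stateful INPUT firewall
# built from the fragments above, plus the "revert unless confirmed"
# safety net. Ports and the grace period are illustrative assumptions.
# DRY_RUN=1 (the default) prints the iptables commands instead of
# running them; run as root with DRY_RUN=0 to apply for real.

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}
GRACE=${GRACE:-10}          # seconds before automatic rollback

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Back to a wide-open table: flush, delete user chains, ACCEPT policies.
reset_firewall() {
    run -F
    run -X
    run -P INPUT ACCEPT
    run -P FORWARD ACCEPT
    run -P OUTPUT ACCEPT
}

# Usage: build_input_rules PORT...   (TCP ports to expose)
build_input_rules() {
    reset_firewall                # start clean so re-runs do not duplicate rules
    # Loopback must be allowed explicitly: "ESTABLISHED,RELATED then DROP"
    # alone blocks the first packet of every connection to the box itself.
    run -A INPUT -i lo -j ACCEPT
    # Replies to connections we opened, and related traffic such as
    # ICMP errors for our own packets or FTP data connections.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Keep ping working.
    run -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Exposed services: only the first (NEW) packet needs a rule; the
    # state rule above handles the rest of each connection.
    for port in "$@"; do
        run -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Log what is about to be dropped (rate limited), then drop it.
    run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
    run -A INPUT -j DROP
}

# Apply, show the result, then revert unless the operator hits Ctrl-C
# within $GRACE seconds, so a bad rule cannot lock you out of a remote box.
main() {
    build_input_rules 22 80
    run -nL
    if [ "$DRY_RUN" = 1 ]; then
        return 0
    fi
    keep=""
    trap 'keep=1' INT
    echo "Hit Ctrl-C within $GRACE seconds to keep this ruleset, otherwise it is reverted..."
    sleep "$GRACE"
    if [ -z "$keep" ]; then
        reset_firewall
        echo "reverted"
    else
        trap - INT
        echo "kept"
    fi
}

main "$@"
```

The rollback relies on the same trick as the original snippet: Ctrl-C kills the sleep, the INT trap records that the operator is still there, and the script falls through without flushing. If the session is gone, nobody interrupts the sleep and the table is reset.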

Having trouble figuring out where all the packets are disappearing to? Check out the command below.

For those who wonder how to improve interactive performance on a DSL line or cable modem, try this command:

# tc qdisc add dev eth1 root tbf rate ${RATE}kbit latency 50ms burst 1540

where $RATE is a few percent below your DSL or cable upstream bandwidth. Shaping slightly below the link speed means the queue builds up in the kernel, where the token bucket filter controls it, instead of in the modem, where nothing does; the burst must be at least one MTU (1500 bytes on ethernet) or full-size frames can never be sent. To use this, you will probably need to load the tbf kernel module, either with modprobe sch_tbf or directly from its 2.4 location:

# insmod /lib/modules/2.4.x/kernel/net/sched/sch_tbf.o
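As an added example (not from the original post), the same tbf setup as a small script that derives the rate from the modem's upstream figure, replaces any root qdisc that is already installed, and shows the qdisc counters afterwards. The interface name eth1 and the 256 kbit upstream are placeholders. DRY_RUN=1 (the default) prints the tc commands instead of executing them; run as root with DRY_RUN=0 to apply.

```shell
#!/bin/sh
# Added example, not from the original post: install a tbf qdisc shaped to
# a percentage of the upstream link speed. eth1 and 256 kbit are placeholders.
# DRY_RUN=1 (the default) prints instead of executing; use DRY_RUN=0 as root.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# shaped_rate UPSTREAM_KBIT PERCENT -> prints the rate to shape to, in kbit.
# Shaping below the link speed keeps the queue in the kernel (under tbf's
# latency bound) rather than in the modem's buffer.
shaped_rate() {
    echo $(( $1 * $2 / 100 ))
}

# shape_upstream DEV UPSTREAM_KBIT [PERCENT] [BURST_BYTES]
shape_upstream() {
    dev=$1; up=$2; pct=${3:-90}; burst=${4:-1540}
    rate=$(shaped_rate "$up" "$pct")
    # tbf needs a bucket at least one MTU deep, or full-size frames never go out.
    if [ "$burst" -lt 1500 ]; then
        echo "burst $burst is smaller than a 1500-byte MTU" >&2
        return 1
    fi
    # Load the scheduler module by name (the insmod path above is the 2.4 layout).
    run modprobe sch_tbf
    # Replace a previous root qdisc; ignore the error when there is none.
    run tc qdisc del dev "$dev" root 2>/dev/null || true
    run tc qdisc add dev "$dev" root tbf rate "${rate}kbit" latency 50ms burst "$burst"
    # A growing "dropped" counter here means the latency bound is being hit.
    run tc -s qdisc show dev "$dev"
}

shape_upstream eth1 256 90
```

Start with about 90 percent of the advertised upstream rate and adjust: too high and the modem queue fills again, too low and you give away bandwidth for nothing.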

IPTables Tutorial
The Journey of a Packet
Bandwidth Limiting
Traffic Shaping

And one of the best visual aids I've found is this diagram of the way incoming packets traverse the chains and filters.


