Fcsi601 Linux Firewall Nat
03/06/2003 (64 pages)

Firewalls and Linux

Upload: narayannpp
Post on 10-May-2015

Description: firewall tutorial in linux



What is a Firewall?

• A set of programs residing on a "gateway server" that protect the resources of an internal network

• A network device or a host that connects 2 or more networks

• A device able to monitor each packet to determine whether to forward it toward its destination

• A device able to evaluate packets with the objective of controlling, modifying and filtering network traffic


Firewall types

With Netfilter it is possible to use a "Linux box" as a firewall based on IPTABLES.

Hardware: Cisco Pix

Software: Tiny Personal Firewall, Norton Personal Firewall...


Example: What do you need to build a Linux Firewall?

• 1 PC (Pentium II 300, 64MB RAM, 1GB HD) with enough network interfaces to manage your topology

• A Linux distribution with Iptables (like RedHat 7.3, 8.0 or 9.0, Mandrake 9.1)

or

• Smoothwall distribution (http://www.smoothwall.org), which requires a Pentium 100 with 16Mb RAM and a 512Mb hard disk


Case Study: I want to share my Dialup/ADSL connection with my lab. (I)


Case Study: I want to share my Dialup/ADSL connection with my lab. (II)


Simple network configuration with MASQUERADING (I)

• Public IP addresses are not infinite. Masquerading allows using only one public IP address (even if dynamically assigned) to connect many hosts using private addresses

• It is very useful with all kinds of Internet connections. The gateway "masquerades" the internal private addresses, using its own IP address as source IP address for packets going outside the private network


Public and Private IP Addresses

• Some IP addresses (like 192.168.0.0/16, 10.0.0.0/8 and their subnetworks) are "declared" private (by IANA) and cannot be used to send packets to the Internet

• They make it possible to use the same IP addresses in different local networks, and allow (with masquerading) more than 2^32-1 hosts to be connected to the Internet with IPv4 addresses.


Simple network configuration with MASQUERADING (II)

• Host1 with IP 192.168.0.10 tries to open the web page http://217.58.102.76

• Gateway G1 receives from Host1 (source 192.168.0.10) a packet with destination 217.58.102.76 port 80

• G1 replaces the source address 192.168.0.10 with its own public IP (ex: 213.110.140.18) and forwards the packet to the Internet using 33120 as source port

• G1 receives the reply from 217.58.102.76, addressed to 213.110.140.18 port 33120. G1 knows that a packet arriving on port 33120 has Host1 as its real destination

• G1 changes the destination IP address from 213.110.140.18 to 192.168.0.10 and forwards the packet to the Trusted private network

• Host1 is now able to send packets to, and receive packets from, external servers


MASQUERADING

• Connections from trusted networks to other hosts on the Internet can be established only by hosts in our LAN

• An external host cannot send a packet directly to a host inside our Trusted network (because they have no public addresses)

• We lose the possibility of having a server reachable from the whole Internet inside our network


Why we need to publish services?

• We need another network, reachable from the Internet, to publish our services

• Manage a domain with DNS
– DNS requests from other networks must reach the internal DNSs (port 53)

• Allow remote clients to upload/download from an ftp (or sftp) server
– Set up an ftp server to share files with clients outside your local private network (port 21)

• Publish a Website
– Allow all Internet users to visit your Institute or company website (port 80)

• Manage hosts remotely
– Activate ssh (port 22) to allow remote administration


Firewall: Common topology for small networks

• Trusted network(s): include end-user workstations

• DMZ network(s): include servers giving services to the Internet

• Internet connection(s): Internet Service Provider (ISP) connection


Trusted Network

• Connects end-user hosts

• Every host has a private IP address (like 192.168.0.0/16 and subnets)

• Every host can send packets to the Internet but cannot receive packets not related to previously established connections

• Many Trusted networks can be created behind the same firewall


Demilitarized (DMZ) Network

• Hosts offering services (these kinds of hosts are usually called servers) to external networks are inside the DMZ network

• Servers inside the DMZ have private IP addresses (ex: 10.0.0.0/8 and subnetworks)

• The firewall uses NAT/PAT to allow external networks to use internal services


Internet connection

• Allows one or more LANs to connect to the Internet

• A Linux box used as firewall is also the gateway interconnecting:
– Trusted networks with the Internet
– DMZ networks with the Internet
– Trusted networks with DMZ networks, if needed


Netfilter and Iptables

With kernel 2.4 you can run Netfilter. This allows us to set up, maintain and analyze packet filtering rules. It is an evolution of the previous tools, ipchains and ipfwadm. Netfilter supports:

– Standard packet filtering
– Stateful inspection
– Masquerading
– Complete address translation (NAT/PAT)
– Load balancing
– Traffic shaping
– User-level module creation


Standard packet filtering

• With the previous solutions (ipchains and ipfwadm) packet filtering was stateless. Each packet was forwarded or dropped depending only on source and destination addresses and source and destination ports.

• This approach does not allow some protocols to traverse the firewall without all ports >1024 open.


An example: Ports >1024! (I)

Objective: allow a network application (based on sockets) to be accessible by hosts outside your local LAN:

– The software is made of a main process that receives connection requests on port 999.

– The main process then creates a new process for each new connection. The new processes wait for client data on ports from 40001 to 41000.

– The main process sends a reply to the client (in the payload of a UDP packet) with the port to use to connect to the dedicated process

– The client receives the packet, reads the port (ex: 40001) and sends the next packet to port 40001 of the same server

– A stateless firewall REJECTs the packet because ports >1024 are closed

• With a stateless firewall, if you want to allow your server to work properly with hosts outside your LAN you must open all ports >1024

• A stateful firewall allows you to leave ports >1024 closed


Mastering IPTABLES mini Howto

• Learn the basics of TCP/IP

• Understand the connection tracking system

• Learn the iptables chains and tables scheme

• Learn the iptables syntax

• Use a simple network and test it many times

• Enjoy iptables


Good things about IPTABLES

• Connection tracking
– A mechanism that monitors packets, storing information about connections. This allows it to understand whether a packet belongs to a known connection

• Additional modules
– It is possible to load a module and use its features to add a rule to a table
– New modules can be developed to introduce new functionalities

• Optional userland modules
– Everyone can develop a module that runs outside kernel mode to match specific needs


Different set of packets

To understand how iptables works it is important to understand the different types of packets the firewall will manage:

• Forwarded: coming from other hosts, destined to other hosts

• Input: destined for localhost

• Output: generated by localhost

How does IPTABLES work on them?


Chains and Tables (I)

• A packet passes through Tables and Chains before being:
– forwarded, sent to its destination
– passed to a local process
– dropped, rejected
– ...

• Depending on the packet type (forwarded, input, output) it traverses different chains.


Chains and Tables (II)

• IPTABLES uses 5 default chains:

– PREROUTING: packets coming from other hosts
– FORWARD: packets to be forwarded
– INPUT: packets destined to localhost
– OUTPUT: packets generated by localhost
– POSTROUTING: packets going out to other hosts


Chains and Tables (III)

• Every chain "contains" one or more tables.

• New custom chains can be created

• Every packet goes into some chains, depending on its type (forwarded, input, output)

• To traverse a chain, a packet traverses all the default tables inside the specified chain

• Tables are:
– Mangle
– Filter
– NAT


The big picture: traversing of tables and chains


Forwarded packets path:

1. On the wire
2. Firewall interface
3. PREROUTING chain
   • Mangle table
   • NAT table
4. Routing decision
5. FORWARD chain
   • Filter table
6. POSTROUTING chain
   • NAT table
7. Outgoing interface, then on the wire again


Input packets path:

1. On the wire
2. Firewall interface
3. PREROUTING chain
   • Mangle table
   • NAT table
4. Routing decision
5. INPUT chain
   • FILTER table
6. Local application/process


Output packets path:

1. Local application/process
2. OUTPUT chain
   • Mangle table
   • NAT table
   • FILTER table
3. Routing decision
4. POSTROUTING chain
   • NAT table
5. Correct local interface, then on the wire


MANGLE table

• Allows changing parameters:

– TOS: Type Of Service, allows implementing routing policies using iptables

– TTL: Time To Live. Send packets to the Internet Service Provider with the same TTL (making it more difficult for some ISPs to check if you are using the connecti

– MARK: used by iproute2 to make different routing decisions (bandwidth limiting and class based queuing)


Network Address Translation (NAT) table (I)

• Destination NAT (DNAT): allows changing the destination address. Useful to receive packets from the Internet and redirect them to internal LAN services (like services running on servers inside the DMZ network)

• Source NAT (SNAT): allows hiding the internal DMZ network. The firewall changes the source address of outgoing packets, using its own Internet IP address (a public one)

• NOTE: this allows DMZ and Trusted networks to use private Internet addresses like 10.0.0.0/8 and 192.168.0.0/16.


Network Address Translation (NAT) table (II)

• MASQUERADING: the firewall hides all hosts inside the Trusted network, using its own Internet address (a public one). This allows you to connect many hosts using only one public Internet address. In the opposite direction you hide the hosts inside the Trusted network: with masquerading it is not possible for hosts on the Internet to start a new (not RELATED) connection to the Trusted network.


Stateful vs. Stateless Firewalls

• Stateless firewalls can make filter decisions based only on:
– source/destination addresses and ports

• Stateful firewalls associate a packet to a state and can make decisions based on:
– source/destination addresses and ports
– state of the packet


IPTABLES with connection tracking

With connection tracking your Linux box becomes a stateful firewall:

"ALLOWS WRITING TIGHTER RULES"

"YOU DON'T NEED TO OPEN ALL PORTS > 1024"

Connection tracking (I)


Connection tracking (II)

• The PREROUTING chain makes decisions about packet states; the possible states are:

– NEW: the packet is new in the connection
– ESTABLISHED: the packet is part of an established connection
– RELATED: the packet is NEW in the connection but the connection is related to an already ESTABLISHED connection
  • ex: ICMP messages are related to the corresponding connection
  • ex: the FTP-DATA stream is related to the FTP-CONTROL one
  • ex: more complicated TCP/UDP protocols need additional modules to be understood as related
– INVALID: a packet that cannot be identified and does not have a valid state. It is good practice to always DROP INVALID packets


TCP connections (I)

The client sends a SYN packet; the firewall catalogs it as belonging to a new connection. The server sends the SYN/ACK reply, and the connection becomes ESTABLISHED.


UDP connections

UDP is a connectionless protocol, but the kernel can maintain information about connection status. This allows seeing UDP "connections" as for TCP. The server replies to the first packet, so the connection is considered ESTABLISHED.


ICMP connections (I)

When the client replies to the Echo Request the packet is considered ESTABLISHED. After that the connection tracking system deletes the information about this connection, because we expect no more legitimate traffic relative to this ICMP request.


ICMP connections (II)

An ICMP message can be relative to another UDP or TCP connection. Connection tracking allows seeing an ICMP Net Unreachable as related to that connection.


Other connections, active FTP (I)

• FTP has an ftp-control channel (port 21) and an ftp-data channel (port 20).

• For active FTP the client connects to the server on the ftp-control port, then in the payload sends information about the IP and port to connect to

• A firewall should allow the server to connect to this client using that information about IP and port

• Connection tracking uses a special module that scans through the data in the control connection, allowing the server's connection (SYN) to the client to be seen as RELATED


Other connections, active FTP (II)


Other connections, passive FTP (I)

• In passive FTP the client asks for data

• The server sends (inside the ftp-control channel) information about the IP and port to connect to

• The client opens a connection to this IP and port from its data port (20) and then retrieves the requested data

• Again the connection tracking module allows seeing the new connection SYN as RELATED to the ftp-control channel


Other connections, passive FTP (II)


New Tables and Jumps

• A new custom chain can be created:
#iptables -N custom_chain

• With a "Jump" a packet can be sent to a chain:
#iptables -A INPUT -p UDP -j custom_chain
All UDP packets will pass through custom_chain

• Allows parsing only specific packets with a specific set of rules

• After traversing a chain the packet comes back to the originating chain, starting from the rule that follows the Jump
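A custom chain and its jump put to work inside a complete stateful filter set for the Trusted network of this deck, written as an added example (not taken from the original slides) for this section and for the connection tracking states described earlier. Assumed names: eth0 is the Internet interface and eth1 the Trusted LAN 192.168.0.0/24; the script prints the iptables commands unless IPT=iptables is set, so the rule order can be reviewed before loading it.

```shell
#!/bin/sh
# Added example, not from the original slides. Assumptions: eth0 = Internet,
# eth1 = Trusted LAN 192.168.0.0/24. IPT defaults to "echo iptables", i.e. a
# dry run that prints the rules; set IPT=iptables to load them for real.
IPT="${IPT:-echo iptables}"
WAN=eth0
LAN=eth1
LAN_NET=192.168.0.0/24

fw_filter_rules() {
    # Clean slate, then deny everything by default in all three built-in chains.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Anti-spoofing: a packet arriving on the Internet side can never carry a
    # LAN source address. Placed first, before any state rule could accept it.
    $IPT -A INPUT -i $WAN -s $LAN_NET -j DROP
    $IPT -A FORWARD -i $WAN -s $LAN_NET -j DROP

    # Connection tracking, in this order: INVALID is dropped before anything
    # else, then every packet of an already tracked connection is accepted.
    # Replies to LAN traffic come back through these rules, which is why no
    # port > 1024 has to be opened.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A $chain -m state --state INVALID -j DROP
        $IPT -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
    done

    # Custom chain: the allowed set of NEW outbound services. A packet that
    # matches nothing here falls off the end and RETURNs to FORWARD, where
    # it is logged and then hits the DROP policy.
    $IPT -N lan_out
    $IPT -A lan_out -p tcp --dport 80 -j ACCEPT
    $IPT -A lan_out -p tcp --dport 443 -j ACCEPT
    $IPT -A lan_out -p tcp --dport 21 -j ACCEPT
    $IPT -A lan_out -p udp --dport 53 -j ACCEPT
    $IPT -A lan_out -p icmp --icmp-type echo-request -j ACCEPT

    # Jump: only NEW connections from the LAN towards the Internet are sent
    # through lan_out; everything else in FORWARD never sees those rules.
    $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW -j lan_out

    # The firewall host itself: loopback, ssh from the LAN, and its own
    # outbound connections (DNS, updates).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW -j ACCEPT

    # LOG just before the DROP policy, rate limited so a flood cannot fill
    # syslog; the prefix makes the lines easy to grep.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD-DROP: "
}

# The FTP helper makes the data connection RELATED to the control one
# (ip_conntrack_ftp on the 2.4 kernels of the deck, nf_conntrack_ftp today).
# modprobe nf_conntrack_ftp

fw_filter_rules
```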


Command line and Shorewall (I)


Command line and Shorewall (II)

APPEND
#iptables -A FORWARD -p ALL -d 10.0.0.1 -j ACCEPT

DELETE (by rule specification, or by rule number; --dport needs a protocol match, hence -p tcp)
#iptables -D INPUT -p tcp --dport 80 -j DROP
#iptables -D INPUT 1

REPLACE
#iptables -R INPUT 1 -s 192.168.0.1 -j DROP

POLICY
#iptables -P INPUT DROP

CREATE CHAIN
#iptables -N allowed

FLUSH
#iptables -F INPUT

LIST
#iptables -L INPUT


TARGETS

• A rule checks a packet by protocol, source/destination addresses, source/destination ports, state and many other parameters. If it matches, the TARGET specifies the action to take

• TARGETS are:
– ACCEPT, DROP, REJECT
– DNAT, SNAT, MASQUERADE
– LOG, ULOG, MARK
– MIRROR, QUEUE, REDIRECT, RETURN
– TOS, TTL


ACCEPT

“As soon as the match specification for a packet has been fully satisfied, the rule is accepted and will not continue traversing the current chain or any other ones in the same table. Note however, that a packet that was accepted in one chain might still travel through chains within other tables, and could still be dropped there. There is nothing special about this target whatsoever, and it does not require, nor have the possibility of, adding options to the target. To use this target, we simply specify -j ACCEPT” (iptables tutorial 1.1.18).


Case Study: PING (I)

[host]#tcpdump -n
12:07:00.061966 192.168.1.1 > 192.168.0.10: icmp: echo request
12:07:00.062148 192.168.0.10 > 192.168.1.1: icmp: echo reply

[root@firewall]#iptables -F
[root@firewall]#iptables -P INPUT DROP
[root@firewall]#iptables -P OUTPUT DROP
[root@firewall]#iptables -P FORWARD DROP
[root@firewall]#iptables -A FORWARD -p icmp \
    --icmp-type echo-request -d 192.168.0.10 -j ACCEPT

[192.168.1.1]#ping 192.168.0.10
PING 192.168.0.10 (192.168.0.10) from 192.168.1.1: 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=254 time=0.360 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=254 time=0.319 ms


DROP

"The DROP target does just what it says, it drops packets dead and will not carry out any further processing. A packet that matches a rule perfectly and is then Dropped will be blocked. Note that this action might in certain cases have an unwanted effect, since it could leave dead sockets around on either host. A better solution in cases where this is likely would be to use the REJECT target, especially when you want to block port scanners from getting too much information, such as on filtered ports and so on. Also note that if a packet has the DROP action taken on it in a subchain, the packet will not be processed in any of the main chains either in the present or in any other table. The packet is in other words totally dead. As we've seen previously, the target will not send any kind of information in either direction, nor to intermediaries such as routers." (iptables tutorial 1.1.18).


Case study: PING (II)

[fw]#iptables -P INPUT ACCEPT
[fw]#iptables -P OUTPUT ACCEPT
[fw]#iptables -P FORWARD ACCEPT
[fw]#iptables -F
[fw]#iptables -A FORWARD -p icmp --icmp-type echo-request -d 192.168.0.10 -j DROP

[192.168.1.1]#ping 192.168.0.10
PING 192.168.0.10 (192.168.0.10) from 192.168.1.1: 56(84) bytes of data.
CTRL^C

[host]#tcpdump -n
CTRL^C


REJECT

"The REJECT target works basically the same as the DROP target, but it also sends back an error message to the host sending the packet that was blocked. The REJECT target is as of today only valid in the INPUT, FORWARD and OUTPUT chains or their sub chains. After all, these would be the only chains in which it would make any sense to put this target. Note that all chains that use the REJECT target may only be called by the INPUT, FORWARD, and OUTPUT chains, else they won't work. There is currently only one option which controls the nature of how this target works, though this may in turn take a huge set of variables. Most of them are fairly easy to understand, if you have a basic knowledge of TCP/IP." (iptables tutorial 1.1.18).


Case study: REJECT

[fw]#iptables -P INPUT ACCEPT
[fw]#iptables -P OUTPUT ACCEPT
[fw]#iptables -P FORWARD ACCEPT
[fw]#iptables -F
[fw]#iptables -A FORWARD -p icmp \
    --icmp-type echo-request -d 192.168.0.10 -j REJECT

[192.168.1.1]#ping 192.168.0.10
PING 192.168.0.10 (192.168.0.10) from 192.168.1.1: 56(84) bytes of data.
From 192.168.0.254 icmp_seq=1 Destination port Ureachable
From 192.168.0.254 icmp_seq=1 Destination port Ureachable

[host]#tcpdump -n
CTRL^C


DNAT

"The DNAT target is used to do Destination Network Address Translation, which means that it is used to rewrite the Destination IP address of a packet. If a packet is matched, and this is the target of the rule, the packet, and all subsequent packets in the same stream will be translated, and then routed on to the correct device, host or network. This target can be extremely useful, for example, when you have a host running your web server inside a LAN, but no real IP to give it that will work on the Internet. You could then tell the firewall to forward all packets going to its own HTTP port, on to the real web server within the LAN. We may also specify a whole range of destination IP addresses, and the DNAT mechanism will choose the destination IP address at random for each stream. Hence, we will be able to deal with a kind of load balancing by doing this." (iptables tutorial 1.1.18).


Case Study: DNAT (I)

External client: 213.178.208.130


Case Study: DNAT (II)

"DNAT to HTTP"
[root@firewall]# iptables -t nat -A PREROUTING -p TCP -i eth1 -d 217.58.102.74 \
    --dport 80 -j DNAT --to-destination 10.0.0.10

"DNAT to DNS"
[root@firewall]# iptables -t nat -A PREROUTING -p TCP -i eth1 -d 217.58.102.75 \
    --dport 53 -j DNAT --to-destination 10.0.0.11
[root@firewall]# iptables -t nat -A PREROUTING -p UDP -i eth1 -d 217.58.102.75 \
    --dport 53 -j DNAT --to-destination 10.0.0.11

"DNAT to SMTP"
[root@firewall]# iptables -t nat -A PREROUTING -p TCP -i eth1 -d 217.58.102.76 \
    --dport 25 -j DNAT --to-destination 10.0.0.12

"DNAT to POP3"
[root@firewall]# iptables -t nat -A PREROUTING -p TCP -i eth1 -d 217.58.102.75 \
    --dport 110 -j DNAT --to-destination 10.0.0.12

(The UDP DNS rule must match port 53 and the POP3 rule port 110; the original slide had 80 and 113 here, which are the HTTP and ident ports.)


Case Study: DNAT (III)

[213.178.208.130]#telnet 217.58.102.74 80
Trying 217.58.102.74...
Connected to host74-102.pool21758.interbusiness.it (217.58.102.74).
Escape character is '^]'.

[10.0.0.10]#tcpdump -n host 213.178.208.130
tcpdump: listening on eth0
22:06:13.467533 213.178.208.130.37795 > 10.0.0.10.http: S 1475560217:1475560217(0) win 5840 <mss 1460,sackOK,timestamp 87998393 0,nop,wscale 0> (DF) [tos 0x10]
22:06:13.467587 10.0.0.10.http > 213.178.208.130.37795: S 1855920719:1855920719(0) ack 1475560218 win 5792 <mss 1460,sackOK,timestamp 126118625 87998393,nop,wscale 0> (DF)
22:06:13.551483 213.178.208.130.37795 > 10.0.0.10.http: . ack 1 win 5840 <nop,nop,timestamp 87998402 126118625> (DF) [tos 0x10]

[fw]# tcpdump -i eth1 dst host 10.0.0.10
tcpdump: listening on eth1
21:59:05.665687 213.178.208.130.37795 > 10.0.0.10.http: S 1475560217:1475560217(0) win 5840 <mss 1460,sackOK,timestamp 87998393 0,nop,wscale 0> (DF) [tos 0x10]
21:59:05.749653 213.178.208.130.37795 > 10.0.0.10.http: . ack 1855920720 win 5840 <nop,nop,timestamp 87998402 126118625> (DF) [tos 0x10]


SNAT

• "The SNAT target is used to do Source Network Address Translation, which means that this target will rewrite the Source IP address in the IP header of the packet. This is what we want, for example, when several hosts have to share an Internet connection. We can then turn on ip forwarding in the kernel, and write an SNAT rule which will translate all packets going out from our local network to the source IP of our own Internet connection. Without doing this, the outside world would not know where to send reply packets, since our local networks mostly use the IANA specified IP addresses which are allocated for LAN networks. If we forwarded these packets as is, no one on the Internet would know that they were actually from us. The SNAT target does all the translation needed to do this kind of work, letting all packets leaving our LAN look as if they came from a single host, which would be our firewall."

• "The SNAT target is only valid within the nat table, within the POSTROUTING chain. This is in other words the only chain in which you may use SNAT. Only the first packet in a connection is mangled by SNAT, and after that all future packets using the same connection will also be SNATted." (iptables tutorial 1.1.18).


MASQUERADE

• "The MASQUERADE target is used basically the same as the SNAT target, but it does not require any --to-source option. The reason for this is that the MASQUERADE target was made to work with, for example, dial-up connections, or DHCP connections, which gets dynamic IP addresses when connecting to the network in question."

• "This means that you should only use the MASQUERADE target with dynamically assigned IP connections, which we don't know the actual address of at all times. If you have a static IP connection, you should instead use the SNAT target".

• "When you masquerade a connection, it means that we set the IP address used on a specific network interface instead of the --to-source option, and the IP address is automatically grabbed from the information about the specific interface. The MASQUERADE target also has the effect that connections are forgotten when an Interface goes down, which is extremely good if we, for example, kill a specific interface" (iptables tutorial 1.1.18).


Case Study: SNAT or MASQUERADING (I)

[fw]#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT \
    --to-source 217.58.102.77                              <-- SNAT

[fw]#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE      <-- MASQUERADING

[host]# tcpdump -n host 217.58.102.77
tcpdump: listening on eth0
09:40:44.405824 217.58.102.77.32947 > 140.105.16.57.http: S 3222243845:3222243845(0) win 5840 <mss 1460,sackOK,timestamp 1968354 0,nop,wscale 0> (DF) [tos 0x10]

[client]# telnet 140.105.16.57 80
Trying 140.105.16.57...
Connected to 140.105.16.57.
Escape character is '^]'.
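The nat-table half of the same topology, as an added example (not from the original slides) that covers both the DNAT case study and the SNAT/MASQUERADE case above: DMZ servers are published with DNAT, the DMZ is hidden behind a static SNAT and the Trusted LAN behind MASQUERADE, and the matching FORWARD permits are opened. Assumptions: eth0 is the Internet side carrying the public addresses 217.58.102.74-77 used in the slides, eth1 the Trusted LAN 192.168.0.0/24 and eth2 the DMZ 10.0.0.0/24; rules are printed unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example, not from the original slides. Assumptions: eth0 = Internet
# (public addresses 217.58.102.74-77 as in the deck), eth1 = Trusted LAN
# 192.168.0.0/24, eth2 = DMZ 10.0.0.0/24. Dry run (prints rules) unless
# IPT=iptables is set.
IPT="${IPT:-echo iptables}"
WAN=eth0
LAN=eth1
DMZ=eth2
LAN_NET=192.168.0.0/24
DMZ_NET=10.0.0.0/24
FW_PUBLIC=217.58.102.77   # static address used as the SNAT source for the DMZ

# publish PUBLIC_IP PROTO PORT DMZ_IP: expose one DMZ service on one public address.
publish() {
    # DNAT happens in nat/PREROUTING, before the routing decision...
    $IPT -t nat -A PREROUTING -i $WAN -p "$2" -d "$1" --dport "$3" \
        -j DNAT --to-destination "$4"
    # ...so the FORWARD rule that lets the first packet in must match the
    # translated private address, not the public one. Later packets of the
    # connection are ESTABLISHED and need no extra rule (see the filter set).
    $IPT -A FORWARD -i $WAN -o $DMZ -p "$2" -d "$4" --dport "$3" \
        -m state --state NEW -j ACCEPT
}

fw_nat_rules() {
    $IPT -t nat -F

    # Published services: the same mapping as the deck's DNAT case study.
    publish 217.58.102.74 tcp 80  10.0.0.10
    publish 217.58.102.75 tcp 53  10.0.0.11
    publish 217.58.102.75 udp 53  10.0.0.11
    publish 217.58.102.76 tcp 25  10.0.0.12
    publish 217.58.102.76 tcp 110 10.0.0.12

    # DMZ -> Internet (DNS recursion, outgoing mail): static public address,
    # so SNAT with an explicit --to-source. Limited to -o $WAN so that
    # DMZ <-> LAN traffic is never translated.
    $IPT -t nat -A POSTROUTING -s $DMZ_NET -o $WAN -j SNAT --to-source $FW_PUBLIC
    $IPT -A FORWARD -i $DMZ -o $WAN -s $DMZ_NET -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $DMZ -o $WAN -s $DMZ_NET -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # Trusted LAN -> Internet: MASQUERADE reads the address of the outgoing
    # interface at translation time, the right target when the ISP assigns
    # it dynamically; its conntrack entries are dropped if the interface goes down.
    $IPT -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE

    # LAN -> DMZ needs no NAT but must still be permitted explicitly; the DMZ
    # gets no rule towards the LAN, so a compromised server hits the DROP policy.
    $IPT -A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d 10.0.0.10 -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
}

# Without this sysctl the kernel forwards nothing, whatever the rules say.
# echo 1 > /proc/sys/net/ipv4/ip_forward

fw_nat_rules
```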


LOG, ULOG

• "The LOG target is specially designed for logging detailed information about packets. These could for example be considered as illegal. Or, logging can be used purely for bug hunting and error finding."

• "The LOG target will return specific information on packets, such as most of the IP headers and other information considered interesting. It does this via the kernel logging facility, normally syslogd. This information may then be read directly with dmesg, or from the syslogd logs, or with other programs or applications."

• "This is an excellent target to use in debugging your rule-sets, so that you can see what packets go where and what rules are applied on what packets. Note as well that it could be a really great idea to use the LOG target instead of the DROP target while you are testing a rule you are not 100% sure about on a production firewall, since a syntax error in the rule-sets could otherwise cause severe connectivity problems for your users."

• "Also note that the ULOG target may be interesting if you are using really extensive logging, since the ULOG target has support for direct logging to MySQL databases and suchlike" (iptables tutorial 1.1.18).


MARK

• "The MARK target is used to set Netfilter mark values that are associated with specific packets. This target is only valid in the mangle table, and will not work outside there."

• "The MARK values may be used in conjunction with the advanced routing capabilities in Linux to send different packets through different routes and to tell them to use different queue disciplines (qdisc), etc."

• "Note that the mark value is not set within the actual package, but is a value that is associated within the kernel with the packet. In other words, you can not set a MARK for a packet and then expect the MARK still to be there on another host. If this is what you want, you will be better off with the TOS target which will mangle the TOS value in the IP header." (iptables tutorial 1.1.18).


QUEUE, REDIRECT, RETURN

• "The QUEUE target is used to queue packets to User-land programs and applications. It is used in conjunction with programs or utilities that are extraneous to iptables and may be used, for example, with network accounting, or for specific and advanced applications which proxy or filter packets."

• "The REDIRECT target is used to redirect packets and streams to the machine itself. This means that we could for example REDIRECT all packets destined for the HTTP ports to an HTTP proxy like squid, on our own host. Locally generated packets are mapped to the 127.0.0.1 address. In other words, this rewrites the destination address to our own host for packets that are forwarded, or something alike. The REDIRECT target is extremely good to use when we want, for example, transparent proxying, where the LAN hosts do not know about the proxy at all."

• "The RETURN target will cause the current packet to stop traveling through the chain where it hit the rule. If it is the subchain of another chain, the packet will continue to travel through the superior chains as if nothing had happened. If the chain is the main chain, for example the INPUT chain, the packet will have the default policy taken on it. The default policy is normally set to ACCEPT, DROP or similar." (iptables tutorial 1.1.18).


TOS, TTL

• "The TOS target is used to set the Type of Service field within the IP header. The TOS field consists of 8 bits which are used to help in routing packets. This is one of the fields that can be used directly within iproute2 and its subsystem for routing policies. Worth noting, is that if you handle several separate firewalls and routers, this is the only way to propagate routing information within the actual packet between these routers and firewalls. As previously noted, the MARK target - which sets a MARK associated with a specific packet - is only available within the kernel, and can not be propagated with the packet. If you feel a need to propagate routing information for a specific packet or stream, you should therefore set the TOS field, which was developed for this."

• The TTL target is used to modify the Time To Live field in the IP header. One useful application of this is to change all Time To Live values to the same value on all outgoing packets. One reason for doing this is if you have a bully ISP which don't allow you to have more than one machine connected to the same Internet connection, and who actively pursue this. Setting all TTL values to the same value, will effectively make it a little bit harder for them to notify that you are doing this. We may then reset the TTL value for all outgoing packets to a standardized value, such as 64 as specified in Linux kernel. (iptables tutorial 1.1.18).


Bibliography

• Iptables tutorial 1.1.18, Oskar Andreasson

• "Firewall con Linux" – [email protected]