iptables easy to understand articles/pdf - Firewalls


Thread: iptables easy to understand articles/pdf

  1. iptables easy to understand articles/pdf

    Hi, I am working on a longish "tutorial" that explains iptables for
    pretty much anyone. I have encountered so far only pretty high level
    documents that go immediately into the code. My approach is more of a
    nothing-to-everything approach, and I have 3 parts already. I am now
    writing the last part (IMHO), but I would like to have some input to
    see where this guide could be expanded or made better. This will
    be converted into a pdf once the whole is complete for easy offline
    reading.
    My last document is about different iptables modules and I haven't
    published it yet, but the other 3 are online already. Any suggestions,
    please email me; I am looking forward to them.
    Part 1:
    http://blog.2blocksaway.com/2006/10/...ting-your-own/
    Part 2:
    http://blog.2blocksaway.com/2006/11/...t-rule-design/
    and Part 3:
    http://blog.2blocksaway.com/2006/11/...tables-script/

    Thanks already for any constructive criticism.

    //Flosse
    http://blog.2blocksaway.com

    PS: yes, I am posting this in a couple of groups, but not at once.


  2. Re: iptables easy to understand articles/pdf

    Flosse wrote:
    > Hi, I am working on a longish "tutorial" that explains iptables for
    > pretty much anyone.


    Great - I look forwards to reading it!

    I use Shorewall in a Leaf router/firewall, and would like to understand
    more of the 'nuts and bolts' of iptables.

    Jim Ford

  3. Re: iptables easy to understand articles/pdf

    On 20 Dec 2006, in the Usenet newsgroup comp.security.firewalls, in article
    <1166660404.987479.101160@n67g2000cwd.googlegroups.com> and in the Usenet
    newsgroup comp.os.linux.security in article
    <1166660359.132991.96600@n67g2000cwd.googlegroups.com>, Flosse wrote:

    >Hi, I am working on a longish "tutorial" that explains iptables for
    >pretty much anyone. I have encountered so far only pretty high level
    >documents that go immediately into the code.


    Where have you looked? A Linux distribution comes with a bunch of HOWTOs
    and mini-howtos aimed at answering a lot of the questions a user may have.
    Looking at the current documents (here from sunsite):

    -rw-rw-r-- 1 gferg ldp 85507 Aug 20 2001 Firewall-HOWTO
    -rw-rw-r-- 1 gferg ldp 271987 Nov 27 14:45 HOWTO-INDEX
    -rw-rw-r-- 1 gferg ldp 708351 Nov 14 2005 IP-Masquerade-HOWTO
    -rw-rw-r-- 1 gferg ldp 17605 Jul 21 2004 Masquerading-Simple-HOWTO
    -rw-rw-r-- 1 gferg ldp 155096 Jan 23 2004 Security-HOWTO
    -rw-rw-r-- 1 gferg ldp 278012 Jul 23 2002 Security-Quickstart-HOWTO
    -rw-rw-r-- 1 gferg ldp 287057 Jul 23 2002 Security-Quickstart-Redhat-HOWTO

    but the more authoritative documents are on Rusty Russell's site at
    http://www.iptables.org/documentation/HOWTO/ - the so-called "unofficial"
    HOWTOs:

    [TXT] NAT-HOWTO.txt 17-Oct-2004 14:34 25K
    [TXT] netfilter-double-nat-HOWTO.txt 17-Oct-2004 14:34 9.4K
    [TXT] netfilter-extensions-HOWTO.txt 17-Oct-2004 14:34 79K
    [TXT] netfilter-hacking-HOWTO.txt 17-Oct-2004 14:35 84K
    [TXT] netfilter-mirror-HOWTO.txt 17-Oct-2004 14:33 8.1K
    [TXT] networking-concepts-HOWTO.txt 17-Oct-2004 14:34 28K
    [TXT] packet-filtering-HOWTO.txt 17-Oct-2004 14:34 52K

    Additionally, there are some relevant guides at http://tldp.org/guides.html

    * Securing & Optimizing Linux: The Ultimate Solution
    * The Linux Cookbook: Tips and Techniques for Everyday Use
    * Linux Administrator's Security Guide

    >My approach is more from a nothing to everything approach and i have 3
    >parts already. I am now writing the last part (IMHO), but I would like
    >to have some input to see where this guide could be more expanded or
    >made better.


    Part 1

    you can set in these policies are ACCEPT,DENY and DROP. the difference

    The difference (missed capitalization in a number of places besides this.
    This also applies to the second and third part.)

    between DENY and DROP is that DROP will just disregard the package
    whereas DENY will send a TCP package back telling the other machine
    that the traffic has been denied.

    send a TCP packet

    Part 2

    std_ports="22,80,443''

    Wrong closing quote (several places besides this)

    rules and the packet will go through all the rules uuntil the end of

    speel chequer not used ;-)

    Part 3

    Now, the explanation. The AP is WEP capable only and WEP is good but
    not good enough for us security people).

    WEP is not good enough for anyone. WEP64 and WEP128 can easily be cracked.
    WPA is better. WPA-PSK with TKIP is very safe. The usual recommendation is
    20 characters or more, consisting of non-dictionary words. WPA encryption
    based on a PSK (Pre Shared Key) has been cracked, but only with weak (either
    very short or short dictionary words), and not TKIP which changes the
    encryption key frequently. (People rant about this subject in the Usenet
    newsgroup 'alt.internet.wireless' quite frequently.)

    The 3 networks we are using here are :
    * 192.168.0.0/24 for our MAIN network on eth
    * 192.168.1.0/24 for our WLAN on eth1
    * 192.168.2.0/24 for our OpenVPN WLAN network on tun0
    * 192.168.3.0/24 for our OpenVPN PUBLIC network on tun1

    3??? Oh, you're a Geek, and count from zero. OK ;-)

    $IPT -A local -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT

    Minor quibble - I'd use 127.0.0.0/8, simply because the system knows
    that any address in that range is loopback. Try pinging/connecting to
    127.127.127.127 - and your own computer will answer.

    ========================

    Looks good.

    >This will be converted into a pdf once the whole is complete for easy
    >offline reading.


    Think also of leaving it as raw text - the advantage is that you can use
    a search feature like 'grep' to find keywords which is impossible with a
    pdf.

    >PS: yes i am posting this in a couple of groups, but not at once.


    Would be better to cross-post (put all the newsgroups in a comma
    separated line) and set a Followup-To: as I have done here than to
    individually post.. (I also see two copies of the other post to
    alt.computer.security and comp.os.linux.networking.)

    Old guy
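    The two firewall points raised above (what happens to a packet under
    DROP versus a target that answers the sender, and matching loopback
    as a whole rather than as 127.0.0.1/32) as an added example, not
    code from Flosse's tutorial or from the post. In iptables the target
    that sends a response back is spelled REJECT (DENY was the ipchains
    name); DROP discards silently. The rules below are written in the
    same `$IPT` style as Part 3, but the chain (INPUT instead of the
    tutorial's custom `local` chain), the reuse of Part 2's `$std_ports`
    list, and the choice of port 113 (ident) as the rejected service are
    assumptions. With IPT unset the script only prints the rules, so it
    can be read without root.

```shell
#!/bin/sh
# Added example (not from the tutorial or the thread). Set IPT to a real
# iptables binary to load the rules; the default just echoes them.
IPT="${IPT:-echo iptables}"
std_ports="22,80,443"          # assumed; mirrors Part 2's variable

build_rules() {
    # Start from an empty INPUT chain so the script is repeatable.
    $IPT -F INPUT
    # Loopback: match on the interface, not on 127.0.0.1/32, so every
    # address in 127.0.0.0/8 (127.127.127.127 included) is covered.
    $IPT -A INPUT -i lo -j ACCEPT
    # Anti-spoof: a 127/8 source must never arrive on a real interface.
    $IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    # Stateful: replies to connections we opened ourselves.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Standard services: one multiport rule instead of three.
    $IPT -A INPUT -p tcp -m multiport --dports "$std_ports" -m state --state NEW -j ACCEPT
    # REJECT answers the sender. The default answer is an ICMP
    # port-unreachable; for TCP a RST makes clients fail fast instead
    # of retrying (ident lookups by mail/IRC servers are the classic case).
    $IPT -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    # DROP as chain policy: everything else is discarded silently and
    # the sender simply times out.
    $IPT -P INPUT DROP
}

build_rules
```

    Run it as-is to see the rules, then with `IPT=/sbin/iptables` as
    root to load them. The anti-spoof rule sits before the stateful
    rule on purpose: a forged 127/8 packet must never reach a match
    that could accept it.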

  4. Re: iptables easy to understand articles/pdf

    Hi Moe, excellent, thank you very much for the comments (and
    corrections). I will change the quibbles as soon as I get home.
    About the raw text, I guess I can leave that as well, yes. My main point
    was that there are so many documents a person would have to
    read to get a grasp of iptables that a single one would be nicer and
    easier, IMHO.

    Again, thanks for the comments. Anyone who still has something to add,
    or suggestions, please do so; anyone who wants something added to the
    whole, like something they want explained, please let me know.

    cheers,

    //Flosse
    http://blog.2blocksaway.com



  5. Re: iptables easy to understand articles/pdf

    On 21 Dec 2006, in the Usenet newsgroup comp.os.linux.security, in article
    <1166743530.156425.309770@i12g2000cwa.googlegroups.com>, Flosse wrote:

    >Hi Moe, excellent, thank you very much for the comments (and
    >corrections). I will change the quibbles as soon as I get home.


    Please do post an announcement when the rest of the document is available.

    >about the raw text, i guess I can leave that as well yes. My main point
    >was that mainly there are so many documents that a person would have to
    >read to get a grasp of iptables, that a single one would be nicer and
    >easier, imho.


    Oh, I agree with that. The reason I was suggesting having the text
    version available is the ease in searching for things that the document
    may contain. I'm sure you are used to using 'apropos' and 'whatis'
    to search for man pages (as one example), but I've also found it very
    useful to use grep (or zgrep) to search for keywords within the man
    pages.

    [compton ~]$ apropos routing | wc -l
    2
    [compton ~]$ find /usr/share/man/ -mindepth 2 -type f | wc -l
    3018
    [compton ~]$ zgrep -l routing /usr/share/man/man*/* | wc -l
    17
    [compton ~]$

    That's just one example where being able to access the _words_ in a
    document may be useful. Going along with your point, there are 448
    different HOWTOs and mini-howtos (totalling 3.8 million words), and
    29 of them mention 'iptables'. But what use is that if you can't
    _find_ which one?

    Old guy
