iptables easy to understand articles/pdf

Hi, I am working on a longish "tutorial" that explains iptables for
pretty much anyone. So far I have encountered only pretty high-level
documents that go immediately into the code. My approach is more of a
nothing-to-everything approach, and I have 3 parts already. I am now
writing the last part (IMHO), but I would like to have some input to
see where this guide could be expanded or made better. This will
be converted into a pdf once the whole is complete for easy offline
My last document is about different iptables modules and I haven't
published it yet, but the other 3 are online already. Any suggestions,
please email me; I am looking forward to them.
Part 1:
http://blog.2blocksaway.com/2006/10/23/iptables-explained-understanding-and-creating-your-own/
Part 2:
http://blog.2blocksaway.com/2006/11/13/iptables-explained-part-2-or-a-how-for-iptables-to-about-efficient-rule-design/
and Part 3:
http://blog.2blocksaway.com/2006/11/15/iptables-explained-part-3-creating-a-complex-iptables-script/

Thanks already for any constructive criticism.


PS: yes i am posting this in a couple of groups, but not at once.

Re: iptables easy to understand articles/pdf

On 20 Dec 2006, in the Usenet newsgroup comp.security.firewalls, in article
newsgroup comp.os.linux.security in article


Where have you looked?  A Linux distribution comes with a bunch of HOWTOs
and mini-howtos aimed at answering a lot of the questions a user may have.
Looking at the current documents (here from sunsite):

-rw-rw-r-- 1 gferg ldp   85507 Aug 20  2001 Firewall-HOWTO
-rw-rw-r-- 1 gferg ldp  271987 Nov 27 14:45 HOWTO-INDEX
-rw-rw-r-- 1 gferg ldp  708351 Nov 14  2005 IP-Masquerade-HOWTO
-rw-rw-r-- 1 gferg ldp   17605 Jul 21  2004 Masquerading-Simple-HOWTO
-rw-rw-r-- 1 gferg ldp  155096 Jan 23  2004 Security-HOWTO
-rw-rw-r-- 1 gferg ldp  278012 Jul 23  2002 Security-Quickstart-HOWTO
-rw-rw-r-- 1 gferg ldp  287057 Jul 23  2002 Security-Quickstart-Redhat-HOWTO

but the more authoritative documents are on Rusty Russell's site at
http://www.iptables.org/documentation/HOWTO/ - the so-called "unofficial"

 [TXT]  NAT-HOWTO.txt                        17-Oct-2004 14:34   25K
 [TXT]  netfilter-double-nat-HOWTO.txt       17-Oct-2004 14:34  9.4K
 [TXT]  netfilter-extensions-HOWTO.txt       17-Oct-2004 14:34   79K
 [TXT]  netfilter-hacking-HOWTO.txt          17-Oct-2004 14:35   84K
 [TXT]  netfilter-mirror-HOWTO.txt           17-Oct-2004 14:33  8.1K
 [TXT]  networking-concepts-HOWTO.txt        17-Oct-2004 14:34   28K
 [TXT]  packet-filtering-HOWTO.txt           17-Oct-2004 14:34   52K

Additionally, there are some relevant guides at http://tldp.org/guides.html

     * Securing & Optimizing Linux: The Ultimate Solution
     * The Linux Cookbook: Tips and Techniques for Everyday Use
     * Linux Administrator's Security Guide


Part 1

   you can set in these policies are ACCEPT,DENY and DROP. the difference

The difference (missed capitalization in a number of places besides this.
This also applies to the second and third part.)

   between DENY and DROP is that DROP will just disregard the package
   whereas DENY will send a TCP package back telling the other machine
   that the traffic has been denied.

send a TCP packet

Part 2


Wrong closing quote (several places besides this)

   rules and the packet will go through all the rules uuntil the end of

speel chequer not used  ;-)

Part 3

   Now, the explanation. The AP is WEP capable only and WEP is good but
   not good enough for us security people).

WEP is not good enough for anyone. WEP64 and WEP128 can easily be cracked.
WPA is better. WPA-PSK with TKIP is very safe. The usual recommendation is
20 characters or more, consisting of non-dictionary words. WPA encryption
based on a PSK (Pre Shared Key) has been cracked, but only with weak (either
very short or short dictionary words), and not TKIP which changes the
encryption key frequently. (People rant about this subject in the Usenet
newsgroup 'alt.internet.wireless' quite frequently.)

   The 3 networks we are using here are :
     * for our MAIN network on eth
     * for our WLAN on eth1
     * for our OpenVPN WLAN network on tun0
     * for our OpenVPN PUBLIC network on tun1

3???   Oh, you're a Geek, and count from zero.  OK   ;-)

     $IPT -A local -s -d -j ACCEPT

Minor quibble - I'd use, simply because the system knows
that any address in that range is loopback. Try pinging/connecting to - and your own computer will answer.


Looks good.


Think also of leaving it as raw text - the advantage is that you can use
a search feature like 'grep' to find keywords which is impossible with a


Would be better to cross-post (put all the newsgroups in a comma
separated line) and set a Followup-To: as I have done here than to
individually post. (I also see two copies of the other post to
alt.computer.security and comp.os.linux.networking.)

        Old guy
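An added example, not part of Moe Trin's reply or of the tutorial under review, on the DROP-versus-reject point above. One caveat worth stating for the tutorial: iptables itself has no DENY target (that was an ipchains target); the target that answers the peer is REJECT, which sends an ICMP port-unreachable by default and a TCP RST only when given --reject-with tcp-reset. The script below parses a constructed iptables-save listing (sample data, not from Part 3), reports each chain's policy, says for every terminating rule whether the peer is answered or left hanging, and flags two things by conventions of this example only: a filter INPUT or FORWARD chain whose default policy is ACCEPT, and a TCP REJECT rule without tcp-reset.

```python
"""Summarize an iptables-save ruleset: chain policies and how each
terminating rule ends a packet (silent DROP vs. answering REJECT).

Added example, not code from the tutorial being reviewed. The input
below is a constructed iptables-save listing; the audit conventions
are this example's own, not anything iptables enforces.
"""
import shlex

# Constructed sample of `iptables-save` output for the filter table.
SAMPLE_RULESET = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:local - [0:0]
-A INPUT -i lo -j local
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p tcp -j REJECT
-A FORWARD -i eth1 -o tun0 -j ACCEPT
-A local -i lo -j ACCEPT
COMMIT
"""

# iptables has no DENY target; the rejecting target is REJECT, whose
# reply is an ICMP port-unreachable unless --reject-with says otherwise
# (tcp-reset is the TCP RST variant).
DEFAULT_REJECT_WITH = "icmp-port-unreachable"


def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": {chain: [rule]}}}.

    Each rule is a dict holding the chain, the argv of the -A line, the
    jump target and the --reject-with value (None when absent).
    """
    tables = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # "*filter": table header
            table = line[1:]
            tables[table] = {"policy": {}, "rules": {}}
        elif line == "COMMIT":                        # end of this table
            table = None
        elif line.startswith(":"):                    # ":CHAIN POLICY [pkts:bytes]"
            chain, policy, _counters = line[1:].split(None, 2)
            tables[table]["policy"][chain] = policy   # "-" means user-defined chain
            tables[table]["rules"].setdefault(chain, [])
        elif line.startswith("-A "):                  # one appended rule
            argv = shlex.split(line)
            rule = {"chain": argv[1], "argv": argv, "target": None, "reject_with": None}
            for i, tok in enumerate(argv):
                if tok == "-j" and i + 1 < len(argv):
                    rule["target"] = argv[i + 1]
                elif tok == "--reject-with" and i + 1 < len(argv):
                    rule["reject_with"] = argv[i + 1]
            tables[table]["rules"].setdefault(argv[1], []).append(rule)
    return tables


def classify_target(rule):
    """Describe what the peer sees when this rule matches."""
    target = rule["target"]
    if target == "DROP":
        return "silent: packet discarded, nothing sent back"
    if target == "REJECT":
        return "answers: " + (rule["reject_with"] or DEFAULT_REJECT_WITH)
    if target == "ACCEPT":
        return "accept"
    return "jump to chain " + str(target)


def audit_filter_table(tables):
    """Return findings for the filter table (conventions of this example)."""
    findings = []
    filt = tables.get("filter", {"policy": {}, "rules": {}})
    for chain in ("INPUT", "FORWARD"):
        if filt["policy"].get(chain) == "ACCEPT":
            findings.append(f"{chain}: default policy is ACCEPT; unmatched packets get through")
    for chain, rules in filt["rules"].items():
        for r in rules:
            if r["target"] == "REJECT" and "tcp" in r["argv"] and r["reject_with"] != "tcp-reset":
                findings.append(f"{chain}: TCP REJECT without --reject-with tcp-reset "
                                f"(peer gets {r['reject_with'] or DEFAULT_REJECT_WITH})")
    return findings


if __name__ == "__main__":
    parsed = parse_iptables_save(SAMPLE_RULESET)
    for chain, rules in parsed["filter"]["rules"].items():
        print(f"{chain} (policy {parsed['filter']['policy'][chain]})")
        for r in rules:
            print("   ", " ".join(r["argv"][2:]), "->", classify_target(r))
    for finding in audit_filter_table(parsed):
        print("finding:", finding)
```

Run it against a real box with `iptables-save | python3 audit.py` after swapping SAMPLE_RULESET for sys.stdin.read(); the parser only understands the `*table`, `:chain`, `-A` and `COMMIT` lines, which is all iptables-save emits for the filter table.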

Re: iptables easy to understand articles/pdf

Hi Moe, excellent, thank you very much for the comments (and
corrections). I will change the quibbles as soon as I get home.
About the raw text, I guess I can leave that as well, yes. My main point
was that there are so many documents a person would have to
read to get a grasp of iptables that a single one would be nicer and
easier, imho.

Again, thanks for the comments, and anyone who still has something to add
or suggest, or who wants something to be added to the whole (like
something they want explained), please let me know.



Moe Trin wrote:

Re: iptables easy to understand articles/pdf

On 21 Dec 2006, in the Usenet newsgroup comp.os.linux.security, in article


Please do post an announcement when the rest of the document is available.


Oh, I agree with that.  The reason I was suggesting having the text
version available is the ease in searching for things that the document
may contain.   I'm sure you are used to using 'apropos' and 'whatis'
to search for man pages (as one example), but I've also found it very
useful to use grep (or zgrep) to search for keywords within the man

[compton ~]$ apropos routing | wc -l
[compton ~]$ find /usr/share/man/ -mindepth 2 -type f | wc -l
[compton ~]$ zgrep -l routing /usr/share/man/man*/* | wc -l
[compton ~]$

That's just one example where being able to access the _words_ in a
document may be useful.  Going along with your point, there are 448
different HOWTOs and mini-howtos (totalling 3.8 million words), and
29 of them mention 'iptables'.  But what use is that if you can't
_find_ which one?

        Old guy
