LinuxQuestions.org
Old 05-21-2009, 09:15 PM   #1
L_Masoumi
LQ Newbie
 
Registered: Mar 2008
Location: Australia
Distribution: Knoppix 6.0.1, Fedora 9, Ubuntu 8.10
Posts: 8

Rep: Reputation: 0
Netfilter/IPtables Trade off!


Hi all,

Can anybody tell me about any trade-offs and limitations of iptables being used as a firewall?

For example, it's not expected to provide authentication at the transport layer, so that cannot be considered one of its limitations!

Is there any security that a firewall at this layer is supposed to provide but iptables doesn't? Any particular limitations within its chains and rules which give attackers a way into our network?

I'd appreciate any info, hints, or a clear resource...

Thanks in advance,
 
Old 05-22-2009, 01:04 AM   #2
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,311

Rep: Reputation: 2040
This is the home site and has lots of reading: http://www.netfilter.org/
 
Old 05-22-2009, 08:19 AM   #3
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,916

Rep: Reputation: 777
Quote:
Originally Posted by L_Masoumi View Post
For example, it's not expected to provide authentication at the transport layer, so that cannot be considered one of its limitations!
Maybe I am misunderstanding your question, but you seem to be complaining that a firewall only does the things that a firewall should do and doesn't do other, non-firewall, things. While it is true that, on some other platforms, hybrid products that combine a firewall with some other functionality (e.g., virus scan) are quite common, the *nix philosophy is to have a tool that does one thing and does it well. The other approach seems to be fated to produce a compromise solution.

Of course, it would be a serious mistake to think of a firewall as being some kind of magic piece of software that makes all of the risks posed by bad guys go away. No one piece of software can do that, and if this is what you want you should be investigating what other measures you should be taking in addition to having a firewall.

You might want to look at the iptables documentation at frozentux to see the range of things that iptables/netfilter can do (once configured correctly).
 
Old 05-22-2009, 08:24 AM   #4
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655
Netfilter is a packet firewall.

Another type of firewall looks more at the protocols. Netfilter isn't the best as an application firewall, but if that is what you want, look at squid. You might also want to look for documentation on transparent inline firewalls that will use both netfilter and contain an IDS such as Snort.
 
Old 05-23-2009, 12:33 AM   #5
L_Masoumi
LQ Newbie
 
Registered: Mar 2008
Location: Australia
Distribution: Knoppix 6.0.1, Fedora 9, Ubuntu 8.10
Posts: 8

Original Poster
Rep: Reputation: 0
Thank you from all...

But I think I was not clear on my question. I'll try to put it a better way:

We have different types of firewalls besides netfilter/iptables, such as those in Windows systems, which I'm not aware of how exactly they work...

I'm saying, if I suggest that somebody use iptables as a firewall (assuming they configure it correctly and completely!), what are the possible drawbacks of this iptables firewall?

Are there any types of known attacks that can ANYWAY, even with comprehensive and carefully selected rules, compromise the network behind the firewall?

I'll give you an example of a drawback of iptables in place as a firewall: if the network grows and gets to have segmented LANs, and also in case of having a DMZ... the complexity of iptables firewalls can increase a LOT and in some cases is almost impossible to handle, as I heard!

I need to think of anything else that can make iptables "not a good choice" for a firewall in my network... and this is what I'm searching for!


Any more idea will be appreciated,
Thanks,
 
Old 05-23-2009, 12:46 PM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by L_Masoumi View Post
Thank you from all...

But I think I was not clear on my question. I'll try to put it a better way:

We have different types of firewalls besides netfilter/iptables, such as those in Windows systems, which I'm not aware of how exactly they work...

I'm saying, if I suggest that somebody use iptables as a firewall (assuming they configure it correctly and completely!), what are the possible drawbacks of this iptables firewall?
I've been using iptables for years and I'm struggling to find any drawbacks which I could share with you. I'm not saying there aren't any (everything has drawbacks), but it's really hard finding drawbacks for something which does what it's designed to do so well.

Quote:
Are there any types of known attacks that can ANYWAY, even with comprehensive and carefully selected rules, compromise the network behind the firewall?
Yes. This is true for any firewall on Earth.

Quote:
I'll give you an example of a drawback of iptables in place as a firewall: if the network grows and gets to have segmented LANs, and also in case of having a DMZ... the complexity of iptables firewalls can increase a LOT and in some cases is almost impossible to handle, as I heard!
That's totally bogus - or at the very least, completely subjective. I would argue that the opposite is true. When you've created a decent iptables script, scalability is trivial. I've used iptables for large projects, and I've always had a really nice experience with it. That said, I have seen many people write iptables scripts that are unbelievably over-complicated, so maybe those types of users would have problems when it comes to expansion. Personally, I like to keep my scripts as simple as possible and on a large script I am always on the lookout for ways in which I can trim the fat.

Quote:
I need to think of anything else that can make iptables "not a good choice" for a firewall in my network... and this is what I'm searching for!
I think the number one reason why iptables could be a bad choice is if you don't have someone who is comfortable with and sufficiently adept (relative to your needs) at using it. In the first part of your last post, you lay down the assumption that they will "configure [iptables] correctly and completely" - that's a pretty bold assumption, considering it's a game-changing factor. Besides, anyone who is able to adequately administer ANY modern firewall solution (whether it be GNU/Linux-powered or not) should be able to deliver the results you are looking for, and inform you of what won't be possible to achieve (due to technical limitations or lack of necessary skills, for example) even before he/she gets started.

Last edited by win32sux; 05-23-2009 at 03:29 PM. Reason: Spelling.
 
Old 05-23-2009, 02:28 PM   #7
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by L_Masoumi
I'll give you an example of a drawback of iptables in place as a firewall: if the network grows and gets to have segmented LANs, and also in case of having a DMZ... the complexity of iptables firewalls can increase a LOT and in some cases is almost impossible to handle, as I heard!
This will depend on the skill of the ruleset maintainer(s). A little organization and scripting magic, and a large, complex ruleset can be made manageable. For that matter, front-end GUIs for the less savvy, and even entire firewall "appliance" distributions, are available.

In other words, I've also read the complaint you're describing -- normally in favor of a different packet filtering firewall. But I don't agree with it.
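The organisation that win32sux and anomie describe (a simple, scalable script rather than an ever-growing flat rule list) can look like the following. This is an added example, not a script from any of the posters; the interfaces and subnets are constructed sample values, and it only prints the iptables commands unless you set IPT=iptables and run it as root.

```shell
#!/bin/sh
# Added example: a zone-based iptables ruleset generator for a gateway with a
# LAN (eth1), a DMZ (eth2) and the Internet (eth0). Each network segment gets its
# own user-defined chain, so adding a new LAN or DMZ is one zone_chain call plus
# its allow lines, not a rewrite of the whole script. Interface names and subnets
# are constructed for illustration; adjust them to the real network.
IPT="${IPT:-echo iptables}"   # default: dry run, just show the commands

# zone_chain NAME IFACE SUBNET: create a per-zone forwarding chain and hook
# traffic arriving on IFACE from SUBNET into it
zone_chain() {
    $IPT -N "$1"
    $IPT -A FORWARD -i "$2" -s "$3" -j "$1"
}

# allow ZONE OUT_IFACE PROTO PORT: permit one new flow out of a zone
allow() {
    $IPT -A "$1" -o "$2" -p "$3" --dport "$4" -m conntrack --ctstate NEW -j ACCEPT
}

build_ruleset() {
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    $IPT -F; $IPT -X
    $IPT -A INPUT -i lo -j ACCEPT
    # reply traffic is accepted once, before any zone logic runs
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # one chain per segment; the DMZ gets no allow lines towards the LAN at all
    zone_chain LAN_FWD eth1 192.168.10.0/24
    zone_chain DMZ_FWD eth2 10.0.0.0/24
    zone_chain WAN_FWD eth0 0.0.0.0/0
    allow LAN_FWD eth0 tcp 443     # LAN -> Internet, HTTPS only
    allow LAN_FWD eth2 tcp 80      # LAN -> DMZ web server
    allow WAN_FWD eth2 tcp 80      # Internet -> DMZ web server only
    # every zone chain ends in a rate-limited log and a drop
    for z in LAN_FWD DMZ_FWD WAN_FWD; do
        $IPT -A "$z" -m limit --limit 5/min -j LOG --log-prefix "$z-DROP: "
        $IPT -A "$z" -j DROP
    done
}

build_ruleset
```

Because each segment is a chain, the forwarding policy for a zone can be read in isolation with `iptables -L DMZ_FWD -v`, which is what keeps a large ruleset auditable.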
 
Old 05-24-2009, 04:13 AM   #8
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,916

Rep: Reputation: 777
Quote:
Originally Posted by L_Masoumi View Post
We have different types of firewalls besides netfilter/iptables, such as those in Windows systems, which I'm not aware of how exactly they work...
Yes, in the Windows world, where people (end users, anyway) do not, by and large, understand networking and don't understand security, a different approach is taken.

In general, windows end users are not prepared to configure several security products and want a 'one stop shop', and, amongst other things, this leads to an idiotically misconceived notion of what a firewall does for them.

If you understand what a firewall does, and you know how to configure it correctly (and a prerequisite for that is to understand networking), then iptables/netfilter does what it does well. If you don't understand why this isn't a complete protection against assorted types of malware, you have more homework to do.

Quote:
I'm saying, if I suggest that somebody use iptables as a firewall (assuming they configure it correctly and completely!), what are the possible drawbacks of this iptables firewall?
It's a packet filtering firewall. It filters packets. It deals with connections.

Quote:
Are there any types of known attacks that can ANYWAY, even with comprehensive and carefully selected rules, compromise the network behind the firewall?
Of course there are; most malware is structured in a way that packets and connections originate in a plausible way. In this case, it is clearly inadequate to rely on any firewall as your only security measure.

Quote:
I'll give you an example of a drawback of iptables in place as a firewall: if the network grows and gets to have segmented LANs, and also in case of having a DMZ... the complexity of iptables firewalls can increase a LOT and in some cases is almost impossible to handle, as I heard!
Wrong. If you look around the internet, you will find an example of people taking almost every unbelievable position, so you have to be careful about which things you give credence to and which you don't.

To avoid this you have to get both the network structure correct and be thoughtful about how you configure the ruleset. I think that you will be able to find many examples where people did not do one or the other of these.

If you structure things badly you will have problems as things grow and, as at the time that you write the initial ruleset you may not even anticipate that you will have a DMZ, this is unfortunately easy.

Quote:
I need to think of anything else that can make iptables "not a good choice" for a firewall in my network... and this is what I'm searching for!
So why have your questions been about something else? Not about your network, but about what you should tell someone else; not about whether iptables/netfilter is good at packet filtering, but whether a firewall could allow various attacks.
 
Old 05-24-2009, 06:42 AM   #9
L_Masoumi
LQ Newbie
 
Registered: Mar 2008
Location: Australia
Distribution: Knoppix 6.0.1, Fedora 9, Ubuntu 8.10
Posts: 8

Original Poster
Rep: Reputation: 0
win32sux, your explanation is reasonable and it gave me a better direction to think about the whole matter...

Quote:
So why have your questions been about something else? Not about your network, but about what you should tell someone else; not about whether iptables/netfilter is good at packet filtering, but whether a firewall could allow various attacks.
When I said "... if I suggest somebody to use..." I was only trying to clarify my point; otherwise I need to understand iptables for my own sake and not for saying anything to anybody else. Also, sometimes you need to share your ideas, right or wrong, to find out what you are exactly looking for. I believe I'm one of those... Thanks salasi, your notes helped in that way.

Maybe the next step for me is to search and study those possible attacks on iptables... and how I can minimize the possibility of those.
 
Old 05-24-2009, 05:28 PM   #10
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by L_Masoumi View Post
Maybe the next step for me is to search and study those possible attacks on iptables... and how I can minimize the possibility of those.
I don't think you'll find much material for "attacks on iptables" (considering that it's only a tool used to configure the kernel's packet filter). You'd probably be much better off studying which attacks iptables can be used to protect against, and what kernel-hardening options will benefit you. Make sure you don't limit yourself to iptables, since the functionality it provides is quite specific. To get an introductory taste of what things look like when you move a bit beyond iptables, I highly recommend the book Linux Firewalls: Attack Detection and Response. But generally speaking, you definitely should familiarize yourself with security tools which operate at the application layer, since that is where most of the action takes place.

Last edited by win32sux; 05-24-2009 at 06:59 PM. Reason: Grammar, spelling, and punctuation.
 
Old 05-25-2009, 01:00 AM   #11
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,311

Rep: Reputation: 2040
... and just to point out that every Linux system comes with iptables by default. You would tweak each machine's f/w to do whatever is appropriate.
You don't just set up a massively complex f/w on the gateway and hope it suffices.
It won't do the job.
 
Old 05-25-2009, 10:29 AM   #12
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655
First of all, iptables isn't a firewall. It is a command to manipulate the netfilter rules in the kernel. Netfilter also allows plugins so that you can have some tasks be performed by programs (compiled or scripts) outside the kernel. This is often used for running DansGuardian with a database backend to use a massive blacklist. One restriction of the kernel is the amount of memory you can use. So you can't simply import a blacklist of 50,000 IP addresses. You can use a plugin, however, and offload this to a script or program that determines whether to blacklist a site.

There are programs that provide a GUI frontend to iptables that you can use to design your rules.

If you want to learn about the shortcomings of firewalls, I would suggest buying the "Nmap Book". It has information on how it is sometimes possible to use certain scans that might get through a firewall.

Another limitation may be hardware related. The x86 architecture has limited bandwidth. A dedicated firewall device may use hardware to do some things that are normally handled in software. But don't be surprised if such a device is also Linux based. Many Cisco devices, for example, run Linux.
 
Tags
firewall, iptables, limitations