Hi all,

Anybody can tell me about any trade off and limitations of iptables being used as firewall?

For example it's not expected from it to provide authentication at transport layer so it can not be considered as its limitations!

Any security that a firewall at this layer suppose to provide but iptables doesn't! Any particular limitations within its chains and rules which give a way to attackers to get into our network?

I appreciate any Info. or hints or clear resource...

Thanks in advance,

This is the homesite and has lots of reading http://www.netfilter.org/

Maybe I am misunderstanding your question, but you seem to be complaining that a firewall only does the things that a firewall should do and doesn't do other, non-firewall, things. While it is true that, on some other platforms, hybrid products that combine a firewall with some other functionality (eg, virus scan) are quite common, the *nix philosophy is to have a tool that does one thing and does it well. The other approach seems to be fated to produce a compromise solution.

Of course, it would be a serious mistake to think of a firewall as being some kind of magic piece of software that makes all of the risks posed by bad guys go away. No one piece of software can do that, and if this is what you want you should be investigating what other measures you should be taking in addition to having a firewall.

You might want to look at the iptables documentation at frozentux to see the range of things that iptables/netfilter can do (once configured correctly).

The netfilter is a packet firewall.

Another type of firewall looks more at the protocols. Netfilter isn't the best as an application firewall, but it that is what you want, look at squid. You might also want to look for documentation on transparent inline firewalls that will use both netfilter and contain an IDS such as Snort.

Thank you from all...

But I think I was not clear on my question. I'm trying to put it in a better way;

We have different type of firewalls except netfilter/iptables such as those in Windows system which I'm not aware how Exactly they work...

I'm saying if I suggest somebody to use iptables as a firewall (assuming they configure it correctly and completely!), what are the possible drawbacks with this iptables firewall?

Are there any type of known attacks that can ANYWAY, even with a comprehensive and carefully selected rules, compromise the network behind the firewall?

I give you a drawback example of iptables inplace as a firewall; If network grow and if get to have segmented LANs and also in case of having DMZ... the complexity of IPtable firewalls can increase a LOT and in some cases it's almost impossible to handle as I heard!

I need to think of anything else that can make IPtables as "not a good choice" for firewall in my network... and this is what I'm searching for!


Any more idea will be appreciated,
Thanks,

I've been using iptables for years and I'm struggling to find any drawbacks which I could share with you. I'm not saying there aren't any (everything has drawbacks), but it's really hard finding drawbacks for something which does what it's designed to do so well.

Yes. This is true for any firewall on Earth.

That's totally bogus - or at the very least, completely subjective. I would argue that the opposite is true. When you've created a decent iptables script, scalability is trivial. I've used iptables for large projects, and I've always had a really nice experience with it. That said, I have seen many people write iptables scripts that are unbelievably over-complicated, so maybe those types of users would have problems when it comes to expansion. Personally, I like to keep my scripts as simple as possible and on a large script I am always on the lookout for ways in which I can trim the fat.

I think the number one reason why iptables could be a bad choice is if you don't have someone who is comfortable with and sufficiently adept (relative to your needs) using it. In the first part of your last post, you lay down the assumption that they will "configure [iptables] correctly and completely" - that's a pretty bold assumption, considering its a game-changing factor. Besides, anyone who is able to adequately administer ANY modern firewall solution (whether it be GNU/Linux-powered or not) should be able to deliver the results you are looking for, and inform you of what won't be possible to achieve (due to technical limitations or lack of necessary skills, for example) even before he/she gets started.

This will depend on the skill of the ruleset maintainer(s). A little organization and scripting magic, and a large, complex ruleset can be made manageable. For that matter, front-end GUIs for the less savvy, and even entire firewall "appliance" distributions, are available.

In other words, I've also read the complaint you're describing -- normally in favor of a different packet filtering firewall. But I don't agree with it.

Yes, in Windows world, where people (end users, anyway) do not, by and large understand networking and don't understand security, a different appracah is taken.

In general, windows end users are not prepared to configure several security products and want a 'one stop shop', and, amongst other things, this leads to an idiotically misconceived notion of what a firewall does for them.

If you understand what a firewall does, and you know how to configure it correctly (and a prerequisite for that is to understand networking), then iptables/netfilter does what it does well. If you don't understand why this isn't a complete protection against assorted types of malware, you have more homework to do.

Its a packet filtering firewall. It filters packets. It deals with connections.

Of course there are; most malware is structured in a way that packets and connections originate in a palusible way. In this case, it is clearly inadequate to rely on any firewall as your only security measure.

Wrong. If you look around the internet, you will find an example of people taking almost every unbelievable position, so you have to be careful about which things you give credence to and which you don't.

To avoid this you have to get both the network structure correct and be thoughtful about how you configure the ruleset. I think that you will be able to find many examples where people did not do one or the other of these.

If you structure things badly you will have problems as things grow and as, at the time that write the initial ruleset you may not even anticipate that you will have a DMZ, this is unfotunatley easy.

So why your questions been about something else?? Not about your network, but about what you should tell someone else, not about whether iptables/netfilter is good at packet filtering, but whether a firewall could allows various attacks.

win32sux, your explanation is reasonable and it gave me a better direction to think about whole matter...

When I said "... if I suggest somebody to use..." I was only trying to clear my point, otherwise I need to understand the iptables for my own sake and not for saying anything to anybody else. Also sometimes you need to share your ideas, right or wrong, to find out what you are exactly looking for. I believe I'm one of those.. Thanks salasi, your notes helped in that way.

Maybe the next step for me is to search and study those possible attacks on iptables... and how I can minimize the possibility of those.

I don't think you'll find much material for "attacks on iptables" (considering that it's only a tool used to configure the kernel's packet filter). You'd probably be much better off studying which attacks iptables can be used to protect against, and what kernel-hardening options will benefit you. Make sure you don't limit yourself to iptables, since the functionality it provides is quite specific. To get an introductory taste of what things look like when you move a bit beyond iptables, I highly recommend the book Linux Firewalls: Attack Detection and Response. But generally speaking, you definitely should familiarize yourself with security tools which operate at the application layer, since that is where most of the action takes place.

... and just to point out that every Linux system comes with iptables by default. You would tweak each machine's f/w to do whatever is appropriate.
You don't just setup a massively complex f/w n the gateway and hope it suffices.
It won't do the job.

First of all, iptables isn't a firewall. It is a command to manipulate the netfilter rules in the kernel. Netfilter also allows plugins so that you can have some tasks be performed by programs (compiled or scripts) outside the kernel. This is often used for using Dans Guardian with a database backend to use a massive blacklist. One restriction of the kernel is the amount of memory you can use. So you can't simply import a blacklist of 50,000 IP addresses. You can use a plugin however and offload this to a script or program that determines whether to blacklist a site.

There are programs that provide a GUI frontend to iptables that you can use to design your rules.

If you want to learn about shortcoming of firewalls, I would suggest buying the "Nmap Book". It has information on how it is sometimes possible to use certain scans that might get through a firewall.

Another limitation may be hardware related. The x86 architecture has a limited bandwidth. A dedicated firewall device may use hardware to do some things that are normally handled in software. But don't be surprised if such a device is also Linux based. Many Cisco devices for example run linux.